Scrutiny

Source: Proving Grounds
OS: Linux
Community Rating: Very Hard

Enumeration & Reconnaissance

  • I started with autorecon as usual, which exposed three open ports on the target:

    • SSH (22)

    • SMTP (25)

    • HTTP (80)

Service Analysis

  • I dived straight into HTTP, which displayed a simple page featuring a login portal for TeamCity, a popular CI/CD tool by JetBrains.

Initial Page
TeamCity Login
  • I tried several random credentials, but nothing worked, so I started searching for CVEs. I found a few, and eventually CVE-2024-27198 worked for me. I couldn't find a PoC on Exploit-DB, so I had to look on GitHub. This CVE allowed me to create a user by bypassing authentication.

Gaining Access

Gaining Initial Access

  • After logging in and exploring further, I spotted a commit titled "Oops" by one of the users. In that commit, they were removing their accidentally pushed id_rsa SSH private key.

Oops
  • It looked like an easy win, getting the key should have meant instant access. But there was a twist: the key was password-protected.

SSH Key
  • I cracked the password with John the Ripper using the rockyou wordlist, after first converting the key with ssh2john (the default John wordlist didn't cut it). The cracked password turned out to be cheer. Now I had Marcot's SSH key and the key's password, which granted me initial access.

Key Password Cracked

Privilege Escalation

  • After getting in, I tried uploading linpeas, but it wouldn't work. I then started checking manually: sudo -l gave no useful output, and I found no cron jobs or interesting processes.

  • Then an unusual attack vector presented itself: I discovered that emails from user Marcot contained the credentials for another account, matthewa, with the password IdealismEngineAshen476.

User 1 Password
  • I switched to this user, but that still didn’t give me root. I tried uploading linpeas again, and although it worked this time, it didn’t expose anything useful on its own. This machine was definitely twisted!

User 2 Password
  • The next clue came from a hidden file in Marcot's home directory. The file name hinted at the user "Dach", but not the actual username. A quick check of /etc/passwd revealed that the corresponding username was briand, with the password RefriedScabbedWasting502.

  • Logging in as briand (it was like entering the matrix), I skipped another round of linpeas and directly ran sudo -l. Finally, I found that briand had sudo privileges over systemctl. Consulting GTFOBins, I executed the recommended command and then used !sh to spawn a root shell.

Privilege Escalation

Lessons Learned

  • Check hidden files

  • Check emails (/var/spool/mail)

  • Try to crack an SSH key if it requires a password

  • Check commits for juicy files
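The "Oops" commit above and the last lesson are the reason repository history, not just the working tree, needs a secrets check. As an added example (my code, not from the writeup or from TeamCity), here is a small Python scanner over `git log -p` output that reports every committed private key, whether it was added or later removed, and whether it carries a passphrase; the sample diff and key blob are constructed, and the OpenSSH check reads the ciphername field of the openssh-key-v1 header, which is "none" for an unprotected key.

```python
import base64
import re
import struct

# Key markers, optionally preceded by a diff sign (+ added, - removed, space = context).
KEY_BEGIN = re.compile(r"^([+\- ]?)-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----$")
KEY_END = re.compile(r"^[+\- ]?-----END (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----$")

def openssh_cipher(body_lines):  # cipher name from an openssh-key-v1 blob; "none" = no passphrase
    magic = b"openssh-key-v1\x00"
    try:
        raw = base64.b64decode("".join(body_lines))
    except ValueError:  # binascii.Error subclasses ValueError
        return "unknown"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return "unknown"
    (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
    return raw[len(magic) + 4:len(magic) + 4 + n].decode("ascii", "replace")

def find_private_keys(diff_text):  # walk `git log -p` output; one dict per private-key block
    findings, commit, path, lines, i = [], "?", "?", diff_text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[-1]
        m = KEY_BEGIN.match(line)
        if m:
            sign, key_type, body = m.group(1), m.group(2), []
            i += 1
            while i < len(lines) and not KEY_END.match(lines[i]):  # collect the key body
                body.append(lines[i][1:] if sign and lines[i].startswith(sign) else lines[i])
                i += 1
            if key_type == "OPENSSH":  # unparseable blobs are reported as unprotected
                encrypted = openssh_cipher(body) not in ("none", "unknown")
            else:  # legacy PEM marks encryption with a "Proc-Type: 4,ENCRYPTED" header
                encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)
            findings.append({"commit": commit, "path": path, "type": key_type,
                             "change": "removed" if sign == "-" else "added", "encrypted": encrypted})
        i += 1
    return findings
# Constructed sample (not a real key): an "Oops" commit removing a passphrase-protected
# OpenSSH key, then a commit adding an unencrypted legacy RSA key.
SAMPLE_BLOB = base64.b64encode(b"openssh-key-v1\x00" + struct.pack(">I", 10) + b"aes256-ctr" + bytes(32)).decode()
SAMPLE_DIFF = "\n".join([
    "commit 1111111", "    Oops", "diff --git a/id_rsa b/id_rsa", "--- a/id_rsa", "+++ /dev/null", "@@ -1,3 +0,0 @@",
    "------BEGIN OPENSSH PRIVATE KEY-----", "-" + SAMPLE_BLOB, "------END OPENSSH PRIVATE KEY-----", "commit 2222222",
    "diff --git a/deploy.pem b/deploy.pem", "--- /dev/null", "+++ b/deploy.pem", "@@ -0,0 +1,3 @@",
    "+-----BEGIN RSA PRIVATE KEY-----", "+MIIEowIBAAKCAQEAnotarealkey", "+-----END RSA PRIVATE KEY-----"])
```

Feed it `git log -p --all` from the real repository; a removed key still counts, since anyone with history access can recover it, and a passphrase only buys time proportional to its strength.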
