April 13, 2025

Scrutiny Proving Grounds Write-Up

Proving Grounds Scrutiny machine walkthrough

SUMMARY

This write-up covers the Scrutiny machine from OffSec’s Proving Grounds, a Linux machine involving multiple lateral movement steps before privilege escalation.

A hostname discovered on the main website was added to /etc/hosts, revealing a TeamCity login panel accessible with default credentials (test:test). The admin account exposed an SSH private key stored in another user’s profile. The key was passphrase-protected; ssh2john and john cracked it. SSH access was established as user marcot.

Inspecting /var/mail/marcot revealed a mail from matthewa sharing his password. Switching to matthewa and checking hidden files in his home directory exposed a file containing credentials for dach — who turned out to be user briand according to another mail. SSH as briand revealed a sudo rule allowing execution of systemctl as root. Running it entered a less pager, from which a shell escape (!bash) spawned a root shell.


PATH TO FOLLOW

  1. Subdomain Discovery & TeamCity Login with Default Credentials
  2. SSH Key Extraction from User Profile & Passphrase Cracking
  3. SSH Access as marcot
  4. Mail Enumeration → Lateral Movement to matthewa
  5. Hidden File Credential Discovery → Lateral Movement to briand
  6. Sudo systemctl Abuse — less Pager Shell Escape
  7. Shell as Root
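
A defender-side check for the misconfiguration behind step 6, as an added example that is not part of the original write-up: it flags sudoers rules that grant a pager-spawning command without a NOEXEC tag or a pinned --no-pager argument. The command list, user names and sample rules are constructed assumptions; Cmnd_Alias expansion and included files are not resolved.

```shell
#!/bin/sh
# Added example: audit sudoers-format text for rules that allow a command
# which opens a pager (systemctl pipes long output into less) without
# NOEXEC or a pinned --no-pager.
# PAGER_CMDS is an assumed, non-exhaustive list.
PAGER_CMDS='systemctl|journalctl|less|more|man'

# audit_sudoers [FILE]: reads FILE (or stdin), prints "RISK: <rule>" for
# every risky rule and returns 1 if at least one rule was flagged.
audit_sudoers() {
    awk -v cmds="$PAGER_CMDS" '
        /^[ \t]*(#|$)/    { next }   # comments and blank lines
        /^[ \t]*Defaults/ { next }   # Defaults entries are not command rules
        $0 !~ /=/         { next }   # not a "user host=(runas) cmd" spec
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)  # keep runas, tags and command list
            # match the binary name only, so /usr/bin/manage-x is not "man"
            risky = (spec ~ ("(^|/)(" cmds ")([ \t,]|$)"))
            # NOEXEC stops the command from spawning children; a rule with
            # fixed arguments forces the caller to keep --no-pager
            mitigated = (spec ~ /NOEXEC:/ || spec ~ /--no-pager/)
            if (risky && !mitigated) { print "RISK: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample rules (not the machine's real sudoers file).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/systemctl status example.service
bob ALL=(root) NOEXEC: /usr/bin/systemctl status example.service
carol ALL=(root) /usr/bin/systemctl --no-pager status example.service
dave ALL=(root) /usr/bin/manage-backups
EOF
}

# Demo run: only the alice rule is reported.
sample_sudoers | audit_sudoers || echo "review the rules listed above"
```

Run it against a copy of /etc/sudoers and each file under /etc/sudoers.d; a non-zero exit status makes it usable as a configuration-review gate.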

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.