OSCP Prep Box 45 – Sorcerer – Proving Grounds Practice

Posted on

Hi everyone

Today we are going to look for a Box called Sorcerer which is rated as Intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.

Box Type: Linux

Recon & Enumeration

Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.

First, we will check whether target is reachable or not with ping command:

ping Target_IP

With ping command output we found that the target is reachable.

Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:

nmap -sC -sV -O -oA nmap/initial 192.168.177.100

nmap -sC -sV -O -p- -oA nmap/full 192.168.177.100 -T4

Now let’s also execute the full scan and UDP Scan:

nmap -sC -sV -O -p- -oA nmap/full 192.168.177.100 -T4

I discovered these ports are open:

  • 22/tcp – SSH Service running OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
  • 80/tcp – HTTP Service running nginx
  • 111/tcp – rpcbind 2-4 (RPC #100000)
  • 2049/tcp – nfs 3-4 (RPC #100003)
  • 8080/tcp – HTTP Service running Apache Tomcat 7.0.4
  • 33065/tcp nlockmgr 1-4 (RPC #100021)
  • 35835/tcp mountd 1-3 (RPC #100005)
  • 42329/tcp mountd 1-3 (RPC #100005)
  • 43307/tcp mountd 1-3 (RPC #100005)
  • OS: Linux

Let’s move ahead and check the IP in the web browser and I found page:

Exploitation

I was able to grab the local.txt:

Privilege Escalation

Now it was a time for escalating the privileges:

I quickly went ahead and check for the SUIDs with the following command:

find / -perm /4000 2>/dev/null

The above image shows the proof.txt file.

Key Takeaways

  • Thorough web enumeration is critical — exposed backup archives and ZIP files can leak sensitive data like SSH keys.
  • Always inspect configuration files such as authorized_keys — forced-command restrictions can often be abused rather than bypassed directly.
  • Understand protocol behavior (SCP vs SSH) — misconfigured command wrappers can be leveraged to gain code execution.
  • When gaining initial access, analyze user-level scripts and permissions carefully — small misconfigurations can lead to full compromise.
  • During privilege escalation, check for misconfigured SUID binaries (e.g., start-stop-daemon) and research known abuse techniques to escalate to root.

If you enjoyed this post, share it with your friends and colleagues!

Leave a Reply

Your email address will not be published. Required fields are marked *