Peppo
PG Practice Peppo writeup
Nmap
As ident is running we can use the Perl script ident-user-enum to identify which services are running under what user.
Port 10000 reports it is running under the user 'eleanor'. I tried brute-forcing the username on SSH and had no luck. Eventually, simply trying eleanor:elenaor, I was able to log in on SSH.
We see from trying the id command that we are locked in a restricted bash shell. By viewing $PATH we can see what binaries we have access to.
Checking GTFOBins for any of these binaries that can spawn a shell to escape a restricted one:
After running the above command we can export a new path, spawn a Python shell, and then export the path again to have full functionality over the shell session.
The command id shows we are a member of the docker group. GTFOBins again shows a method for spawning a root shell when we are a member of the docker group.
First check what images we have available to us:
We can use the GTFOBins command, replacing the value <alpine> with one of the images listed above.
Returning a shell as root:
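From the defender's side, the finding on this box is a restricted-shell account that is also a member of the docker group, so the shell restriction contains nothing. The following audit is an added example, not part of the original writeup; the passwd and group lines are constructed sample data, and the list of restricted shell names is an assumption.

```python
# Added example: flag docker-group members, noting restricted-shell accounts.
RESTRICTED_SHELLS = {"rbash", "rksh", "rzsh"}  # assumption: common restricted shells

def parse_passwd(text):
    """Return {user: (primary_gid, shell)} from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 7:
            continue  # skip malformed entries
        users[f[0]] = (f[3], f[6])
    return users

def group_members(group_text, passwd, name="docker"):
    """Supplementary members of `name` plus users whose primary GID matches it."""
    members = set()
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 4 or f[0] != name:
            continue
        members.update(m for m in f[3].split(",") if m)
        members.update(u for u, (gid, _) in passwd.items() if gid == f[2])
    return members

def audit(passwd_text, group_text):
    """Return a sorted list of (user, shell, finding) for docker-group members."""
    passwd = parse_passwd(passwd_text)
    findings = []
    for user in sorted(group_members(group_text, passwd)):
        shell = passwd.get(user, ("", "unknown"))[1]
        restricted = shell.rsplit("/", 1)[-1] in RESTRICTED_SHELLS
        note = ("restricted shell is bypassable via docker" if restricted
                else "root-equivalent via docker")
        findings.append((user, shell, note))
    return findings

# Constructed sample data (not taken from the target host)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000:,,,:/home/eleanor:/bin/rbash
builder:x:1001:998::/home/builder:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:eleanor\neleanor:x:1000:\n"

if __name__ == "__main__":
    for user, shell, note in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{user:10} {shell:12} {note}")
```

On a real host, pass the contents of /etc/passwd and /etc/group to audit(); the builder entry shows the primary-GID case that a check of the group's member list alone would miss.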