Peppo
Writeup for Peppo from offsec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.137.60 all
Service Enumeration
HTTP (Port 8080)
Redmine appears to be running on port 8080. We try the default credentials admin:admin and are authenticated.
Under /admin/info, we can see the version this Redmine is running; however, it doesn't seem to be a version with any known exploits.
HTTP (Port 10000)
Nothing much on here. Looks like another dead end.
Postgresql (Port 5432)
We try the default credentials postgres:postgres and are easily authenticated.
We are able to get RCE through PostgreSQL; however, further enumeration shows that this is likely a rabbit hole, as I spent hours here without finding any means to privilege escalate. :/
Ident (Port 113)
Using ident, we enumerate the user owning each open port and notice that there is a user eleanor.
SSH (Port 22)
We try to SSH in as eleanor using the credentials eleanor:eleanor and are able to get a shell.
Exploit
From the image above, it seems like we are in rbash (restricted bash), which limits the commands we can use.
Searching online for rbash escapes, I came across this site:
There is a method that allows us to escape using ed.
Privesc
From our earlier id command, we notice that we are part of the docker group. GTFOBins lists a way to privesc using docker.
And we got root!
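As an added example that is not part of the original writeup, the POSIX shell script below audits a host for the two conditions the escalation chain above relied on: accounts whose login shell is rbash (a restricted shell that, as the ed escape shows, is not a security boundary) and members of the docker group (effectively root, since they can mount the host filesystem into a container). The passwd and group entries are constructed sample data, not taken from the target; point the functions at the real /etc/passwd and /etc/group to run the checks on a live system.

```shell
#!/bin/sh
# Added audit example (not from the original writeup). The file paths are
# parameters so the same checks run against constructed sample data here or
# against /etc/passwd and /etc/group on a real host.

# Print the members of one group, one per line.
group_members() {      # $1 = path to group file, $2 = group name
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Print accounts whose login shell is rbash (any path ending in /rbash).
rbash_accounts() {     # $1 = path to passwd file
    awk -F: '$7 ~ /\/rbash$/ { print $1 }' "$1"
}

# Combined report; returns 1 when either finding is present so it can gate a
# hardening pipeline, 0 when the host is clean.
audit_host() {         # $1 = passwd file, $2 = group file
    findings=0
    for u in $(group_members "$2" docker); do
        echo "HIGH: $u is in the docker group (root-equivalent access)"
        findings=1
    done
    for u in $(rbash_accounts "$1"); do
        echo "MEDIUM: $u uses rbash; a restricted shell is not a security boundary"
        findings=1
    done
    return $findings
}

# Constructed sample files (assumed data for the demonstration only).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
svc:x:1001:1001::/home/svc:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
docker:x:999:eleanor
users:x:100:eleanor,svc
EOF

# Run the report against the sample data; the non-zero status is expected here.
audit_host "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || true
```

The remediation that follows from the report is the one the box lacked: remove ordinary users from the docker group (or use rootless Docker) and, where shell restriction is genuinely needed, do it with a purpose-built restricted environment rather than rbash alone.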