📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 8080)
  • HTTP (Port 10000)
  • Postgresql (Port 5432)
  • Ident (Port 113)
  • SSH (Port 22)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Try harder
  3. Linux

Peppo

Writeup for Peppo from offsec Proving Grounds

PreviousSirolNextClyde

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.137.60 all

Service Enumeration

HTTP (Port 8080)

Seems like Redmine is running on port 8080, we try the default credentials admin:admin and we are authenticated.

Under /admin/info, we can see the version this Redmine is running, however, it doesn't seem to be a version with any exploits.

HTTP (Port 10000)

Nothing much on here. Looks like another dead end.

Postgresql (Port 5432)

We can try default credentials postgres:postgres and we are easily authenticated.

We are able to get RCE, however, further enumeration shows that this is likely a rabbit hole as I spent hours on here not being able to find any means to privilege escalate. :/

Ident (Port 113)

We enumerate the users on every port. We notice that there is a user Eleanor.

SSH (Port 22)

We try to ssh into Eleanor using eleanor:eleanor and we are able to get a shell.

Exploit

From the image above, it seems like we are in a rbash - restricted bash, which limits us in terms of the commands we can use.

Searching online for rbash escapes, I came across this site:

There is a method that allows us to escape using ed.

Privesc

We notice from our earlier id command that we are part of the docker group. From gtfobins, there is a way to privesc using docker.

And we got root!

Logo113 - Pentesting IdentHackTricks
Logorbash escape | rbash restricted shell escape -hackNos
Logodocker | GTFOBins