Peppo

Writeup for Peppo from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.137.60 all

Service Enumeration

HTTP (Port 8080)

Redmine appears to be running on port 8080. We try the default credentials admin:admin and are authenticated.

Under /admin/info we can see the version this Redmine is running; however, it does not appear to be a version with any known exploits.

HTTP (Port 10000)

Nothing much on here. Looks like another dead end.

Postgresql (Port 5432)

We try the default credentials postgres:postgres and are authenticated straight away.

We are able to get RCE; however, further enumeration shows that this is likely a rabbit hole, as I spent hours on here without finding any means to privilege escalate. :/

Ident (Port 113)

We use Ident to enumerate the owner of the process behind every open port, and we notice that there is a user eleanor.

SSH (Port 22)

We try to SSH in as eleanor with the credentials eleanor:eleanor and we get a shell.

Exploit

From the image above, it seems that we are in rbash (restricted bash), which limits the commands we can use.

Searching online for rbash escapes, I came across this site:

There is a method that allows us to escape using ed.

Privesc

We notice from our earlier id command that we are a member of the docker group. GTFOBins lists a way to privesc using docker.
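As an added, defender-side example (not code from the original writeup): a small Python audit that parses constructed /etc/passwd and /etc/group samples and flags the combination this box relied on, an rbash-restricted account that is also in the docker group, since rbash is not a security boundary once an editor such as ed is reachable, and docker group membership is root-equivalent. The sample file contents, the group list and the function names are assumptions for illustration.

```python
# Added audit example (not part of the original writeup). It flags accounts whose
# configuration matches what this box exploited: a login shell of rbash combined
# with membership in a root-equivalent group such as docker.
from typing import Dict, List, Set

# Constructed sample /etc/passwd and /etc/group content, not data from the target.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
postgres:x:107:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:eleanor
postgres:x:113:
"""

# Groups whose members can trivially become root (assumed list for this example).
ROOT_EQUIVALENT_GROUPS = {"docker", "sudo", "wheel", "lxd", "disk"}
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> login shell (field 7 of each passwd line)."""
    shells: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells

def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map user name -> set of supplementary groups (field 4 is the member list)."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[3]:
            for user in fields[3].split(","):
                groups.setdefault(user, set()).add(fields[0])
    return groups

def audit(passwd_text: str, group_text: str) -> List[str]:
    """Return one finding per risky condition, in passwd order."""
    findings: List[str] = []
    shells = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    for user, shell in shells.items():
        risky = ROOT_EQUIVALENT_GROUPS & groups.get(user, set())
        if risky:
            findings.append(f"{user}: member of root-equivalent group(s) {sorted(risky)}")
        if shell in RESTRICTED_SHELLS and risky:
            findings.append(f"{user}: rbash restriction is moot, group membership grants root")
    return findings
```

Run against the real files on a host (`open('/etc/passwd').read()`, `open('/etc/group').read()`) to get the same report for live accounts.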

And we got root!
