Proving Grounds | Peppo

Jm Villano
4 min read · Aug 9, 2021

Scanning:

Host is up (0.24s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 2048 75:4c:02:01:fa:1e:9f:cc:e4:7b:52:fe:ba:36:85:a9 (RSA)
| 256 b7:6f:9c:2b:bf:fb:04:62:f4:18:c9:38:f4:3d:6b:2b (ECDSA)
|_ 256 98:7f:b6:40:ce:bb:b5:57:d5:d1:3c:65:72:74:87:c3 (ED25519)
53/tcp closed domain
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2071
|_ RProcessStartupPacket
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020–03–31))
|_http-favicon: Unknown favicon MD5: D316E1622C58825727E7E4E6C954D289
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020–03–31)
|_http-title: Redmine
10000/tcp open snet-sensor-mgmt?
|_auth-owners: eleanor
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 08 Aug 2021 17:57:53 GMT
| Connection: close
| Hello World
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 08 Aug 2021 17:57:42 GMT
| Connection: close
|_ Hello World

Enumeration:

Port 8080: This is not the intended pathway, and we can't find any way to get code execution through it.

Service: Redmine 4.1.1 stable

Credentials admin:admin

PORT 113: Ident "is an Internet protocol that helps identify the user of a particular TCP connection."
With this service running, we can enumerate the daemons, or the users running them.
https://book.hacktricks.xyz/pentesting/113-pentesting-ident

The output from ident-user-enum reveals that the user eleanor runs the web app on port 10000.

With this information, we try to ssh into the target host using eleanor:eleanor. This user is also explicitly leaked right off our nmap scan.

Exploitation:

Notice that we are in a restricted shell (rbash) and our PATH is limited to /home/eleanor/bin which contains very limited binaries.

Googling for rbash escapes: https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/
According to the site, we can use the binary ed to escape our rbash shell:

ed
!'/bin/bash'

Afterwards, add the necessary directories to our PATH variable so we don't have to state the full path whenever we want to run system binaries → export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH"

Privilege Escalation:

After transferring linenum.sh to the target machine and running it, we can see that our current user is a member of the docker group.

Docker is also run by root, so if we "escape" from docker, we land on the root user. GTFOBins → https://gtfobins.github.io/gtfobins/docker/ provides a quick and easy way for us to priv esc to root from docker.
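A defender-side check that follows from this step, as an added example (not from the write-up): parse /etc/passwd and /etc/group and report users whose group membership is root-equivalent, flagging those whose login shell is rbash, since the restriction is meaningless for a docker-group member. The sample files are constructed, and the set of root-equivalent groups is an assumption.

```python
# Added example, not from the write-up: audit /etc/passwd and /etc/group for users
# made root-equivalent by group membership (docker is the group this box abuses).
ROOT_EQUIVALENT_GROUPS = {"docker", "sudo", "wheel", "lxd", "disk"}  # assumed list
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

def parse_passwd(text):
    """Map username -> (primary gid, login shell); malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[3]), fields[6])
    return users

def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups

def effective_groups(user, users, groups):
    """Groups listing the user as a member plus the group owning their primary gid."""
    gid = users[user][0]
    return {g for g, (ggid, members) in groups.items() if user in members or ggid == gid}

def audit(passwd_text, group_text):
    """Sorted (user, root-equivalent group, rbash_login_shell) findings, root excluded."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    return sorted(
        (user, g, shell in RESTRICTED_SHELLS)
        for user, (_, shell) in users.items() if user != "root"
        for g in effective_groups(user, users, groups) & ROOT_EQUIVALENT_GROUPS
    )

# Constructed sample modelled on the box: eleanor logs into rbash but is in docker.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
"""
SAMPLE_GROUP = """root:x:0:
docker:x:999:eleanor
eleanor:x:1000:
"""

if __name__ == "__main__":
    for user, group, restricted in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{user}: root-equivalent via '{group}'", "(rbash login shell)" if restricted else "")
```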

Cool exploit but seems to be a Rabbit Hole:

Port 5432 runs postgresql, and we can access it using default credentials for the user postgresql → postgresql:postgresql

Googling for postgresql exploits, we land on this RCE exploit from Trustwave.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authenticated-arbitrary-command-execution-on-postgresql-9-3/

Using metasploit, we can get a reverse shell.

exploit/multi/postgres/postgres_copy_from_program_cmd_exec
