Skip to content

Peppo 🔺

Enumeration

Port 8080 shows a redmine service

Trying 'admin:admin' at /login works. The system ask us to change the password, change it to adminadmin

At port 10000 we have a

Using feroxbuster we discover some api actions

We have eleanor user from nmap

Initial Access

Trying ssh with eleanor:eleanor

Privilege Escalation

We are in a restricted bash and can't execute most of commands.

Now we can use the commands, get the flag.

/bin/bash to upgrade the shell

We have /usr/bin/docker command so https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-docker-socket

Post Exploitation

Get the flag