Skip to content

Peppo 🔺

Enumeration

Port 8080 shows a Redmine service.

Trying admin:admin at /login works. The system asks us to change the password, change it to adminadmin.

At port 10000 we have a...

Using feroxbuster, we discover some API actions.

We have eleanor user from nmap.

Initial Access

Trying ssh with eleanor:eleanor.

Privilege Escalation

We are in a restricted bash and can't execute most commands.

Now we can use the commands, get the flag.

/bin/bash to upgrade the shell.

We have /usr/bin/docker command so https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-docker-socket

Post Exploitation

Get the flag.