April 6, 2025

Peppo Proving Grounds Write-Up

Proving Grounds Peppo machine walkthrough

SUMMARY

This write-up covers the Peppo machine from OffSec’s Proving Grounds, a Linux machine where a simple credential hint in the scan output led to a Docker-based privilege escalation.

The Nmap scan leaked a username (eleanor) in the auth-owners field of a service response. SSH authentication with eleanor:eleanor succeeded, but the shell was a restricted bash. Listing available commands revealed ed; running it and entering !sh escaped the restriction.

Enumerating group memberships showed eleanor was part of the docker group. Available images were listed, and a container was launched with the host root filesystem mounted at /mnt/root. From inside the container, SUID permissions were applied to /bin/sh on the mounted host filesystem. After exiting the container, running sh -p from the host provided a root shell.
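Seen from the host owner's side, the chain above rests on two conditions that can be audited: a restricted-shell account that is also in the docker group, and a setuid-root shell left on disk. The sketch below is an added example, not part of the original write-up; the sample passwd/group entries are constructed, and the function names and the assumption that the restricted shell shows up as rbash in /etc/passwd are illustrative.

```python
import os
import stat

# Constructed sample account data (not taken from the Peppo machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
eleanor:x:1000:1000::/home/eleanor:/bin/rbash
backup:x:1001:999::/home/backup:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:999:eleanor,root
eleanor:x:1000:
"""

def docker_group_users(passwd_text, group_text, group="docker"):
    """Map each non-UID-0 member of `group` to its login shell.

    Covers supplementary membership (/etc/group) and primary GID (/etc/passwd).
    """
    accounts = [l.split(":") for l in passwd_text.splitlines() if l.count(":") == 6]
    gid, members = None, set()
    for fields in (l.split(":") for l in group_text.splitlines()):
        if len(fields) == 4 and fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is None:
        return {}
    members.update(a[0] for a in accounts if a[3] == gid)
    return {a[0]: a[6] for a in accounts if a[0] in members and a[2] != "0"}

def restricted_but_root_equivalent(passwd_text, group_text):
    """Users confined to rbash (assumed shell name) who can still drive Docker."""
    users = docker_group_users(passwd_text, group_text)
    return sorted(u for u, sh in users.items() if os.path.basename(sh) == "rbash")

def setuid_root_shells(paths, stat_fn=os.stat):
    """Return shells that are setuid and owned by root (symlinks are followed)."""
    hits = []
    for path in paths:
        try:
            st = stat_fn(path)
        except OSError:
            continue  # shell not installed on this host
        if st.st_uid == 0 and st.st_mode & stat.S_ISUID:
            hits.append(path)
    return hits
```

On a real host, feed the first two functions the contents of /etc/passwd and /etc/group, and call setuid_root_shells with the shell paths listed in /etc/shells.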


PATH TO FOLLOW

  1. Nmap Username Leak → SSH Access as eleanor
  2. Restricted Bash Escape via ed → !sh
  3. Docker Group Membership Discovery
  4. Container Launch with Host Root Mount → SUID on /bin/sh
  5. sh -p on Host → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.