TryHackMe | Poster Writeup

This room focuses on PostgreSQL and on how a misconfigured database server can lead to Remote Code Execution.


Always do recon; recon is the way to win. Take notes of versions.


Web (Port 80)

  1. Apache 2.4.18
  2. No robots.txt

Not much was found, but always run a directory scanner in case there are hidden files on the web server.

DB (Port 5432)

  1. We can pentest this port
    psql -h <host> -U <username> -d <database> # Remote connection
  2. We can enumerate user credentials using Metasploit.

  Found valid credentials:
    [+] - Login Successful: postgres:password@template1

  3. We can use another module to execute commands.
    PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
  4. Now we can try dumping some hashes using another module.
  5. We can also read files using a module.
  6. We can also run another module for command injection.

We now have a shell.
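The whole chain above rests on one misconfiguration: the postgres superuser accepting a weak password over the network. The writeup does not show the server's config, so as an added example (not part of the room or the original post) here is a small audit of a pg_hba.conf that flags the rules which make that exposure possible; the sample config is constructed.

```python
# Added example (not from the writeup): audit a pg_hba.conf for the rules that
# let the attack path above happen. The sample config below is constructed.
import ipaddress

WEAK_METHODS = {"trust", "password"}    # no authentication / cleartext password
SUPERUSER_FIELDS = {"postgres", "all"}  # a USER of "all" matches the superuser too

def parse_hba(text):
    """Yield one dict per effective rule; comments and blank lines are skipped."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "local":
            yield {"type": f[0], "db": f[1], "user": f[2], "addr": None, "method": f[3]}
        elif len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            yield {"type": f[0], "db": f[1], "user": f[2], "addr": f[3], "method": f[4]}

def network(addr):
    """Parse a CIDR ADDRESS field; None for unix sockets, samehost/samenet, hostnames."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def audit_hba(text):
    """Return (rule, reason) pairs for rules a defender should tighten."""
    findings = []
    for rule in parse_hba(text):
        net = network(rule["addr"])
        # remote = anything that is not a unix-socket or loopback-only rule
        remote = (rule["addr"] not in (None, "samehost")
                  and not (net is not None and net.is_loopback))
        if rule["method"] in WEAK_METHODS:
            findings.append((rule, f"auth method '{rule['method']}' is weak"))
        if remote and rule["user"] in SUPERUSER_FIELDS:
            findings.append((rule, "superuser role reachable over the network"))
        if net is not None and net.prefixlen == 0:
            findings.append((rule, "accepts connections from any address"))
    return findings

EXPOSED_HBA = """\
local   all  all                peer
host    all  all  127.0.0.1/32  md5
host    all  all  0.0.0.0/0     password
"""

if __name__ == "__main__":
    for rule, why in audit_hba(EXPOSED_HBA):
        print(rule["type"], rule["db"], rule["user"], rule["addr"], rule["method"], "->", why)
```

The fix the audit points at is the usual one: restrict host rules to the networks that need them, give application roles their own non-superuser accounts, and use scram-sha-256 instead of password or trust.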

Privilege Escalation

  1. Found credentials in config.php.
  2. User Dark cannot run sudo.
  3. The DB password is reused for user alison, so we switch to user alison.
  4. Check sudo -l
    User alison may run the following commands on ubuntu: (ALL : ALL) ALL
  5. Simply run sudo /bin/bash for easy root.
