Offsec PG practice
I started my recon with nmap automator (it automates a lot of the nmap work and also the ffuf work), and we got
From the initial nmap report we can see that only ports 21, 22 and 80 are open.
I tried anonymous login on FTP but it didn't work. Also, vsftpd 3.0.3 has no public exploits that would give us RCE, so we moved to port 80.
On port 80
It is a static site with only 2 working links:
- Internet cats, which leads to an image on the server.
- Another link, which leads to another static HTML page named page2.html.
So I decided to run ffuf to see if we could find some interesting directories.
Meanwhile the full nmap scan completed and showed one additional open port.
Port 5437, a PostgreSQL port, is open.
So I tried to connect to the PostgreSQL database.
But it has authentication in place with weak credentials. I tried credentials like admin:admin, admin:password and postgres:postgres, and the last one worked.
I first tried to list all the databases and tables to find some sensitive data, such as password hashes that could be used to log in via FTP or SSH (as people reuse their passwords everywhere), but that didn't work.
The databases didn't have any data that could be used to proceed further.
So I thought to check what vulnerabilities this PostgreSQL version has, and sure enough PostgreSQL 9.3 through the latest version has code execution capabilities.
Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest
EDIT (9.April.2019): We have applied for a retraction of CVE-2019-9193 previously associated with this post. Upon…
So I followed this article and was able to get code execution.
Then I uploaded my shell to the server using wget and executed it to get a shell.
Once I logged in, I ran linux-smart-enumeration to get an idea of what to expect from this server, and it showed that the server has uncommon SUID binaries.
So I checked the existing binaries and found find.
I quickly headed over to GTFOBins, copied the payload and executed it to get a root shell.
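As an added example (not part of this writeup or of the linked article), a small Python detector for the PostgreSQL feature that the article relies on: `COPY ... FROM PROGRAM`, which runs a shell command on the database server and is only available to superusers and members of `pg_execute_server_program`, so a weak `postgres` password is what turns it into code execution. It assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`; the log lines are constructed, and the audit query is a suggested check, not something from the original post.

```python
import re
from dataclasses import dataclass

# Matches a log_line_prefix of '%m [%p] %u@%d ' followed by a logged statement
# (requires log_statement = 'all'; COPY is not DDL, so 'ddl' would miss it).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM|TO PROGRAM 'cmd': server-side command execution. A doubled
# single quote inside the literal is SQL escaping for a single quote.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# Suggested audit query: every role that can use COPY ... PROGRAM at all
# (superusers, plus pg_execute_server_program members on PostgreSQL 11+).
AUDIT_QUERY = (
    "SELECT rolname FROM pg_roles WHERE rolsuper "
    "OR pg_has_role(oid, 'pg_execute_server_program', 'member');"
)

@dataclass
class Alert:
    ts: str
    pid: int
    user: str
    db: str
    direction: str  # FROM = command output read into a table, TO = table fed to command
    command: str

def find_copy_program(lines):
    """Return one Alert per logged statement that executes a server-side program."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (connection messages, errors, ...)
        c = COPY_PROGRAM_RE.search(m.group("sql"))
        if c:
            alerts.append(Alert(m.group("ts"), int(m.group("pid")), m.group("user"),
                                m.group("db"), c.group("dir").upper(),
                                c.group("cmd").replace("''", "'")))
    return alerts

# Constructed sample log: two abuses of COPY ... FROM PROGRAM, one normal COPY, one query.
SAMPLE_LOG = [
    "2024-01-01 10:00:00.123 UTC [1234] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';",
    "2024-01-01 10:00:01.456 UTC [1234] app@appdb LOG:  statement: SELECT * FROM users WHERE id = 1;",
    "2024-01-01 10:00:02.789 UTC [1235] postgres@postgres LOG:  statement: copy files from program 'uname -a';",
    "2024-01-01 10:00:03.000 UTC [1236] app@appdb LOG:  statement: COPY reports TO '/tmp/out.csv' CSV;",
]

if __name__ == "__main__":
    for a in find_copy_program(SAMPLE_LOG):
        print(f"{a.ts} pid={a.pid} {a.user}@{a.db} COPY {a.direction} PROGRAM: {a.command!r}")
```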
Thanks for reading.