Room Link: <https://tryhackme.com/room/poster>

Introduction

RDBMS - relational database management system. RDBMSs have been a common option for the storage of information in databases used for financial records, manufacturing and logistical information, personnel data, and other applications since the 1980s. Relational databases have often replaced legacy hierarchical databases and network databases, because RDBMS were easier to implement and administer.

PostgreSQL is a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance.

Recon

First, add poster.thm to your /etc/hosts file for ease of operation.

As always, start with the simple RustScan scan.

From the scan above we can easily identify both port (Q2) and the rdms name (Q1).

Metasploit Enumaration

Launch metasploit and search for postgresql-related modules using:

search postgresql

First of all, let's look at the login module. It check the rdbms for weak/standard login credentials and allows us to get initial access.

auxiliary/scanner/postgres/postgres_login

Bingo! We got the credentials. Now we can use them to dump password hashes, read files and achieve an RCE.

Let's dump password hashes using another module

auxiliary/scanner/postgres/postgres_hashdump

Don't forget to plug both username and password into the module.

Metasploit Exploitation

auxiliary/admin/postgres/postgres_readfile

Let's use this module to read the contents of /etc/passwd file to get some initial information about the machine.

After reading the /etc/passwd file we have a direct clue about all user accounts on the box.

Now it's time to finally get the box access and escalate our priviliges.

exploit/multi/postgres/postgres_copy_from_program_cmd_exec

Above module will allow you to achieve RCE on the system using just the RDBMS username and password.

Once the command was executed, use python3 -c 'import pty; pty.spawn("/bin/bash")' to get a tty shell.

Remember, while reading the /etc/passwd file, we have identified one user? Take a look at his home directory at retrieve credentials.

Once on the system, we may notice that the user cannot run any commands as sudo which usually indicates that we need to find something ourselves.

Turns out there was a conf file in the /var/html/www that contained both username and password for out last step of privilege escalation. Read it and login as the new user.

Root

After getting on the second account, it becomes relatively easy to escalate your privileges.

sudo -l

From this point, execute sudo su and get the root access :)

Thank you for reading!