TryHackMe - Poster
Room Link: <https://tryhackme.com/room/poster>RDBMS - relational database management system. RDBMSs have been a common option for the storage of information in databases used for financial records, manufacturing and logistical information, personnel data, and other applications since the 1980s. Relational databases have often replaced legacy hierarchical databases and network databases, because RDBMS were easier to implement and administer.
PostgreSQL is a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance.
First, add poster.thm to your /etc/hosts file for ease of operation.
From the scan above we can easily identify both port (Q2) and the rdms name (Q1).
Launch metasploit and search for postgresql-related modules using:
search postgresql
First of all, let's look at the login module. It check the rdbms for weak/standard login credentials and allows us to get initial access.
auxiliary/scanner/postgres/postgres_login
Bingo! We got the credentials. Now we can use them to dump password hashes, read files and achieve an RCE.
Let's dump password hashes using another module
auxiliary/scanner/postgres/postgres_hashdump
Don't forget to plug both username and password into the module.
auxiliary/admin/postgres/postgres_readfile
Let's use this module to read the contents of /etc/passwd file to get some initial information about the machine.
After reading the /etc/passwd file we have a direct clue about all user accounts on the box.
Now it's time to finally get the box access and escalate our priviliges.
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
Above module will allow you to achieve RCE on the system using just the RDBMS username and password.
It is important to set a proper payload for this payload
Once the command was executed, use
python3 -c 'import pty; pty.spawn("/bin/bash")' to get a tty shell.Remember, while reading the /etc/passwd file, we have identified one user? Take a look at his home directory at retrieve credentials.
Black: Credentials; White: User
Once on the system, we may notice that the user cannot run any commands as sudo which usually indicates that we need to find something ourselves.
Turns out there was a conf file in the /var/html/www that contained both username and password for out last step of privilege escalation. Read it and login as the new user.
After getting on the second account, it becomes relatively easy to escalate your privileges.
sudo -l
From this point, execute
sudo su and get the root access :)Thank you for reading!