Nibbles
PG Practice Nibbles writeup
Nmap
Port 5437 is running PostgreSQL, version between 11.3 and 11.7. I was able to login with the default credentials of postgres:postgres using psql.
As we are running on a version of PostgreSQL higher than 9.3, we should be able to use the following exploit to gain command execution on the target machine.
Description
Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pg_execute_server_program' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access.
This module attempts to create a new table, then execute system commands in the context of copying the command output into the table.
This module should work on all Postgres systems running version 9.3 and above.
For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl
For Windows Systems, target 2 is used with Powershell payloads such as: cmd/windows/powershell_reverse_tcp. Alternatively, target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload or other customized command.
First ensure we are a superuser on postgresql:
As we are confirmed a superuser, we can use the following Metasploit module to gain a shell.
Execution:
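The module above works by issuing `COPY ... FROM PROGRAM` as a superuser (or a member of `pg_execute_server_program`), so on the defensive side that statement shape is the thing to watch for in the server log. The following shell script is an added example, not part of this writeup or of the Metasploit module: it scans a PostgreSQL log for COPY statements that use PROGRAM. It assumes `log_statement` is set to `all` or `mod` so the statement text reaches the log, assumes the default `log_line_prefix` of `'%m [%p] '`, and the log lines it runs over are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Detection: pick out COPY ... FROM/TO PROGRAM statements from a PostgreSQL server log.
# Assumption: log_statement = 'all' or 'mod' (COPY FROM is logged under 'mod'), and the
# default log_line_prefix '%m [%p] ' so each line carries timestamp, pid and the statement.

# Print every log line whose statement uses COPY together with PROGRAM.
# Usage: flag_copy_program <logfile>
flag_copy_program() {
    # -i: SQL keywords are case-insensitive; -E: extended regex.
    # Matches "COPY <table> FROM PROGRAM '...'" and "COPY <query> TO PROGRAM '...'".
    grep -iE 'COPY[[:space:]].*[[:space:]](FROM|TO)[[:space:]]+PROGRAM[[:space:]]' "$1"
}

# Number of flagged lines in the log given as $1 (prints the count on stdout).
count_copy_program() {
    flag_copy_program "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not a real capture): a superuser check, a table creation, one
# COPY FROM PROGRAM, one ordinary COPY FROM a file, and a lowercase COPY TO PROGRAM.
SAMPLE_LOG="${TMPDIR:-/tmp}/pg_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:00:01.000 UTC [4101] LOG:  statement: SELECT current_setting('is_superuser');
2024-05-01 10:00:05.120 UTC [4101] LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2024-05-01 10:00:07.331 UTC [4101] LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2024-05-01 10:00:09.002 UTC [4101] LOG:  statement: COPY cmd_exec FROM '/tmp/data.csv';
2024-05-01 10:00:12.449 UTC [4101] LOG:  statement: copy cmd_exec to program 'cat > /tmp/out';
EOF

# Run with --demo to print the flagged lines from the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Flagged statements in $SAMPLE_LOG ($(count_copy_program "$SAMPLE_LOG") total):"
    flag_copy_program "$SAMPLE_LOG"
fi
```

Only the two PROGRAM statements are reported; the plain `COPY ... FROM '/tmp/data.csv'` is ordinary data loading and is left alone. The wider fix is the one the module description implies: the default `postgres:postgres` credential should not exist, and superuser or `pg_execute_server_program` membership should be limited to roles that actually need to run server-side programs.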
Checking for SUID binaries and the PATH, we have a '.' at the end of PATH and the SUID bit set on the find binary.
Knowing this we can attempt to gain privileges by exploiting the find binary. Checking GTFOBins shows we can escalate privileges:
Running the following will escalate privileges:
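Both conditions found above, a '.' entry in PATH and a setuid bit on a binary that does not need one, are things a host audit can catch before anyone reaches the box. The script below is an added example, not part of this writeup: it checks a PATH string for entries that resolve to the current directory and lists setuid files under a directory that are not on an allowlist. The allowlist of expected setuid names is an illustrative assumption to be replaced with the host's own baseline, and the demo directory tree it builds is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Host audit for two findings from the writeup: '.' in PATH and unexpected setuid files.

# Return 0 if the PATH string $1 has an entry resolving to the current directory:
# a literal '.', or an empty component (leading, trailing or double colon), which the
# shell treats the same way as '.'.
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# List regular files with the setuid bit set under directory $1, one path per line.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Print setuid files under $1 whose file name is not in the space-separated allowlist $2.
# The default allowlist is an assumption for illustration; use the host's real baseline.
unexpected_suid() {
    dir=$1
    allow="${2:-su sudo passwd mount umount ping chsh chfn newgrp gpasswd}"
    list_suid "$dir" | while IFS= read -r f; do
        name=${f##*/}
        case " $allow " in
            *" $name "*) ;;                 # expected setuid binary
            *) printf '%s\n' "$f" ;;        # not on the baseline: report it
        esac
    done
}

# Build a constructed directory tree for the demo: one expected setuid name, one
# unexpected setuid file, one ordinary file. Prints the directory path.
make_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/suid_demo.XXXXXX")
    : > "$d/passwd";   chmod 4755 "$d/passwd"
    : > "$d/fakefind"; chmod 4755 "$d/fakefind"
    : > "$d/readme";   chmod 0644 "$d/readme"
    printf '%s\n' "$d"
}

# Run with --demo to check the current PATH and audit the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    if path_has_cwd "$PATH"; then
        echo "WARNING: PATH contains an entry resolving to the current directory: $PATH"
    else
        echo "PATH has no current-directory entries"
    fi
    demo=$(make_demo_tree)
    echo "Unexpected setuid files under $demo:"
    unexpected_suid "$demo"
    rm -rf "$demo"
fi
```

On a real host the audit would be `unexpected_suid /` with the site's own allowlist; anything it prints is a binary whose setuid bit should be removed unless there is a documented reason for it. The PATH check belongs in the shell profile review, since a trailing '.' is exactly what lets a file in a writable directory shadow a system command.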