Nibbles - Proving Grounds Practice
Enumeration
Nmap
Initial nmap scan revealed FTP, SMB, HTTP and PostgreSQL ports were open.
PostgreSQL Enumeration
At first I tried web enumeration and directory brute forcing but got nothing. Then I tried FTP and SMB brute forcing and again got nothing. Later, I tried the default credentials postgres:postgres for the PostgreSQL service and it worked.
I then checked the version and found out it was PostgreSQL 11.7.
Exploitation
CVE-2019-9193
In PostgreSQL 9.3 through 11.7, the “COPY TO/FROM PROGRAM” function allows superusers and users in the ‘pg_execute_server_program’ group to execute arbitrary code in the context of the database’s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
There was a CVE assigned for this version. After some research I found an exploit: https://www.exploit-db.com/exploits/50847
Executing it got me remote code execution.
Then I simply executed a reverse shell and obtained a user shell.
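The COPY TO/FROM PROGRAM abuse described above leaves a clear trace in the PostgreSQL server log when statement logging is enabled. The following detector is an added example written for this writeup, not code from the original post or from the exploit; it assumes log_statement = 'all' and a log_line_prefix of '%m [%p] %q%u@%d ' (both assumptions), and runs over a constructed set of log lines.

```python
import re

# Constructed sample lines, not from the original post, in the PostgreSQL stderr log
# format assumed above (log_line_prefix '%m [%p] %q%u@%d ', log_statement = 'all').
SAMPLE_LOG = """\
2024-01-01 10:00:01.123 UTC [4321] postgres@postgres LOG:  statement: SELECT version();
2024-01-01 10:00:05.456 UTC [4321] postgres@postgres LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2024-01-01 10:00:06.789 UTC [4321] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2024-01-01 10:00:09.000 UTC [4321] postgres@postgres LOG:  statement: SELECT * FROM cmd_exec;
2024-01-01 10:01:00.000 UTC [5555] app@appdb LOG:  statement: COPY users TO '/tmp/users.csv';
2024-01-01 10:02:00.000 UTC [5555] app@appdb LOG:  statement: GRANT pg_execute_server_program TO app;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)
# Rules as (pattern, severity, reason); the first matching rule wins, so order by severity.
RULES = [
    (re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I | re.S), "high",
     "COPY ... FROM/TO PROGRAM runs an OS command as the postgres server user (CVE-2019-9193 abuse pattern)"),
    (re.compile(r"\bGRANT\b.*\bpg_execute_server_program\b", re.I), "high",
     "grants the role that permits COPY ... PROGRAM"),
    (re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I), "high",
     "creates a superuser, which can run COPY ... PROGRAM"),
    (re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+'", re.I), "medium",
     "server-side COPY to/from a file path (file read/write on the database host)"),
]

def scan_log(text):
    """Return one finding dict per logged statement that matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (continuation or other LOG message)
        sql = m.group("sql")
        for pattern, severity, reason in RULES:
            if pattern.search(sql):
                findings.append({"ts": m.group("ts"), "user": m.group("user"),
                                 "db": m.group("db"), "severity": severity,
                                 "reason": reason, "sql": sql})
                break  # report only the most severe matching rule for this line
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']}@{f['db']}: {f['sql']}  -- {f['reason']}")
```

Run against the sample it reports the COPY ... FROM PROGRAM line and the role grant as high and the file-path COPY as medium; the ordinary SELECT and CREATE TABLE statements produce no finding.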
Privilege Escalation
find SUID
I executed the command below to locate SUID binaries.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
The find binary was a SUID binary.
I simply executed the necessary command from GTFOBins to obtain a root shell.
find . -exec /bin/sh -p \; -quit