Skip to content

Tryhackme - Poster Room WriteUp

Tryhackme1 min read


Poster is an easy category room developed by stuxnet . It depicts basically how a misconfiured RDBMS can lead to system hack. You can check out the room here.

Let's start with a quick nmap scan .

Initial Nmap scan

222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
3| ssh-hostkey:
4| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
5| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
6|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
780/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8|_http-server-header: Apache/2.4.18 (Ubuntu)
9|_http-title: Poster CMS
105432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10
11| ssl-cert: Subject: commonName=ubuntu
12| Not valid before: 2020-07-29T00:54:25
13|_Not valid after: 2030-07-27T00:54:25
14|_ssl-date: TLS randomness does not represent time
15Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we have SSH , a web server and postgres . Checking the web server , it is just a simple home page , nothing interesting. So , let's go with postgres. As the room directs us , we can use a lot of metasploit modules to enumerate and exploit postgres . First , we will check if there are any default passwords set up for the postgres server using the module auxiliary/scanner/postgres/postgres_login . - Login Successful: postgres:password@template1

We get a match !

Now, For executing arbitrary SQL commands on the server, we can use the module auxiliary/admin/postgres/postgres_sql. Using the command select version () , we can get the RDBMS version


We can also get the postgres user's hashes by using another metasploit module auxiliary/scanner/postgres/postgres_hashdump

1[+] Query appears to have run successfully
2[+] Postgres Server Hashes
5 Username Hash
6 -------- ----
7 darkstart md58842b99375db43e9fdf238753623a27d
8 poster md578fb805c7412ae597b399844a54cce0a
9 postgres md532e12f215ba27cb750c9e093ce4b5127
10 sistemas md5f7dbc0d5a06653e74da6b1af9290ee2b
11 ti md57af9ac4c593e9e4f275576e13f935579
12 tryhackme md503aab1165001c8f8ccae31a8824efddc

Now to achieve RCE , we will use the module


Running it, we will get a shell. Running id confirms that we are user postgres . Now , I tried to spawn a TTY but couldn't find python or php or anything useful . So I decided to enumerate the system. In the directory /home/dark , we see a juicy directory .

1ls -la /home/dark
2total 28
3drwxr-xr-x 2 dark dark 4096 Jul 28 20:33 .
4drwxr-xr-x 4 root root 4096 Jul 28 20:13 ..
5-rw------- 1 dark dark 26 Jul 28 20:33 .bash_history
6-rw-r--r-- 1 dark dark 220 Aug 31 2015 .bash_logout
7-rw-r--r-- 1 dark dark 3771 Aug 31 2015 .bashrc
8-rwxrwxrwx 1 dark dark 24 Jul 28 20:15 credentials.txt
9-rw-r--r-- 1 dark dark 655 May 16 2017 .profile

This gives us the credentials for the user dark. Since SSH is open , I logged on as dark in the system . Upon further enumeration , we find that there is a file users.txt in /home/alison . But it is only accessible by user alison. So tried some low hanging fruits like sudo -l , SUID binaries but couldn't find anything . So , I decided more ENUMERATION.

In /var/www/html , we see a config.php

3 $dbhost = "";
4 $dbuname = "alison";
5 $dbpass = <the password was stored here>;
6 $dbname = "mysudopassword";

So now , we have alison's password. Now , we can access users.txt and get our user flag.

Running sudo -l , we see the all time fav, ALL:ALL , so switch to root and we have our root flag !

Wrap it Up

Hope you learned something new . Thanks for reading and as always

See ya later!

© 2021 by Jatin Malik. All rights reserved.