Poster — TryHackMe — WriteUp

TonyRahmos
4 min readNov 17, 2020

--

Hello. I’m Rahmos. Here is my Poster — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports.

nmap -A -T4 -p- -v <ip>

nmap

As you can see, a PostgreSQL is running on port 5432.

Next, use Metasploit to gather login credential. I’m gonna use this module: auxiliary/scanner/postgres/postgres_login

Type “options” to see which field you need to set before attack. They are:

  • RHOSTS: the target machine’s ip
  • USER_FILE: the wordlist you choose to use for username, or you can use the default one.
  • PASS_FILE: the wordlist you choose to use for password, or you can use the default one.

After set all of these, type “run”.

metasploit

Now I’ve got the correct username and password. Remember to ignore @template1

Next, search for module to execute commands. Look at the hint, THM said it starts with “auxiliary”. One trick for you to search more specifically in Metasploit:

search type: auxiliary postgresql

This cmd will search only for auxiliary modules contain postgresql.

search msf

I will use this module: auxiliary/admin/postgres/postgres_sql

Again, type “options” to set fields:

  • PASSWORD: the password you’ve found above.
  • USERNAME: the username you’ve found above.
  • RHOSTS: target machine’s ip

Then, “run”.

Now I’ve got the postgre version.

Next, I’ll use this module to dump user’s hash: auxiliary/scanner/postgres/postgres_hashdump

Again, “options” and set needed fields. Then, “run”.

hashdump

I’ve found 6 user’s hashes.

The module to read file is: auxiliary/admin/postgres/postgres_readfile

The module that allows arbitrary command execution with the proper user credentials is: exploit/multi/postgres/postgres_copy_from_program_cmd_exec

I will use module: auxiliary/admin/postgres/postgres_readfile
read the flag.

You need to set the following fields before run:

  • PASSWORD: the password you find above.
  • USERNAME: the username you find above.
  • RHOSTS: target machine’s ip

There’s a file called “credentials.txt” at /home/dark. Let’s change “RFILE” to this file and read it.

credentials.txt

Now I’ve got the password of dark. Now SSH to the machine using dark credential.

ssh

Now I’m in! First, spawn a bash shell for stability using perl:

perl -e ‘exec “/bin/bash”;’

bash

Now move around to find our flag.

The user.txt is in alison’s home folder. But we cannot read it yet, cause it’s only accessible by alison.

Let’s find all files own by alison:

find / -type f -user alison 2>/dev/null

There’s a file called “config.php”. Let’s see if I can read it.

Ah yes! Now I have the password for alison.

Get the 1st flag:

user.txt

Now let’s own root to get the final flag. First, check if alison can run sudo:

sudo -l

sudo -l

Alison can run any command as sudo! Get the root flag:

root flag

The end.

HAPPY HACKING

--

--