Poster — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Poster — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports.
nmap -A -T4 -p- -v <ip>
As you can see, a PostgreSQL is running on port 5432.
Next, use Metasploit to gather login credential. I’m gonna use this module: auxiliary/scanner/postgres/postgres_login
Type “options” to see which field you need to set before attack. They are:
- RHOSTS: the target machine’s ip
- USER_FILE: the wordlist you choose to use for username, or you can use the default one.
- PASS_FILE: the wordlist you choose to use for password, or you can use the default one.
After set all of these, type “run”.
Now I’ve got the correct username and password. Remember to ignore @template1
Next, search for module to execute commands. Look at the hint, THM said it starts with “auxiliary”. One trick for you to search more specifically in Metasploit:
search type: auxiliary postgresql
This cmd will search only for auxiliary modules contain postgresql.
I will use this module: auxiliary/admin/postgres/postgres_sql
Again, type “options” to set fields:
- PASSWORD: the password you’ve found above.
- USERNAME: the username you’ve found above.
- RHOSTS: target machine’s ip
Then, “run”.
Now I’ve got the postgre version.
Next, I’ll use this module to dump user’s hash: auxiliary/scanner/postgres/postgres_hashdump
Again, “options” and set needed fields. Then, “run”.
I’ve found 6 user’s hashes.
The module to read file is: auxiliary/admin/postgres/postgres_readfile
The module that allows arbitrary command execution with the proper user credentials is: exploit/multi/postgres/postgres_copy_from_program_cmd_exec
I will use module: auxiliary/admin/postgres/postgres_readfile
read the flag.
You need to set the following fields before run:
- PASSWORD: the password you find above.
- USERNAME: the username you find above.
- RHOSTS: target machine’s ip
There’s a file called “credentials.txt” at /home/dark. Let’s change “RFILE” to this file and read it.
Now I’ve got the password of dark. Now SSH to the machine using dark credential.
Now I’m in! First, spawn a bash shell for stability using perl:
perl -e ‘exec “/bin/bash”;’
Now move around to find our flag.
The user.txt is in alison’s home folder. But we cannot read it yet, cause it’s only accessible by alison.
Let’s find all files own by alison:
find / -type f -user alison 2>/dev/null
There’s a file called “config.php”. Let’s see if I can read it.
Ah yes! Now I have the password for alison.
Get the 1st flag:
Now let’s own root to get the final flag. First, check if alison can run sudo:
sudo -l
Alison can run any command as sudo! Get the root flag:
The end.
HAPPY HACKING