Nibbles

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • Autorecon detected:

    • FTP (21)

    • SSH (22)

    • HTTP (80)

    • PostgreSQL (5437)

Service Analysis

  • The HTTP site was a static page with no functionality. FTP blocked anonymous logins, so PostgreSQL became the focus.

HTTP (80)

Gaining Initial Access

  • I tried the classic postgres:postgres combo, and it worked instantly:

psql -h 192.168.111.47 -p 5437 -U postgres

Postgres Connection

  • In a real engagement, I’d dig into databases for credentials or sensitive data, but since I had an easier path (RCE), I skipped it for now.

  • I grabbed a PostgreSQL RCE script from GitHub (postgresql_rce.py). My first reverse shell used a random port, 9911, but it failed, likely blocked by a firewall. Switching to port 5437 (same as PostgreSQL’s service port) worked, and the shell connected.

PostgreSQL RCE PoC

Privilege Escalation

  • Running linpeas.sh revealed that find had the SUID bit set.

find SUID

  • SUID means the command runs with the owner’s privileges (in this case, root). To test:

find test -exec whoami \;  # Output: root

  • Then, to spawn a root shell:

find test -exec /bin/bash -p \;

  • Boom, root access.

Root Access

Lessons Learned

  • Default Credentials Are Gold: postgres:postgres is still far too common.

  • SUID Misconfigurations: Always check binaries for SUID flags.

  • Port Mirroring: Firewalls often allow traffic on ports matching the open services (e.g., 5437 for PostgreSQL).
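As an added example (not part of the original writeup), a small POSIX shell audit that compares the SUID binaries on a host against an allow-list and flags anything unexpected, such as the /usr/bin/find from this box. The baseline list is an assumption for a Debian-style host and should be replaced with your own distribution's known-good set.

```shell
#!/bin/sh
# Added example: audit SUID binaries against an allow-list and report
# anything outside it. Not code from the original writeup.

# Assumed baseline of SUID binaries normally present on a Debian-style host.
# Replace with a known-good list generated from a clean image of your build.
BASELINE="/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount"

# unexpected_suid: reads SUID paths from stdin (one per line) and prints
# every path missing from BASELINE. Exit status 1 if anything was flagged,
# so the function can gate a CI or configuration-management check.
unexpected_suid() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED SUID: %s\n' "$path"
            found=1
        fi
    done
    return $found
}

# scan_host: enumerate SUID files on the local filesystem and audit them.
scan_host() {
    find / -xdev -type f -perm -4000 2>/dev/null | unexpected_suid
}

# Constructed sample output of `find / -perm -4000`, including the
# misconfigured find binary seen in the writeup.
SAMPLE="/usr/bin/sudo
/usr/bin/passwd
/usr/bin/find
/usr/bin/su"

# Run the live scan only when invoked with --scan; otherwise audit the sample.
if [ "${1:-}" = "--scan" ]; then
    scan_host
else
    printf '%s\n' "$SAMPLE" | unexpected_suid
fi
```

Running the script with --scan audits the real host; without it, the constructed sample flags only /usr/bin/find.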
