Nibbles
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
AutoRecon detected the following open ports:
FTP (21)
SSH (22)
HTTP (80)
PostgreSQL (5437)
Service Analysis
The HTTP site was a static page with no functionality. FTP blocked anonymous logins, so PostgreSQL became the focus.

Gaining Initial Access
I tried the classic postgres:postgres combo, and it worked instantly:
psql -h 192.168.111.47 -p 5437 -U postgres

In a real engagement, I’d dig into databases for credentials or sensitive data, but since I had an easier path (RCE), I skipped it for now.
I grabbed a PostgreSQL RCE script from GitHub (postgresql_rce.py). My first reverse shell used a random port, 9911, but it failed, most likely blocked by a firewall. Switching to port 5437 (the same port as the PostgreSQL service) worked, and the shell connected.

Privilege Escalation
Running linpeas.sh revealed that find had the SUID bit set.

The SUID bit means the binary runs with its owner's privileges (in this case, root) no matter who invokes it. To confirm ("test" is just any existing path for find to operate on):
find test -exec whoami \;   # Output: root
Then, to spawn a root shell:
find test -exec /bin/bash -p \;
Boom, root access.

Lessons Learned
Default Credentials Are Gold: postgres:postgres is still far too common.
SUID Misconfigurations: Always check binaries for SUID flags.
Port Mirroring: Firewalls often allow traffic on ports matching the open services (here, the random reverse-shell port was blocked but 5437, the PostgreSQL port, was not).
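As an added example (not part of the original writeup), here is a small POSIX shell audit that implements the "check binaries for SUID flags" lesson from the defender's side: it lists SUID files under a directory tree that are not on an allowlist of expected paths (the allowlist format, one absolute path per line, is my assumption), and a helper clears the bit from a binary such as find that should never carry it.

```shell
# Audit SUID files under a directory tree against an allowlist of expected paths.
# Any SUID file not in the allowlist is reported together with its owner; a
# root-owned SUID binary that can run arbitrary commands (find, on this box) is
# exactly the kind of finding this surfaces. Returns 0 if nothing unexpected is
# found, 1 otherwise.
suid_audit() {
    root="$1"        # directory tree to scan, e.g. /usr
    allowlist="$2"   # file with one expected SUID path per line (assumed format)
    # -perm -4000 matches any file with the set-user-ID bit, whatever the other bits;
    # grep -vxF -f drops paths that exactly match a line of the allowlist
    unexpected=$(find "$root" -type f -perm -4000 2>/dev/null \
        | grep -vxF -f "$allowlist" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "UNEXPECTED SUID: $f owner=$owner"
    done
    return 1
}

# Remediation for a binary that has no business being SUID: clear the bit in place.
suid_strip() {
    chmod u-s "$1"
}
```

Running suid_audit / /etc/suid-allowlist.txt as root on a freshly built host and saving the output gives a baseline to diff against on later runs.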