📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • Postgresql (Port 5437)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Linux

Nibbles

Writeup for Nibbles from offsec Proving Grounds

PreviousSnookumsNextChatty

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.163.47 all

Service Enumeration

HTTP (Port 80)

Looks like a blank website used for testing.

Doesn't look like there's anything else here that could be useful.

Postgresql (Port 5437)

Since we know the default username is postgres, we can try the default password as well, postgres, and we managed to log in.

Since this version of postgresql is higher than 9.3 and we are super user, we can run the following exploit.

Exploit

Let's use Metasploit for this exploit to make life easier.

And we got an interactive shell!

Privesc

Running LinEnum on the target machine, we find an interesting SUID file.

Searching on GTFObins and we got the exact command needed.

LogoPostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)Exploit Database
Logofind | GTFOBins