This lab focused on exploiting vulnerabilities in a Postgres service on a Linux server using Metasploit on Kali Linux. Through controlled exploitation and privilege escalation, the lab provided hands-on experience with vulnerability scanning, exploitation, and gaining administrative access.
- Effective use of Nmap and OpenVAS for scanning and vulnerability detection.
- Experience using Greenbone Security Assistant for managing vulnerability data.
- Proficiency with Metasploit Framework and Meterpreter for exploitation and shell interaction.
- Understanding of network security, pentesting methodologies, and privilege escalation techniques.
- Nmap/Zenmap – Network scanning for open ports and services.
- OpenVAS/Greenbone – Vulnerability scanning and management.
- Metasploit Framework – For exploiting vulnerabilities in Postgres and escalating privileges.
- Meterpreter – For shell interaction and control over the target system.
-
Nmap: Used to scan for open ports and services on the target system.
-
Example command:
nmap -T4 -A -v 203.0.113.100 -
Ref 1: Nmap/Zenmap Scan
-
-
OpenVAS with Greenbone: Launched OpenVAS to detect vulnerabilities.
-
Example usage:
/home/scripts/openvas_start -
Ref 2: Vulnerability Analysis
-
-
Metasploit Setup: Started PostgreSQL service and launched Metasploit to exploit the target.
- Command:
msfconsole
- Command:
-
PostgreSQL Exploitation: Ran auxiliary modules to brute-force and gain access.
-
Command:
use auxiliary/scanner/postgres/postgres_login -
Ref 3: Set Exploit Options
-
Ref 4: Run Exploit to Gain Access
-
-
Udev Netlink Exploit: Used local exploit to gain root privileges on the target system.
-
Explanation: This exploit targets a vulnerability in Udev’s netlink message handling. By sending a crafted netlink message, the exploit tricks Udev into executing a payload with root privileges, allowing privilege escalation.
-
Command:
use exploit/linux/local/udev_netlink -
Ref 5: Privilege Escalation
-
-
Execute Interactive Bash Shell: After exploiting the target, we executed
execute -f /bin/bash -ito spawn an interactive shell with root privileges.- Explanation: This command was used to start an interactive bash shell on the target system. By doing this, we gained direct root access, allowing us to issue commands dynamically with elevated permissions.
- Command:
execute -f /bin/bash -i
-
Verification and Accessing
/etc/shadow: With root access, we verified our elevated privileges by accessing the/etc/shadowfile, which stores hashed passwords and is only accessible by the root user.-
Command:
tail /etc/shadow -
Ref 7: Shadow File Access
)
-
This lab demonstrated the process of exploiting a vulnerable Postgres database, escalating privileges to root, and gaining a deeper understanding of penetration testing workflows.