Depending on the EF Codd relational model, an RDBMS allows users to build, update, manage, and interact with a relational database, which stores data as a table.
Today, several companies use relational databases instead of flat files or hierarchical databases to store business data. This is because a relational database can handle a wide range of data formats and process queries efficiently. In addition, it organizes data into tables that can be linked internally based on common data. This allows the user to easily retrieve one or more tables with a single query. On the other hand, a flat file stores data in a single table structure, making it less efficient and consuming more space and memory.
Most commercially available RDBMSs currently use Structured Query Language (SQL) to access the database. RDBMS structures are most commonly used to perform CRUD operations (create, read, update, and delete), which are critical to support consistent data management.
Lets grab some info from this box using Nmap
We are looking for the rdbms on the server
Nmap shows us that Postgresql is the answer
The port that it is running on is 5432
From here we launch metasploit and search for postgres
The aux module we are looking for is auxiliary/scanner/postgres/postgres_login
The options on that module show that it is pointing to port 5432 and using database, template1. We just need to set RHOSTS and exploit
With this module, we get username – postgres and password – password
Now we want to search for the module that allows us to execute commands with proper user credentials. Searching is metasploit, we get auxiliary/admin/postgres/postgres_sql
Options on that are pretty basic
We have our version info!
Next we want the module that will allow dumping user hashes. That is auxiliary/scanner/postgres/postgres_hashdump
After setting options and exploiting, we get the following 6 hashes
We now want the module that allows authenticated users to view files of their choosing on a server. That module will be auxiliary/admin/postgres/postgres_readfile
We also want the full path of the module that allows arbitrary command execution exploit/multi/postgres/postgres_copy_from_program_cmd_exec
From here I upgraded the shell using python to get some more capabilities
The user.txt file was located under an alison directory
Also found this interesting info
Checking into alisons files, we find a config.php file that contains some database credentials
There is a very good chance that this is her password
And we are in!
It appears that alison already has root privileges so no need to escalate. We just have to find the flag
