HACKING Central-Infosec{PostgreSQL}

Denice
5 min read · Apr 12, 2021

Hi! First of all, thank you for reading my first write up of Central Infosec’s Capture The Flag event. *heart eyes*

Let’s do another write-up. *Stretches* *puts on headphones while listening to Taylor Swift’s Complete Collection on Spotify*

BTW, Today Was A Fairytale’s my favorite of them all. Love you Tay.

Ok, so we are again faced with another database box; however, this time it is PostgreSQL. (NOTE: Central Infosec approved and gave me a go to do this write-up.)

Let’s fire up that VM and our network configuration. I know I already showed it on my first writeup however I was not that specific, so some of you might not be able to follow.

(NOTE: these are just my preferred settings. You can choose what you like :) )

I have 2 VMs on my VMWare:

Right click the VM you want to configure:

Click the Settings option and Network Adapter from Virtual Machine Settings. For the Network connection, choose host-only.

Given the steps above, please follow them on the next VM, which is the Central Infosec CIS-WEBSRV01. (You might wanna turn it off and on afterwards for the change to take effect.)

Again, these are just my preferred settings. You can always choose what you like! (Note: I think there are some challenges that require it to be in BRIDGED mode, so yes, try to switch.)

The rest of the walkthrough will be done from the Linux Machine. Done? Yes done. Cool. Let’s go to the main event! rings bell *ting ting ting ting*

I scanned my network again to see the IP of the vulnerable machine:

sudo arp-scan -l

Got the IP now. Very awesome! Now let’s check if Port 5432 is OPEN. (https://nmap.org/nsedoc/scripts/pgsql-brute.html)

Perfect, it is OPEN.

Warning: please do not scan a network UNLESS you are AUTHORIZED to do so.

What’s next? Let’s try to connect to the PostgreSQL using the command below:

psql -h <IPofCentralVM> -U admin

*GASPS* There is no “admin” role. How. Ok, don’t give up. Let’s try “root”

psql -h <IPofCentralVM> -U root

PANIC INTENSIFIES. This cannot be. There’s no root and admin. That’s weird. Okay let’s try another command:

psql -h <host> -p 5432 -U admin -d postgres (-U for username, -d for Database Name)

Okay. NONE. How about we drink a glass of water first before proceeding?

Think think think think think. LAST, let’s try to guess another. How about the postgres name itself? hmm.

psql -h <host> -p 5432 -U postgres -d postgres

ALERT!!!! WE GOT IN. WE GOT IN Y’ALL.

Let’s check info under the DATABASE postgres, see what tables are in here:

\l (this command shows us the list of databases)

There are 3 databases as presented above. Let’s examine all three. Start with the first database “postgres”. First we will switch to that DB using the command below:

\connect postgres (or you can do \c postgres too)

Nice! you’re doing great! Let’s investigate if there are tables.

\d (this command shows us the list of tables under your selected DB)

Yay!! There is! Kinda weird, because the MySQL challenge gave us a hint from the very start (see here: https://hal3.medium.com/central-infosec-maria-db-50c75585744e)

We will try to know what’s inside those table. Are you ready? Yes? Yes? Yes.

SELECT * FROM postgres; (or you can also do TABLE postgres;)

OMG. Treasure found. Is this the FLAG?! cross fingers. We’ll go back to the Central Infosec CTF page and see if it’s really it.

BRAVO. It is the FLAG!!! Sweet. Never leave your DBs unattended.
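
Whether a remote login like the one above is accepted is decided by the server's pg_hba.conf, which this write-up does not show. As an added example (not part of the original write-up or of Central InfoSec's material), here is a small Python check that flags host rules allowing non-loopback clients in with the trust, password or md5 methods. The sample file and the names audit_hba and is_remote are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the CTF box).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      trust
host    appdb     appuser   10.0.0.0/24    md5
host    all       postgres  192.168.56.0 255.255.255.0 password
"""

WEAK_METHODS = {
    "trust": "no password is requested at all",
    "password": "password is sent in cleartext",
    "md5": "legacy hash; prefer scram-sha-256",
}

def is_remote(address):
    """True when the ADDRESS field matches more than the loopback interface."""
    if address in ("all", "samenet"):
        return True
    if address == "samehost":
        return False
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return True  # hostname or domain-suffix rule: treat as remote

def audit_hba(text):
    """Return (line_no, user, address, method, reason) for risky host rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blanks, unix-socket ("local") rules
        _type, _db, user, address, *rest = fields
        # Old-style "IP NETMASK" uses two fields; method names never contain . or :
        if len(rest) > 1 and ("." in rest[0] or ":" in rest[0]):
            address, rest = f"{address}/{rest[0]}", rest[1:]
        method = rest[0]
        if method in WEAK_METHODS and is_remote(address):
            findings.append((no, user, address, method, WEAK_METHODS[method]))
    return findings

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(finding)
```

Point it at the real file by passing its contents to audit_hba; psql's SHOW hba_file; tells you where the file lives.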

IMPORTANT QUESTION: So how many Taylor Swift songs did you finish alongside this quest?

(Anyway I am curious what’s inside the template0 and template1! I would cover it here but I’ll leave that up to you.)


Yay!! Thank you very much again for reading my second writeup about Central Infosec CTF. I hope you are able to follow these steps and find the flag as well!

If you want to know more about Central Infosec, please see below:

(btw I’m not affiliated with Central Infosec)

Central InfoSec

Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming, Penetration Testing, and Security Training. The Central InfoSec team consists of skilled security professionals bringing a total of 20+ years of red teaming, penetration testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including OSCP, OSWP, GXPN, GPEN, GWAPT, GMOB, AWS-CSS, AWS-CCP, PenTest+, CEH, CISSP, and more. The Central InfoSec team goes one step further and develops open-source tools including Burp Suite extensions, Cobalt Strike aggressor scripts, scripts tying into tools (including GoPhish, PhishMe, Slack, Lair), other custom-built security tools, and Capture The Flag (CTF) events!

Achieved Awards
Central InfoSec has achieved the following industry awards:
Best Penetration Testing & Security Consulting Firm — Corporate Excellence Awards, 2021
5 Best Cyber Security Companies to Watch — The Silicon Review, 2021
10 Best Security Companies — CIO Bulletin, 2021
10 Most Promising Cybersecurity Consulting/Service Companies — CIO Review, 2020

Social Media links:

https://www.facebook.com/centralinfosec/
https://twitter.com/centralinfosec
https://www.linkedin.com/company/centralinfosec/
https://twitter.com/JAMESM0RR1S


Denice

Information Security Analyst & a huge fan of drinking water. Interested in anything related to Malware and Cyber Espionage.