Saturday, April 18, 2026

Post-Exploitation on Windows EC2

After elevating your privileges to a database superuser on a PostgreSQL server running on a Windows EC2 instance, you may want to find out where you are and which host you are on (depending on the path taken to get to the server). Unfortunately, with only limited remote read/write (as in this situation) and no full remote code execution, interacting with an ephemeral file system can be difficult. As a superuser, though, you likely have permission to use pg_catalog.pg_file_write(), pg_ls_dir() and/or pg_read_file(). So which areas of the file system can we read and write as an attacker?

It depends on a few layers of permissions (the Postgres instance, Windows, and EC2), but the traditional C:\Windows\win.ini is a good first test. Once that was successful, I started using pg_ls_dir to list the directories under C:\Users. If none can be accessed, try C:\ProgramData.
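From the defender's side, the first question is which roles can actually reach these functions. The audit and hardening script below is an added example, not code from the original post; it assumes PostgreSQL 11 or later (where EXECUTE on the server-side file functions is granted and revoked like any other function), that the adminpack extension is what supplies pg_file_write and its siblings, and it uses app_role as a placeholder for whatever role the application connects as.

```sql
-- Added example (not from the original post). Assumes PostgreSQL 11+; the
-- pg_file_write / pg_file_unlink / pg_file_rename rows only appear if the
-- adminpack extension is installed (adminpack was removed in PostgreSQL 17).

-- 1. Every (role, function) pair where the role can call a file function.
--    Superusers always pass has_function_privilege(), so they are listed too.
--    Membership in pg_read_server_files / pg_write_server_files lifts the
--    restriction that otherwise confines a non-superuser caller to the data
--    and log directories, so it is reported alongside.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       p.oid::regprocedure AS file_function,
       pg_has_role(r.oid, 'pg_read_server_files',  'MEMBER') AS reads_any_path,
       pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER') AS writes_any_path
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN pg_roles r
WHERE n.nspname = 'pg_catalog'
  AND p.proname IN ('pg_read_file', 'pg_read_binary_file', 'pg_ls_dir',
                    'pg_stat_file', 'pg_file_write', 'pg_file_unlink',
                    'pg_file_rename')
  AND r.rolname NOT LIKE 'pg\_%'          -- skip the built-in pg_* roles
  AND has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER BY r.rolname, file_function;

-- 2. File functions whose ACL grants EXECUTE to PUBLIC (expected: no rows).
--    A NULL proacl means default privileges, and the default for functions
--    is EXECUTE to PUBLIC, so fold that case in with acldefault().
SELECT p.oid::regprocedure AS file_function,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE a.grantee::regrole::text END AS grantee
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) a
WHERE n.nspname = 'pg_catalog'
  AND p.proname IN ('pg_read_file', 'pg_read_binary_file', 'pg_ls_dir',
                    'pg_stat_file', 'pg_file_write', 'pg_file_unlink',
                    'pg_file_rename')
  AND a.privilege_type = 'EXECUTE'
  AND a.grantee = 0;

-- 3. Tighten: the application role (app_role is a placeholder) gets no direct
--    EXECUTE on any of these, regardless of how many overloads this server has,
--    and no membership in the server-file roles.
DO $$
DECLARE
    f regprocedure;
BEGIN
    FOR f IN
        SELECT p.oid::regprocedure
        FROM pg_proc p
        JOIN pg_namespace n ON n.oid = p.pronamespace
        WHERE n.nspname = 'pg_catalog'
          AND p.proname IN ('pg_read_file', 'pg_read_binary_file', 'pg_ls_dir',
                            'pg_stat_file', 'pg_file_write', 'pg_file_unlink',
                            'pg_file_rename')
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM app_role', f);
    END LOOP;
END
$$;

REVOKE pg_read_server_files, pg_write_server_files FROM app_role;
```

Two caveats on the revokes: they only remove grants made directly to app_role, so a grant inherited through PUBLIC or another group role has to be revoked from that grantee instead (query 2 shows the PUBLIC case), and none of this helps once the attacker is already a superuser, which is the post's starting point. The durable fix is that the role reachable from the application is never a superuser and never a member of the pg_*_server_files roles; the Windows ACLs on C:\ProgramData and the Postgres service account then form the second layer the post is probing.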

Sometimes ACLs do weird things to EC2-specific directories. For example, I couldn't read logs under this directory:

C:\ProgramData\Amazon\EC2-Windows\Launch

However, I was able to read logs under:

C:\ProgramData\Amazon\Inspector\Logs

Those logs contained the information I was looking for (the first line of each log had the host name, EC2-AMAZ...). I was also able to write files to C:\ProgramData. Temp directories didn't seem to work as well.
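Each of the probes above is an ordinary SQL statement, so the cheapest detection is to look for calls to these functions in whatever statement telemetry the server already keeps. The query below is an added example, not from the original post; it assumes the pg_stat_statements extension is installed and loaded via shared_preload_libraries, and it reports which role, in which database, has been calling the file-access functions and how often.

```sql
-- Added example (not from the original post). Assumes pg_stat_statements is
-- installed in this database and loaded through shared_preload_libraries.
-- \m and \M are PostgreSQL regex word boundaries, so pg_read_file matches but
-- a column or function name that merely contains the string does not.
SELECT r.rolname            AS executed_by,
       d.datname            AS in_database,
       s.calls,
       s.rows,
       left(s.query, 200)   AS query_text
FROM pg_stat_statements s
JOIN pg_roles    r ON r.oid = s.userid
JOIN pg_database d ON d.oid = s.dbid
WHERE s.query ~* '\mpg_(read_file|read_binary_file|ls_dir|stat_file|file_write|file_unlink|file_rename)\M'
ORDER BY s.calls DESC;
```

Two limits to keep in mind: pg_stat_statements normalises constants, so the path argument shows up as a parameter placeholder rather than C:\ProgramData\..., and a superuser can wipe the view with pg_stat_statements_reset(). To capture the actual paths, and to keep the record out of the attacker's reach, log the statements (log_statement = 'all' is the blunt setting; it is expensive on busy servers) and ship the log off the instance, for example to CloudWatch, rather than relying only on in-database counters.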

Your mileage may vary, but these are some of the locations the Postgres process is likely to have permission to read or write; Claude helped enumerate them as a starting point.
