0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Restore using Docker Container
  • Prerequisites
  • Setup container structure
  • Access the database container

Was this helpful?

  1. Post Exploit
  2. VMware

Restore VCSA Postgres Database

Last updated 5 months ago

Was this helpful?

Before diving into data extraction, it’s essential to understand the anatomy of a typical vCSA backup:

  • Backups are usually stored on a network share.

  • The top-level folder of the network share will have a folder named 'vCenter'.

  • Inside the 'vCenter' folder, you will find separate folders for each vCenter instance being backed up to the network share.

  • Each vCenter folder contains subfolders for individual backup runs. These subfolders are named using the following convention: an initial letter ('M' for manually created or 'S' for scheduled backups), followed by the vCenter version, and ending with a timestamp.

  • Inside these subfolders, you’ll find various files related to different vCSA components. For our purposes, we need specific files to restore the internal PostgreSQL database.

Restore using Docker Container

Prerequisites

From the VCSA backup we need the following files to restore the Postgres database:

  • database_full_backup.tar.gz

  • wal_backup_*.tar.gz

  • wal_dir_struct.tar.gz

If the database is password protected you'll usually find the password in the archive file config_files.tar.gz, at etc/vmware-vpx/vcdb.properties, root/.pgpass or etc/vmware-vpx/embedded_db.cfg.

Setup container structure

## Create directory 'vcsa_recovery' 
apt :: web/s3/loot » ls -al
...
-rw-rw-r-- 1 void void 7955684429 Nov 28 14:14 database_full_backup.tar.gz
drwxrwxr-x 2 void void       4096 Nov 28 16:01 vcsa_recovery
-rw-rw-r-- 1 void void    4902456 Nov 28 15:23 wal_backup_1.tar.gz
-rw-rw-r-- 1 void void    5065989 Nov 28 15:24 wal_backup_2.tar.gz
-rw-rw-r-- 1 void void    8063773 Nov 28 15:24 wal_backup_3.tar.gz
-rw-rw-r-- 1 void void    4088343 Nov 28 15:25 wal_backup_4.tar.gz
-rw-rw-r-- 1 void void    4213428 Nov 28 15:25 wal_backup_5.tar.gz
-rw-rw-r-- 1 void void    5292680 Nov 28 15:25 wal_backup_6.tar.gz
-rw-rw-r-- 1 void void    4715323 Nov 28 15:26 wal_backup_7.tar.gz
-rw-rw-r-- 1 void void     163128 Nov 28 15:26 wal_backup_8.tar.gz
-rw-rw-r-- 1 void void        192 Nov 28 15:23 wal_dir_struct.tar.gz

## Extract content, it is important to start with 'database_full_backup.tar.gz' 
## as it will create the directory structure.
apt :: web/s3/loot » cd vcsa_recovery 
apt :: s3/loot/vcsa_recovery » tar xzf ../database_full_backup.tar.gz
apt :: s3/loot/vcsa_recovery » for i in {1..8}; do tar xzf ../wal_backup_$i.tar.gz; done
apt :: s3/loot/vcsa_recovery » tar xzf ../wal_dir_struct.tar.gz

## wal-files are extracted to storage/archive/vpostgres, extract them and move to pg_xlog
apt :: s3/loot/vcsa_recovery » cd storage/archive/vpostgres
apt :: storage/archive/vpostgres » ls -al
total 38724
drwxrwxr-x 2 void void    4096 Nov 29 08:25 .
drwxrwxr-x 3 void void    4096 Nov 29 08:25 ..
-rw------- 1 void void 5122431 Nov 28 02:35 00000001000003EA000000E6.gz
-rw------- 1 void void 5328181 Nov 28 02:43 00000001000003EA000000E7.gz
-rw------- 1 void void 4426101 Nov 28 02:45 00000001000003EA000000E8.gz
-rw------- 1 void void 4584563 Nov 28 02:45 00000001000003EA000000E9.gz
-rw------- 1 void void 4650365 Nov 28 02:45 00000001000003EA000000EA.gz
-rw------- 1 void void 4728503 Nov 28 02:47 00000001000003EA000000EB.gz
-rw------- 1 void void 5543681 Nov 28 02:53 00000001000003EA000000EC.gz
-rw------- 1 void void 5008740 Nov 28 03:00 00000001000003EA000000ED.gz
-rw------- 1 void void  236885 Nov 28 03:00 00000001000003EA000000EE.gz
apt :: storage/archive/vpostgres » gunzip *
apt :: storage/archive/vpostgres » mv * ../../dblog/vpostgres/pg_xlog/

## Reconfigure postgresql.conf
apt :: storage/archive/vpostgres » cd ../../../
apt :: s3/loot/vcsa_recovery » vim storage/db/vpostgres/postgresql.conf

old: unix_socket_directories = '/var/run/vpostgres'
new: unix_socket_directories = '/var/run/postgresql'

old: #log_destination = 'stderr'
new: log_destination = 'stderr'

old: logging_collector = on
new: #logging_collector = on

old: stats_temp_directory = '/dev/shm/postgres_stats'
new: #stats_temp_directory = '/dev/shm/postgres_stats'

old: shared_preload_libraries = 'health_status_worker,pg_stat_statements'
new: shared_preload_libraries = 'pg_stat_statements'

## Change ownership of files to match PostgreSQL docker image uid and gid
apt :: s3/loot/vcsa_recovery » cd ..
apt :: web/s3/loot » sudo chown -R 999:999 vcsa_recovery

Access the database container

## Start the container
apt :: web/s3/loot » sudo docker run -it --rm --name=vcsa_recovery_db -e PGDATA=/storage/db/vpostgres -v ./vcsa_recovery/storage:/storage postgres:13

PostgreSQL Database directory appears to contain a database; Skipping initialization

2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/postgresql.conf.repl"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.634 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/postgresql.conf.repl"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/standby.conf"
2024-11-29 07:37:29.635 GMT [1] LOG:  skipping missing configuration file "/storage/db/vpostgres/stig.conf"
2024-11-29 07:37:29.680 UTC 67496f39.1 0    1 39 LOG:  starting PostgreSQL 13.18 (Debian 13.18-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
2024-11-29 07:37:29.680 UTC 67496f39.1 0    1 40 LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-11-29 07:37:29.680 UTC 67496f39.1 0    1 41 LOG:  listening on IPv6 address "::", port 5432
2024-11-29 07:37:29.683 UTC 67496f39.1 0    1 42 LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-11-29 07:37:29.688 UTC 67496f39.1a 0    26 1 LOG:  database system was interrupted; last known up at 2024-11-28 01:36:36 UTC
2024-11-29 07:37:29.807 UTC 67496f39.1a 0    26 2 LOG:  database system was not properly shut down; automatic recovery in progress
2024-11-29 07:37:29.811 UTC 67496f39.1a 0    26 3 LOG:  redo starts at 3EA/E6000028
2024-11-29 07:37:30.488 UTC 67496f39.1a 0    26 4 LOG:  redo done at 3EA/EE0776F8
2024-11-29 07:37:30.496 UTC 67496f39.1a 0    26 5 LOG:  checkpoint starting: end-of-recovery immediate
2024-11-29 07:37:30.932 UTC 67496f39.1a 0    26 6 LOG:  checkpoint complete: wrote 14637 buffers (8.6%); 0 WAL file(s) added, 0 removed, 9 recycled; write=0.400 s, sync=0.003 s, total=0.438 s; sync files=258, longest=0.003 s, average=0.001 s; distance=147456 kB, estimate=147456 kB
2024-11-29 07:37:30.941 UTC 67496f39.1 0    1 43 LOG:  database system is ready to accept connections

As noted earlier login credentails can be found in config_files.tar.gz, /etc/vmware-vpx/vcdb.properties, root/.pgpass or /etc/vmware-vpx/embedded_db.cfg.

Access the database: sudo docker exec -it vcsa_recovery_db psql -U vc VCDB

Useful Queries:

## List all VM:s and their annotations
SELECT name,annotation FROM vpxv_vms;

## Dump all event tables to file (with password)
for i in {1..92}; do sudo docker exec -it -e PGPASSWORD='s3cretp@ssw0rd' vcsa_recovery_db psql -h localhost -U vc -d VCDB -c "SELECT username FROM vpx_event_$i;" -o /storage/out/event_$i.txt; done

## Dump all event tables to file (without password)
for i in {1..92}; do sudo docker exec -it vcsa_recovery_db psql -U postgres VCDB -c "SELECT username FROM vpx_event_$i;" -o /storage/out/event_$i.txt; done

## List event data dates
SELECT * FROM vpx_event_partition_lookup;

## Account information
SELECT * FROM vpx_access;

## Unknown maybe good (?) session info
SELECT * FROM vpx_device;