Funnel (Tier 1)
Description
Tier -> 1
Difficulty -> Very Easy
OS -> Linux
Tags -> FTP / PostgreSQL / Reconnaissance / Tunneling / Password Spraying / Port Forwarding / Anonymous-Guest Access / Clear Text Credentials
Write-up
I started doing an initial scan using Nmap
nmap 10.129.219.72 -p- -Pn --min-rate 2500 -oN scan.txt

With this, I answered the first question

Answer: 2
Then I ran a more detailed scan against the open ports (service version detection plus the default scripts) to learn more about the running services
nmap 10.129.219.72 -p21,22 -sVC -oN serv_scan.txt

I identified two running services. Focusing on the FTP service on port 21, I tried logging in as the anonymous user and got in
ftp 10.129.219.72

To learn more about the FTP protocol you can go here
I listed the shared directory and found a folder named mail_backup. I entered it, listed its contents and found two interesting files, which I downloaded from the server before closing the connection

With this, I answered the next question

Answer: mail_backup
I checked the contents of the downloaded files: one was an email informing the company's new employees about the password policy, and the other was the policy document itself. Reading it, I found the valuable detail that the default password for the company's digital services was funnel123#!#


With this, I answered the next question

Answer: funnel123#!#
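Two weaknesses combine in this step: the FTP server accepts anonymous logins, and a default password sits in clear text in a share that anonymous users can read. The Python script below is an added example, not part of this write-up or the lab, showing the defender's side of it: it parses vsftpd-style log lines to report which clients logged in anonymously and which files they fetched, and it checks a vsftpd.conf fragment for anonymous_enable, which vsftpd treats as YES when the key is absent. The log lines, config text, file names and client addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample in vsftpd's own log style (not taken from the lab machine).
SAMPLE_VSFTPD_LOG = """\
Mon Jun 12 10:01:02 2023 [pid 1201] CONNECT: Client "10.10.14.5"
Mon Jun 12 10:01:03 2023 [pid 1200] [anonymous] OK LOGIN: Client "10.10.14.5", anon password "anon@example.com"
Mon Jun 12 10:01:10 2023 [pid 1202] [anonymous] OK DOWNLOAD: Client "10.10.14.5", "/mail_backup/welcome_email.txt", 713 bytes, 45.12Kbyte/sec
Mon Jun 12 10:01:12 2023 [pid 1202] [anonymous] OK DOWNLOAD: Client "10.10.14.5", "/mail_backup/password_policy.pdf", 58899 bytes, 1024.00Kbyte/sec
Mon Jun 12 10:05:40 2023 [pid 1310] CONNECT: Client "10.10.14.9"
Mon Jun 12 10:05:41 2023 [pid 1309] [ftpuser] OK LOGIN: Client "10.10.14.9"
Mon Jun 12 10:05:50 2023 [pid 1311] [ftpuser] OK UPLOAD: Client "10.10.14.9", "/incoming/report.txt", 120 bytes, 10.00Kbyte/sec
"""

# Constructed vsftpd.conf fragment containing the setting that matters here.
SAMPLE_VSFTPD_CONF = """\
# anonymous_enable=YES   (left over from the distro template)
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""

# Matches LOGIN/DOWNLOAD/UPLOAD records; bare CONNECT lines carry no user and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def parse_vsftpd(log_text):
    """Return one dict per recognised record (ts, user, status, action, client, path)."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]


def anonymous_activity(events):
    """Per client address: successful anonymous logins and the files that session fetched."""
    report = defaultdict(lambda: {"logins": 0, "downloads": []})
    for ev in events:
        if ev["user"] != "anonymous" or ev["status"] != "OK":
            continue
        entry = report[ev["client"]]
        if ev["action"] == "LOGIN":
            entry["logins"] += 1
        elif ev["action"] == "DOWNLOAD":
            entry["downloads"].append(ev["path"])
    return dict(report)


def anonymous_enabled(conf_text):
    """True when the config permits anonymous logins. vsftpd's built-in default for
    anonymous_enable is YES, so a missing key counts as enabled."""
    value = "YES"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key == "anonymous_enable":
            value = val.upper()
    return value == "YES"


if __name__ == "__main__":
    for client, info in anonymous_activity(parse_vsftpd(SAMPLE_VSFTPD_LOG)).items():
        print(f"{client}: {info['logins']} anonymous login(s), fetched {info['downloads']}")
    print("anonymous logins allowed:", anonymous_enabled(SAMPLE_VSFTPD_CONF))
```

On a real host the script would read /var/log/vsftpd.log and /etc/vsftpd.conf instead of the embedded samples; the log report tells you what an anonymous visitor actually took, and the config check is the one-line fix that would have stopped this step.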
With this password I could try to log in somewhere else. Since I had also found an SSH service running on the machine, I tried logging in there with the usernames exposed in the email. After trying all of them, I found that christine worked and got in. After that, I sanitized the terminal to interact with the system more comfortably
ssh christine@10.129.219.72


With this, I answered the next question

Answer: christine
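Trying one known password against a list of usernames is a password spray, and it leaves a different trace in the SSH logs than brute force: one source, several accounts, one failure each, sometimes followed by an Accepted line. The Python script below is an added example, not from this write-up, that parses sshd auth.log-style lines and flags sources whose failed logins touched at least min_users distinct accounts inside a time window, recording whether the same source later logged in successfully. A per-account lockout counter never fires on this pattern because no single account accumulates many failures. The hostname, usernames, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt in sshd's syslog format (hostname, users, addresses invented).
SAMPLE_AUTH_LOG = """\
Jun 12 10:20:01 srv01 sshd[2201]: Invalid user alice from 10.10.14.5 port 50211
Jun 12 10:20:01 srv01 sshd[2201]: Failed password for invalid user alice from 10.10.14.5 port 50211 ssh2
Jun 12 10:20:04 srv01 sshd[2203]: Invalid user bob from 10.10.14.5 port 50213
Jun 12 10:20:04 srv01 sshd[2203]: Failed password for invalid user bob from 10.10.14.5 port 50213 ssh2
Jun 12 10:20:07 srv01 sshd[2205]: Failed password for carol from 10.10.14.5 port 50215 ssh2
Jun 12 10:20:10 srv01 sshd[2207]: Accepted password for christine from 10.10.14.5 port 50217 ssh2
Jun 12 10:20:10 srv01 sshd[2207]: pam_unix(sshd:session): session opened for user christine by (uid=0)
Jun 12 10:25:30 srv01 sshd[2301]: Failed password for christine from 10.10.14.22 port 40001 ssh2
Jun 12 10:25:35 srv01 sshd[2303]: Failed password for christine from 10.10.14.22 port 40002 ssh2
Jun 12 10:25:41 srv01 sshd[2305]: Failed password for christine from 10.10.14.22 port 40003 ssh2
"""

# Only the lines that state a password-auth outcome; "Invalid user" and pam lines are ignored.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+ ssh2$'
)


def parse_auth_log(text, year=2023):
    """Return (timestamp, source, user, result) per outcome line.
    syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spraying(events, min_users=3, window=timedelta(minutes=10)):
    """Flag sources whose failures touched >= min_users distinct accounts within `window`.
    Counting per source (not per account) is what makes a spray visible."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "Failed"]
        # Sliding window over the failures: largest set of distinct users inside any window.
        best_users, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {e[2] for e in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) < min_users:
            continue
        findings[src] = {
            "users_tried": sorted(best_users),
            "attempts": len(fails),
            "accepted_as": sorted({e[2] for e in evs if e[3] == "Accepted"}),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_spraying(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: spray across {info['users_tried']} ({info['attempts']} failures),"
              f" later accepted as {info['accepted_as'] or 'nobody'}")
```

In the sample, 10.10.14.5 is reported (three accounts, then a successful login as christine, which is the alert worth acting on), while 10.10.14.22 hammering a single account is left to the ordinary per-account threshold.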
Then I looked for a way to escalate privileges. After exploring some common escalation vectors without finding anything relevant, I went deeper and checked the running processes for anything bound to the loopback address. This revealed a process running on port 5432
ps aux | grep "127.0.0.1"

To get more details about it, I used the ss command to list the listening sockets and relate one of them to the process I had found. I first listed the sockets with numeric ports, and then with service names resolved so I could match them up. This confirmed that port 5432 belonged to postgresql
ss -tuln
ss -tul

With this and a little research, I answered the next questions

Answer: postgresql

Answer: local port forwarding
As the service was bound to localhost, I couldn't reach it directly from my machine, but since I had SSH access I could set up a tunnel using local port forwarding to reach it. I created the tunnel through SSH and then checked on my machine that the port had been forwarded properly
ssh -L 7777:127.0.0.1:5432 christine@10.129.219.72
ss -tlp


Then I could connect to the database. I used the PostgreSQL command line client, psql, pointing it at the forwarded port on my machine and using the credentials I had obtained, and the connection succeeded
psql -h 127.0.0.1 -p 7777 -U christine

Once connected, I listed the databases and found an interesting one named secrets. I switched to it, listed its tables and found one named flag. Finally, I retrieved all rows from that table and found the flag inside
christine=# \l
christine=# \c secrets
secrets=# \dt
secrets=# SELECT * FROM flag;

With this and a little research, I answered the last questions

Answer: secrets

Answer: Yes
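Binding PostgreSQL to 127.0.0.1 kept it off the network, but any account with SSH access can reach a loopback listener through a port forward, and here the database accepted the same default password as the shell account. Whether a loopback-only service is actually protected therefore comes down to pg_hba.conf. The Python script below is an added example, not from this write-up, that parses pg_hba.conf rules and flags the weak ones: trust entries, clear-text password authentication on non-TLS connections, rules that match any client address, and loopback rules open to all users and all databases. The sample file is constructed; the column layout and method names are those of the real file.

```python
import ipaddress

# Constructed pg_hba.conf (not the lab machine's); same column layout as the real file.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     trust
host    all             all             127.0.0.1/32            password
host    all             all             ::1/128                 md5
host    all             all             0.0.0.0/0               md5
hostssl secrets         christine       10.0.0.0/8              scram-sha-256
"""

# Authentication methods pg_hba.conf accepts; used to tell a netmask column from the method.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi", "ident",
           "peer", "pam", "ldap", "radius", "cert", "bsd"}


def parse_pg_hba(text):
    """Parse rules into dicts; 'local' rules have no address, host rules use CIDR or mask form."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            addr, method = None, f[3]
        else:
            addr, idx = f[3], 4
            if f[idx] not in METHODS:          # "ADDRESS NETMASK" form
                addr, idx = f"{addr} {f[idx]}", idx + 1
            method = f[idx]
        rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                      "addr": addr, "method": method})
    return rules


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1 address rules; keywords such as 'all' are not loopback."""
    try:
        return ipaddress.ip_network(addr.split()[0], strict=False).network_address.is_loopback
    except ValueError:                          # 'all', 'samehost', hostnames, ...
        return False


def audit_pg_hba(rules):
    """Return (severity, location, message) findings for weak rules."""
    findings = []
    for r in rules:
        where = f"line {r['line']}"
        if r["method"] == "trust":
            findings.append(("HIGH", where, "trust: matching clients connect with no authentication"))
        if r["method"] == "password" and r["type"] != "hostssl":
            findings.append(("MEDIUM", where, "password: clear-text password on a non-TLS connection"))
        if r["type"] in ("host", "hostnossl") and r["addr"] in ("0.0.0.0/0", "::/0", "all"):
            findings.append(("HIGH", where, "rule matches any client address"))
        if r["addr"] and is_loopback(r["addr"]) and r["db"] == "all" and r["user"] == "all":
            findings.append(("INFO", where, "loopback rule for all users and databases: any shell "
                             "or SSH-forwarding user on the host reaches every database with any "
                             "valid database password"))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit_pg_hba(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"[{sev}] {where}: {msg}")
```

The INFO finding is the one that matches this box: a loopback rule for all users and all databases means a single reused password is enough once someone has a shell. Tightening it to the specific database and role, using scram-sha-256, and not reusing the shell password for the database role closes that path; listen_addresses in postgresql.conf only decides where the server listens, and sshd's AllowTcpForwarding setting decides whether SSH users can build such tunnels at all.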
And finally, I got the root flag and pwned the machine

Answer: cf277664b1771217d7006acdea006db1