Funnel (Tier 1)
Tier -> 1
Difficulty -> Very Easy
OS -> Linux
Tags -> FTP / PostgreSQL / Reconnaissance / Tunneling / Password Spraying / Port Forwarding / Anonymous-Guest Access / Clear Text Credentials
With this, I answered the first question
Answer: 2
Then I did an exhaustive scan to learn more about the running services on the open ports
I identified two running services, focusing on the FTP protocol running on port 21, and tried logging in as an anonymous user and successfully got in
I checked the shared resources and found a folder named mail_backup. I accessed it, listed its contents, and found two interesting files, which I downloaded from the server and closed the connection
With this, I answered the next question
Answer: mail_backup
I checked the contents of the downloaded files and found what seemed to be an email informing new employees of an enterprise about the password policy, and also a document containing the policy. Checking its content, I found valuable information letting me know that the default password used for the digital services was funnel123#!#
With this, I answered the next question
Answer: funnel123#!#
Now with this password, I could try to log in somewhere else. As I also found an SSH service running on the machine, I tried to log in there using one of the users exposed in the email. After trying all the usernames, I finally found that using christine I successfully got in. After that, I sanitized the terminal to interact more comfortably with the system
With this, I answered the next question
Answer: christine
Then I wanted to find a way to escalate privileges. After exploring some escalation vectors I didn't find anything relevant, so to go deeper, I tried checking the programs running locally on the host. With this, I found a process running on port 5432
To get more details about it, I used the ss command to get information about the sockets running to relate any with the process found. I first listed the services showing the port the sockets were running on, and then the name of the service to relate them. With that, I confirmed that port 5432 was running the postgresql program
With this and a little research, I answered the next questions
Answer: postgresql
Answer: local port forwarding
As the service was locally deployed, I couldn't access or interact with it, but as I had access via SSH, I could try to make a tunnel via Local Port Forwarding so I could access it from my machine. So I mounted the tunnel through SSH and after that, I checked on my machine that the service had been forwarded properly
Once there, I listed the databases and found an interesting one named secrets, so I accessed it and listed the tables finding a table named flag. Last, I retrieved all of the information from this table, and inside that, I found the flag
With this and a little research, I answered the last questions
Answer: secrets
Answer: Yes
And finally, I got the root flag and pwned the machine
Answer: cf277664b1771217d7006acdea006db1
I started doing an initial scan using
To learn more about the FTP protocol you can go
To learn about the sanitization process you can go , and to learn more about the SSH protocol you can go .
Then I could interact with the service to connect to the database. I tried using the command line utility, specifying the location of the service on my machine and using the credentials I had got. Once I had done it, I connected successfully to the database
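Seen from the defender's side, the walkthrough shows that binding PostgreSQL to loopback does not isolate it from anyone who holds an SSH login while sshd permits TCP forwarding. The following is an added example, not part of the original write-up: an audit sketch that reads `ss -tln` output and the global section of an sshd_config and lists the loopback-only listeners an SSH user could reach. The sample inputs and function names are constructed for illustration, and per-user Match blocks are not evaluated.

```python
# Constructed sample of `ss -tln` output, modelled on the host in this write-up.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       32      *:21                *:*
LISTEN  0       128     [::1]:6010          [::]:*
"""

# Constructed sshd_config fragment; the directive is commented out, so the default applies.
SSHD_SAMPLE = """\
PasswordAuthentication yes
#AllowTcpForwarding yes
"""

def loopback_listeners(ss_output):
    """Return (address, port) pairs, sorted by port, for sockets bound only to loopback."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop "%lo" scope and IPv6 brackets
        if addr.startswith("127.") or addr == "::1":
            found.add((addr, int(port)))
    return sorted(found, key=lambda pair: pair[1])

def local_forwarding_allowed(sshd_config):
    """Evaluate the global AllowTcpForwarding setting (OpenSSH default: yes)."""
    for line in sshd_config.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0].lower() == "match":  # per-user Match blocks are out of scope here
            break
        if words[0].lower() == "allowtcpforwarding" and len(words) > 1:
            return words[1].lower() in ("yes", "all", "local")  # first value wins
    return True

def reachable_via_ssh(ss_output, sshd_config):
    """Loopback services an SSH user can reach with local port forwarding."""
    return loopback_listeners(ss_output) if local_forwarding_allowed(sshd_config) else []

if __name__ == "__main__":
    for addr, port in reachable_via_ssh(SS_SAMPLE, SSHD_SAMPLE):
        print(f"{addr}:{port} is loopback-only but reachable through SSH forwarding")
```

On a real host, feed the functions the actual `ss -tln` output and the contents of /etc/ssh/sshd_config; an empty result with forwarding set to no or remote means the loopback binding is holding as an isolation boundary for SSH users.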