HackTheBox - Starting Point - Tier 1 - Funnel

Article directory

    • 1 Topic
    • 2 Experimental process
    • 3 Using SSH Tunnel
      • 3.1 Local port forwarding

1 Topic

Tags

FTP, PostgreSQL, Reconnaissance, Tunneling, Password Spraying, Port Forwarding, Anonymous/Guest Access, Clear Text Credentials

Connect

To attack the target machine, you must be on the same network. Connect to the Starting Point VPN using one of the following options.
It may take a minute for HTB to recognize your connection. If you don't see an update after 2-3 minutes, refresh the page.

TASK 1

How many TCP ports are open?

Answer: 2

TASK 2

What is the name of the directory that is available on the FTP server?

Answer: mail_backup

TASK 3

What is the default account password that every new member on the "Funnel" team should change as soon as possible?

Answer: funnel123#!#

TASK 4

Which user has not changed their default password yet?

Answer: christine

TASK 5

Which service is running on TCP port 5432 and listens only on localhost?

Answer: postgresql

TASK 6

Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? Remote port forwarding or local port forwarding?

Answer: local port forwarding

TASK 7

What is the name of the database that holds the flag?

Answer: secrets

TASK 8

Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

Answer: yes

SUBMIT FLAG

Submit root flag

2 Experimental process

1. Port scan

nmap -sC -sV 10.129.152.201

2. FTP anonymous login

ftp 10.129.252.232
# log in with the user name "anonymous" and an empty password

3. Download the files from the FTP server

4. Read password_policy.pdf and welcome_28112022

Email accounts found: [email protected] [email protected] [email protected] [email protected] [email protected]

Default password found: funnel123#!#

5. Use the default password found above to spray the SSH accounts (the same password is tried against every user name)

Account dictionary: user.txt:[optimus, albert, andreas, christine, maria]
Password dictionary:
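Seen from the defender's side, the spray in step 5 leaves a recognisable trace in sshd's auth log: one source address trying many different user names within a short window, rather than hammering one account. The following is an added example, not code from the write-up, that flags that pattern over constructed sample lines (the host name, PIDs, addresses and timestamps are made up for the demonstration):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt (sample data, not captured from the lab machine).
SAMPLE_AUTH_LOG = """\
Nov 28 10:01:02 funnel sshd[1201]: Failed password for optimus from 10.10.14.7 port 50112 ssh2
Nov 28 10:01:03 funnel sshd[1203]: Failed password for albert from 10.10.14.7 port 50114 ssh2
Nov 28 10:01:04 funnel sshd[1205]: Failed password for andreas from 10.10.14.7 port 50116 ssh2
Nov 28 10:01:05 funnel sshd[1207]: Accepted password for christine from 10.10.14.7 port 50118 ssh2
Nov 28 10:01:06 funnel sshd[1209]: Failed password for maria from 10.10.14.7 port 50120 ssh2
Nov 28 10:05:00 funnel sshd[1300]: Failed password for christine from 192.168.1.20 port 40000 ssh2
Nov 28 10:05:30 funnel sshd[1302]: Failed password for christine from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2022):
    # Return (timestamp, result, user, source_ip) for each sshd password event.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_spray(events, min_users=3, window_seconds=300):
    # A spray (one password tried against many accounts) shows up as one source
    # hitting >= min_users distinct user names inside a short window; a classic
    # brute force hammers a single account and is deliberately not flagged here.
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            users = {e[2] for e in window}
            if len(users) >= min_users:
                findings[ip] = {"users": sorted(users),
                                "accepted": sorted(e[2] for e in window if e[1] == "Accepted")}
                break
    return findings
```

The "accepted" list is the important part of a finding: it names the accounts whose default password the spray actually worked against, which is exactly the user Task 4 asks about.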

6. SSH login and enumeration

ssh [email protected]

# List the TCP ports listening on this machine (numeric addresses and ports)
ss -tln

# Without -n, ss resolves port numbers to service names: 5432 shows up as postgresql
ss -tl

# The PostgreSQL client is not installed on the target
psql

# And it cannot be installed either, since apt requires root
apt install postgresql-client-common

3 Using SSH Tunnel

1. Tunnel introduction

A tunneling protocol is a communications protocol that allows data to be moved from one network to another by encapsulation.
It works by using the data portion (payload) of a packet to carry the packet that actually provides the service. Tunneling uses a layered protocol model, such as those of the OSI or TCP/IP protocol suites, but often violates layering by using payloads to carry services the network does not normally provide. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.
Tunnels provide access to resources on a remote internal network that would otherwise be unreachable.
Three common SSH tunnels:
1. Local port forwarding
With local port forwarding, a separate channel is created inside an existing, valid SSH session that forwards network traffic from a port on the client machine to a port on the remote server. Under the hood, SSH allocates a socket listener on the client on the given port; when a connection is made to that port, it is forwarded through the existing SSH session to the remote server's port.
2. Remote port forwarding
Also known as reverse tunneling, this is the exact opposite of local port forwarding. Once the SSH connection is established, a separate channel is created that SSH uses to redirect traffic arriving at a port on the server back to the client.
Under the hood, SSH allocates a socket listener on the server on the given port; when a connection is made to that port, it is forwarded through the existing SSH session to the client's local port.
3. Dynamic port forwarding
With both local and remote forwarding, the local port and the remote port must be defined before the tunnel is created. Dynamic forwarding instead lets the user specify a single port on which SSH acts as a SOCKS5 proxy: whatever destination the client application asks for, its packets are exchanged between client and server through that SOCKS5 proxy over the SSH session.
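To make the "under the hood" description of local port forwarding concrete, here is an added Python illustration (not code from the write-up or from OpenSSH) of the client-side piece: a loopback listener that relays every accepted connection to a target port. It stands in a loopback-only echo service for PostgreSQL, and asks for port 0 so the OS picks a free local port, which avoids the kind of port conflict the write-up ran into.

```python
import socket
import threading

def _pump(src, dst):
    # Relay bytes one way until src reaches EOF, then close dst's write side.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(port, handler):
    # Bind 127.0.0.1:port (0 = any free port) and hand each accepted socket to handler.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    def loop():
        while True:
            try:
                conn, _ = s.accept()
            except OSError:
                return  # listener closed by the caller
            handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return s

def local_forward(listen_port, target_host, target_port):
    # Client-side role of "ssh -L": a local listener whose connections are relayed
    # to target_host:target_port (here without the encrypting SSH transport in between).
    def handle(client):
        upstream = socket.create_connection((target_host, target_port))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    return _listen(listen_port, handle)

def echo_server(port=0):
    # Stand-in for the loopback-only service (PostgreSQL on 5432 in the lab).
    return _listen(port, lambda c: threading.Thread(target=_pump, args=(c, c), daemon=True).start())

def roundtrip(port, payload):
    # Talk to the forwarder's local port and return everything the far side sends back.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Because the listener binds to 127.0.0.1, the forwarded service is reachable only from the forwarding host, which mirrors the default behaviour of ssh -L and is the setting to keep unless other machines genuinely need the tunnel.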

3.1 Local port forwarding

ssh -L 1234:localhost:5432 [email protected]

With this, SSH opens a listening socket on port 4444 on our local machine; any traffic we send to local port 4444 is forwarded through the SSH session to port 5432 on the target machine. The "localhost" in the -L argument is resolved on the target, which is why a service bound only to the target's loopback becomes reachable.

Note: Due to a port conflict, port 1234 was later changed to port 4444, so the commands below use 4444.

1. Install psql on the local system and connect through the tunnel to the PostgreSQL service on the target's port 5432

psql -U christine -h localhost -p 4444

2. Now that the SSH tunnel gives us a connection to the PostgreSQL service, we can run psql meta-commands to explore the databases

# \l is short for \list: list the existing databases
\l

Five databases are listed: christine, postgres, secrets, template0, template1

# Connect to the secrets database
\c secrets

# List the tables in the current database
\dt

# Read the flag
select * from flag;