Funnel

Task 1: How many TCP ports are open?

  • Run an nmap scan:

nmap [Target IP]
  • The scan reports that ports 21 and 22 are open.

Task 2: What is the name of the directory that is available on the FTP server?

  • Run the following to connect to the FTP server:

ftp [Target IP]
  • Log in as "anonymous" to check whether that account is available. The password is empty, so just press Enter.

  • Use the ls command to list out the directories

  • The only directory available in the current directory is "mail_backup"

Task 3: What is the default account password that every new member on the "Funnel" team should change as soon as possible?

  • List the contents of the mail_backup directory.

  • There is a PDF file in there called password_policy.pdf.

  • Use the get command to download the file.

  • The policy states that the default password is "funnel123#!#"

Task 4: Which user has not changed their default password yet?

  • Start by downloading and viewing the file welcome_28112022

  • This is an email to new employees.

  • There is a string of employee emails in the To line.

  • The username for the ftp account is "christine", with the default password of funnel123#!#

Task 5: Which service is running on TCP port 5432 and listens only on localhost?

  • You can google the port number or run an nmap scan on that specific port.

nmap -p 5432 [Target IP]
  • The answer is postgresql

Task 6: Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?

  • The answer is "local port forwarding"

Task 7: What is the name of the database that holds the flag?

  • First start by making an SSH connection to the target through a local port with the following command:

ssh -L 1234:localhost:5432 christine@[Target IP]
  • The -L flag specifies local port forwarding.

  • 1234 is the port on my host machine that the traffic is forwarded through.

  • 5432 is the port on the target's localhost that the forwarded traffic is delivered to, for use with psql.

  • Once this is done, I opened a new terminal window on my host machine.

psql -U christine -h localhost -p 1234
  • Since psql isn't installed on the machine christine logs in to, I forward the traffic through my machine so I can use the command from there.

  • Once we do this, we should have access to the PostgreSQL server through psql.

  • Use the \l command to list out available databases

  • One of the databases is "secrets"

Task 8: Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

  • Yes
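
Both the local forward from Task 7 and the dynamic tunnel from Task 8 only work because the SSH server permits TCP forwarding for the account. The following is an added example, not part of the original walkthrough: a shell function that reads sshd_config text and reports the effective AllowTcpForwarding value for one user. The sample configurations are constructed, and as a simplifying assumption only "Match User" (exact names) and "Match all" blocks are interpreted.

```shell
#!/bin/sh
# Added example: effective AllowTcpForwarding for one user, from sshd_config text.
# Assumption: other Match criteria (Group, Address, patterns) are treated as
# not matching, so review those blocks by hand.

effective_forwarding() {   # $1 = user name, sshd_config text on stdin
    awk -v user="$1" '
        BEGIN { scope = "global"; active = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        {
            key = tolower($1)                        # keywords are case-insensitive
            if (key == "match") {
                scope = "match"; active = 0
                crit = tolower($2)
                if (crit == "all") active = 1
                else if (crit == "user" && NF == 3) {
                    n = split($3, names, ",")
                    for (i = 1; i <= n; i++) if (names[i] == user) active = 1
                }
                next
            }
            if (key != "allowtcpforwarding" || !active) next
            val = tolower($2)
            # sshd keeps the first value it sees in each scope, and a
            # satisfied Match block overrides the global section.
            if (scope == "global" && g == "") g = val
            if (scope == "match"  && m == "") m = val
        }
        END {
            if (m != "") print m
            else if (g != "") print g
            else print "yes"                         # sshd default when unset
        }'
}

# Constructed sample: forwarding never mentioned, so the default applies.
sample_default() {
    printf '%s\n' '# constructed sample' 'PasswordAuthentication yes'
}

# Constructed sample: forwarding denied for christine, restricted for admin.
sample_hardened() {
    printf '%s\n' 'AllowTcpForwarding yes' \
        'Match User christine' '    AllowTcpForwarding no' \
        'Match User admin'     '    AllowTcpForwarding local'
}

sample_hardened | effective_forwarding christine
```

A result of "no" for an account means the ssh -L command above would connect but the forward to port 5432 would be refused.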

Capture the Flag:

  • Use the \c secrets command to access the secrets database.

  • Use the \dt command to list the tables in the database

    • This will show a table called flag

  • Use the following command to view all items in the table:

SELECT * FROM flag;
  • The flag listed is:

    • cf277664b1771217d7006acdea006db1
