
Funnel


Last updated 2 years ago

Task 1: How many TCP ports are open?

  • Run an nmap scan:

nmap [Target IP]
  • The scan reports that ports 21 and 22 are open.

Task 2: What is the name of the directory that is available on the FTP server?

  • Run the following to connect to the FTP server:

ftp [Target IP]
  • Log in as "anonymous" to check whether that account is available. The password is empty, so just press Enter.

  • Use the ls command to list out the directories

  • The only directory available in the current directory is "mail_backup"

Task 3: What is the default account password that every new member on the "Funnel" team should change as soon as possible?

  • Check the contents of the mail_backup directory.

  • There is a PDF file in there called password_policy.pdf.

  • Use the get command to download the file.

  • The policy document states that the default password is "funnel123#!#"

Task 4: Which user has not changed their default password yet?

  • Start by downloading and viewing the file welcome_28112022

  • This is an email to new employees.

  • There is a string of employee emails in the To line.

  • The username for the FTP account is "christine", with the default password of funnel123#!#

Task 5: Which service is running on TCP port 5432 and listens only on localhost?

  • You can google the port number or run an nmap scan on that specific port.

nmap -p 5432 [Target IP]
  • The answer is postgresql

Task 6: Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?

  • The answer is "local port forwarding"

Task 7: What is the name of the database that holds the flag?

  • First start by making an SSH connection to the target through a local port with the following command:

ssh -L 1234:localhost:5432 christine@[Target IP]
  • The -L flag specifies local port forwarding.

  • 1234 is the port on my host machine that the traffic is forwarded through.

  • localhost:5432 is where the target sends that traffic: port 5432 on the target's own localhost, which psql reaches through the tunnel.

  • Once this is done, I opened a new terminal window on my host machine.

psql -U christine -h localhost -p 1234
  • Since psql isn't installed on the local machine for christine, I will forward the traffic through my machine to utilize the command.

  • Once we do this we should have access to the psql database.

  • Use the \l command to list out available databases

  • One of the databases is "secrets"
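
The ssh -L command in Task 7 only works because the target's SSH server permits TCP forwarding for christine. As an added example (not part of the original write-up, and not the machine's actual configuration), this Python sketch evaluates constructed sshd_config samples to decide whether such a forward would be accepted. The sample configs and the "dbadmin" account are assumptions, and only global keywords, "Match all" and "Match User" are handled.

```python
# Added example: simplified evaluator for sshd_config forwarding policy.
# Handles only global keywords, "Match all" and "Match User <name,name>";
# real sshd supports more criteria and wildcard patterns.

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # OpenSSH defaults

# Constructed sample: forwarding keywords absent, so the defaults apply.
WEAK = """
PasswordAuthentication yes
"""

# Constructed sample: forwarding off globally; "dbadmin" is a hypothetical
# account that may forward only to the loopback PostgreSQL port.
HARDENED = """
AllowTcpForwarding no
Match User dbadmin
    AllowTcpForwarding local
    PermitOpen localhost:5432
"""

def effective_policy(config_text, user):
    """Return the effective forwarding keywords for `user`."""
    global_kw, match_kw = {}, {}
    target = global_kw                      # section currently being filled
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            crit = value.split()
            applies = crit[0].lower() == "all" or (
                len(crit) == 2 and crit[0].lower() == "user"
                and user in crit[1].split(","))
            target = match_kw if applies else None
        elif target is not None and key in DEFAULTS:
            target.setdefault(key, value)   # first obtained value wins
    return {**DEFAULTS, **global_kw, **match_kw}

def local_forward_allowed(config_text, user, dest):
    """Would sshd accept `ssh -L <port>:<dest>` for this user?"""
    pol = effective_policy(config_text, user)
    if pol["allowtcpforwarding"].lower() not in ("yes", "all", "local"):
        return False
    allowed = pol["permitopen"].lower().split()  # destinations compared literally
    return "any" in allowed or dest.lower() in allowed
```

On a real host, running sshd -T with a -C connection spec such as user=christine prints the effective settings with full Match handling.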

Task 8: Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

  • Yes

Capture the Flag:

  • Use the \c secrets command to access the secrets database.

  • Use the \dt command to list the tables in the database

    • This will show a table called flag

  • Use the following command to view all items in the table:

SELECT * FROM flag;
  • The flag listed is:

    • cf277664b1771217d7006acdea006db1
