# Funnel

**Task 1: How many TCP ports are open?**

* Run an nmap scan:

```
nmap [Target IP]
```

* The scan reports that ports 21 and 22 are open.

**Task 2: What is the name of the directory that is available on the FTP server?**

* Run the following to connect to the FTP server:

```
ftp [Target IP]
```

* Check whether the "anonymous" account is available. The password is empty, so just hit Enter at the prompt.
* Use the `ls` command to list the directories.
* The only directory available in the current directory is "mail\_backup".

**Task 3: What is the default account password that every new member on the "Funnel" team should change as soon as possible?**

* Check the contents of the mail\_backup directory.
* There is a PDF file in there called password\_policy.pdf.
* Use the `get` command to download the file.
* The policy states that the default password is "funnel123#!#".

**Task 4: Which user has not changed their default password yet?**

* Start by downloading and viewing the file welcome\_28112022.
* This is an email to new employees.
* There is a string of employee email addresses in the To line.
* The username for the FTP account is "christine", with the default password of funnel123#!#

**Task 5: Which service is running on TCP port 5432 and listens only on localhost?**

* You can google the port number or run an nmap scan on that specific port.

```
nmap -p 5432 [Target IP]
```

* The answer is postgresql

**Task 6: Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?**

* The answer is "local port forwarding"

**Task 7: What is the name of the database that holds the flag?**

* Start by opening an SSH connection to the target with a local port forward, using the following command:

```
ssh -L 1234:localhost:5432 christine@[Target IP]
```

* The `-L` flag specifies local port forwarding.
* `1234` is the port on my host machine that the traffic is forwarded through.
* `localhost:5432` is the destination as seen from the target: its own localhost, on port 5432, which psql will reach through the tunnel.
* Once this was done, I opened a new terminal window on my host machine and connected through the forwarded port:

```
psql -U christine -h localhost -p 1234
```

* Since psql isn't installed on the target machine for christine to use, I forward the traffic through my machine and run the client from there.
* Once this is done, we should have access to the PostgreSQL server.
* Use the `\l` command to list the available databases.
* One of the databases is "secrets"
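
A server-side check for the forward used above, as an added example that is not part of the original walkthrough: it reads the effective configuration printed by `sshd -T` (optionally with `-C user=christine` so that `Match` blocks are resolved) and reports whether an `-L` forward to a given destination would be accepted under `AllowTcpForwarding` and `PermitOpen`. The function names and the sample outputs are constructed for illustration.

```python
# Added example: helper names are hypothetical, sample `sshd -T` output is constructed.

def parse_effective(text):
    """Parse `sshd -T` output (lowercase 'keyword value...' lines) into a dict."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            # Collect every value after the keyword, across repeated lines too
            cfg.setdefault(parts[0].lower(), []).extend(parts[1:])
    return cfg

def split_hostport(spec):
    """Split 'host:port' or '[v6addr]:port' at the last colon."""
    host, _, port = spec.rpartition(":")
    return host.strip("[]").lower(), port

def local_forward_allowed(text, dest):
    """True if a client -L forward to dest ('host:port') would be accepted."""
    cfg = parse_effective(text)
    # sshd defaults when a keyword is absent: AllowTcpForwarding yes, PermitOpen any
    mode = (cfg.get("allowtcpforwarding") or ["yes"])[0].lower()
    if mode not in ("yes", "all", "local"):
        return False  # 'no' and 'remote' both block -L
    rules = cfg.get("permitopen") or ["any"]
    if rules[0].lower() == "any":
        return True
    if rules[0].lower() == "none":
        return False
    want_host, want_port = split_hostport(dest)
    for rule in rules:
        host, port = split_hostport(rule)
        # '*' is the only wildcard; names are compared literally, never resolved
        if host in ("*", want_host) and port in ("*", want_port):
            return True
    return False

# Constructed samples of `sshd -T -C user=christine` output
DEFAULT = "port 22\nallowtcpforwarding yes\npermitopen any\n"
HARDENED = "port 22\nallowtcpforwarding no\npermitopen any\n"
SCOPED = "port 22\nallowtcpforwarding local\npermitopen 127.0.0.1:8080\n"

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT), ("hardened", HARDENED), ("scoped", SCOPED)):
        print(name, local_forward_allowed(sample, "localhost:5432"))
```

With the default settings the forward to `localhost:5432` is accepted; either `AllowTcpForwarding no` or a `PermitOpen` list that omits the database port makes sshd refuse it.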

**Task 8: Could you use a dynamic tunnel instead of local port forwarding? Yes or No.**

* Yes

**Capture the Flag:**

* Use the `\c secrets` command to connect to the secrets database.
* Use the `\dt` command to list the tables in the database.
  * This will show a table called flag.
* Use the following command to view all rows in the table:

```
SELECT * FROM flag;
```

* The flag listed is:
  * cf277664b1771217d7006acdea006db1
