Funnel

6MB

Funnel_Write_Up.pdf

pdf

Task 1: How many TCP ports are open?

• Run a nmap scan:

nmap [Target IP]

• This will return that Ports 21 and 22 are open.

Task 2: What is the name of the directory that is available on the FTP server?

• Run the following to connect to the FTP server:

ftp [Target IP]

• Check to see if the "anonymous" account is available. The password should be nothing. Just hit enter.

• Use the ls command to list out the directories

• The only directory available in the current directory is "mail_backup"

Task 3: What is the default account password that every new member on the "Funnel" team should change as soon as possible?

• Check the directory for mail_backup.

• There is a pdf file in there called password_policy.pdf.

• Use the get command to download the file.

• They mention that the default password is "funnel123#!#"

Task 4: Which user has not changed their default password yet?

• Start by downloading and viewing the file welcome_28112022

• This is an email to new employees.

• There is a string of employee emails in the To line.

• The username to the ftp account is "christine" with the default password of funnel123#!#

Task 5: Which service is running on TCP port 5432 and listens only on localhost?

• You can google the port number or run an nmap scan on that specific port.

nmap -p 5432 [Target IP]

• The answer is postgresql

Task 6: Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?

• The answer is "local port forwarding"

Task 7: What is the name of the database that holds the flag?

• First start by making an SSH connection to the target through a local port with the following command:

ssh -L 1234:localhost:5432 christine@[Target IP]

• -L flag specifies using local port forwarding

• Specifying port 1234 on the my host machine for the traffic to be forwarded through.

• Specifying 5432 to connect back to the local host through that port for psql

• Once this is done, I opened a new terminal window on my host machine.

psql -U christine -h localhost -p 1234

• Since psql isn't installed on the local machine for christine, I will forward the traffic through my machine to utilize the command.

• Once we do this we should have access to the psql database.

• Use the \l command to list out available databases

• One of the databases is "secrets"

Task 8: Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

• Yes

Capture the Flag:

• Use the \c secrets command to access the secrets database.

• Use the \dt to list the tables in the database

  • This will show a table called flag

• Use the following command to view all items in the table:

SELECT * FROM flag;

• The flag listed is:

  • cf277664b1771217d7006acdea006db1