HTB Notes: Funnel

William Ma

FTP

We begin by scanning the box with nmap. We find two ports open on the machine:

  1. 21 (ftp) and

  2. 22 (ssh)

We can access the ftp server using the anonymous user account.

An interesting note: either the anonymous or the ftp user works, and any password is accepted.

There are two files on the FTP server.

  1. A PDF document outlining the password policy

  2. A template of a welcome email

Password spraying (SSH)

According to OWASP:

Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application.

This is exactly what we'll do.

  1. We can get the default password for the system by reading the password policy

  2. We can get a list of users from reading the welcome email

We have all the information we need to conduct a password spray attack. We iterate through the list of users using the default password to try and log in to the machine via ssh.

Eventually we find one that works.
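A defender's view of the technique above: the following is an added example, not code from the original writeup, that parses constructed sshd log lines and flags any source address that fails logins for several different accounts inside a short window, which is the signature of a password spray (many users, one password). The hostname, usernames and addresses in the sample are invented.

```python
import re
from datetime import datetime

# Constructed sample sshd lines (not from the box): 203.0.113.7 tries one
# password against many accounts and finally gets in; 198.51.100.9 mistypes once.
SAMPLE_AUTH_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Mar 10 10:00:03 host sshd[1203]: Failed password for bob from 203.0.113.7 port 50212 ssh2
Mar 10 10:00:05 host sshd[1205]: Failed password for carol from 203.0.113.7 port 50213 ssh2
Mar 10 10:00:07 host sshd[1207]: Failed password for invalid user dave from 203.0.113.7 port 50214 ssh2
Mar 10 10:00:09 host sshd[1209]: Accepted password for eve from 203.0.113.7 port 50215 ssh2
Mar 10 10:02:00 host sshd[1300]: Failed password for frank from 198.51.100.9 port 41000 ssh2
Mar 10 10:02:04 host sshd[1302]: Accepted password for frank from 198.51.100.9 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Return (timestamp, result, user, source) tuples for password-auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; fine for relative windows
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_password_spray(text, window_seconds=300, min_users=3):
    """Flag sources that fail logins for >= min_users distinct accounts within window_seconds."""
    by_src = {}
    for ev in parse_auth_log(text):
        by_src.setdefault(ev[3], []).append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if e[1] == "Failed"]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:]
                         if (e[0] - first[0]).total_seconds() <= window_seconds]
            users = sorted({e[2] for e in in_window})
            if len(users) >= min_users:
                # accounts the same source logged into after the spray began: a spray that worked
                accepted = sorted({e[2] for e in events
                                   if e[1] == "Accepted" and e[0] >= first[0]})
                findings[src] = {"sprayed_users": users, "accepted": accepted}
                break  # report the first qualifying window per source
    return findings
```

Tuning min_users and window_seconds to the environment matters: a single user retrying a forgotten password, like 198.51.100.9 above, must not trip the rule.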

SSH Tunnelling

After gaining access to the machine with a user account, we run the following command to see what services are open and listening.

ss -l -t -n

This command displays socket information on the machine. -l shows the sockets that are listening. -t shows the TCP sockets. -n prints numeric addresses and port numbers instead of resolving them to names.

We can see a PostgreSQL service (port 5432) listening on localhost of the compromised machine. This means the PostgreSQL service can only be connected to from that same host. However, our compromised user account can't connect from there because the psql command isn't available on the machine.

We can access the PostgreSQL service by creating a local port forwarding tunnel.

ssh -L 127.0.0.1:5001:127.0.0.1:5432 user@host

This command says that anything we send to 127.0.0.1:5001 (port 5001 on our machine) goes through the host (the compromised machine) and is forwarded to 127.0.0.1:5432 (port 5432 on the compromised machine).

In summary, we can connect to the PostgreSQL server through the compromised host.

PostgreSQL

We can connect to the PostgreSQL server with the following command, using the password that we found earlier.

psql --host=127.0.0.1 --port=5001 --username=<user>

Every database client has different commands for interacting with the database. We can find all the commands using \?. Using \l to list databases, \c <database> to connect to them, \dt to show tables, we can easily figure out where the flag is hiding in one of the tables.

Summary

This was a fun machine. I liked the technique of using ssh tunnelling to gain access to internal resources. Internal services usually have fewer defensive measures than public services, because they seem safer inside a network. However, if an attacker penetrates that network, it gives them more opportunities to compromise the network or escalate their privileges.

I also liked the idea of using password spraying to compromise a user on the system. This shows the importance of encouraging users to change the default passwords as soon as possible.


Written by

William Ma

Software Engineer based in Sydney, Australia