Port enumeration

Uning nmap, I found 2 open ports, 21 and 22. 6ad4fe118588e398fc5aefb1d25f8c84.png

FTP enumeration

The ftp server have the anonymous user enabled, so, I use this user to log in the server and read the files. ef534bba659210b123532ff9e2f58cf2.png Here, I found 2 files. 2ce424f2bb79a4af233157c6fb8dfa19.png First one is a mail, where I see a user list in the recipients. 2d706289a8f0aed3168ad980eaa66a72.png The last one is more interesting, is a pdf where we can see the password policy, this policy includes a default password who need to be changed. ac3f8b45f4fd078df7c0c91c9fd334d0.png

Brute force

So, if someone of the users in the mail hasn't changed the default password, I will be able to log, for this, I use Hydra.

hydra -L users.txt -p 'funnel123#!#' -V ssh://10.129.32.216

f648d811ae70c1ab2f218ee70312f93b.png This user is christine, so, using the credentials christine:funnel123#!# I obtain a shell using ssh. 349d165d17c72fa2d8eae39450e537cf.png

Local machine enumeration

Inside the machine, I found a postgresql instance in 5432.

ss -tulnp

5e47a61b3d2e832fe56f64b5d631ac9d.png Using ssh, I redirect this port to my local machine.

ssh -L 8000:localhost:5432 christine@10.1239.32.215

2d9887ed869b8c5fdb14254d05704c73.png Here, In the database, I enumerated all until I found the flag.

\list

413316245ace1629a527c503f7270254.png

\c secrets
\dt

21027ad91ad52e40a35b4424a3aa7878.png

SELECT * FROM FLAG;

2b3a8de96d3b87c002d98c8b9cad1aa6.png