Want to run this Docker container locally?

docker run -d -p 9010:22 --network flag-e-net --cap-add=NET_ADMIN --restart always --name flag-e-container joshbeck2024/ctf-tunnel-challenge-flag-e

For this lab, you are given the ssh credentials to the box. (Port 9010)

On Kali:

ssh [email protected] -p 9010

This time we need to look at the difference between what’s listening on the external IP address versus what’s listening on localhost.

nmap 172.25.200.200 -p 9010

nmap isn’t installed on this machine, but port sweeping is easy enough with a bash script like this:

Open a new file called scan.sh using the vi text editor

vi scan.sh

Paste in the following script

#!/bin/bash
# Sweep TCP ports 1-1000 on a target using bash's built-in /dev/tcp
# pseudo-device, so neither nmap nor nc needs to be installed on the box.

if [ -z "$1" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

TARGET="$1"

echo "[*] Starting port sweep on $TARGET (ports 1-1000)"
echo

for PORT in $(seq 1 1000); do
    # The redirect only succeeds if the TCP connect succeeds; errors are silenced
    if (echo > "/dev/tcp/$TARGET/$PORT") >/dev/null 2>&1; then
        echo "[+] Port $PORT is OPEN"
    fi
done

echo
echo "[*] Scan complete"

vi is a pain! Type :wq to save your changes.

chmod 777 scan.sh
./scan.sh localhost


This is another common scenario. In many cases a computer will have ports and services open on localhost only. If we can trick the machine into accessing these restricted ports and services via the public IP address, it will almost certainly result in a bug bounty payout.

In this case we are going to set up an ssh tunnel that will allow us to access the webpage that is listening on the localhost interface of our target via a regular web browser on our Kali machine.
