> For the complete documentation index, see [llms.txt](https://cybersec.th4ntis.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersec.th4ntis.com/hackthebox/starting-point/tier-1/funnel.md).

# Funnel

## Initial Scan

```nmap
sudo nmap -T4 -Pn -sV -sC -v 10.129.246.65 -oA Funnel
```

<figure><img src="/files/7MGWIIXZb9UpaAXvNvQl" alt=""><figcaption></figcaption></figure>

## Task 1

How many TCP ports are open?

Answer: 2

## Task 2

What is the name of the directory that is available on the FTP server?

<figure><img src="/files/t2ltM3Q8bHwS1GLAzdQT" alt=""><figcaption></figcaption></figure>

Answer: mail\_backup

## Task 3

What is the default account password that every new member on the "Funnel" team should change as soon as possible? - Look in the .pdf file from the FTP server.

<figure><img src="/files/fa6xHhLtTg3gio5nohMY" alt=""><figcaption></figcaption></figure>

Answer: funnel123#!#

## Task 4

Which user has not changed their default password yet?

<figure><img src="/files/i2vOCWCKgDiBZB9WIl8u" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/b9koV2As7GHa5U7ARfM4" alt=""><figcaption></figcaption></figure>

Answer: christine

## Task 5

Which service is running on TCP port 5432 and listens only on localhost?

<figure><img src="/files/Z3Yx7BY2oldzb6rL0vVA" alt=""><figcaption></figcaption></figure>

Answer: postgresql

## Task 6

Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?

Answer: local port tunneling

## Task 7

What is the name of the database that holds the flag?

<figure><img src="/files/zewujYgwvzyaQJNpxlP8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4xPXQdZKLgdFNm4NWumk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jVr0T4HYC3SZbSmQSpHg" alt=""><figcaption></figcaption></figure>

Answer: Secrets

## Task 8

Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

Answer: Yes

## Task 9

Submit Root Flag

<figure><img src="/files/JbDnjlhMrLWSO5lrTuVB" alt=""><figcaption></figcaption></figure>

Answer: cf277664b1771217d7006acdea006db1


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://cybersec.th4ntis.com/hackthebox/starting-point/tier-1/funnel.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.