Tunnel Cake Challenge

I’m working on “Tunnel Cake” and I’ve successfully stolen credentials. I have 2 questions:

1- I changed the target’s password using the “passwd” command. Did this lab expect us to retrieve the password in another way?

2- For the second part (Nested Tunnels) I’ve tried the commands below:

A: ssh -fN -L 2222:172.16.2.101:22 UserHostB@172.16.1.100 -i key
       ssh -fN -L 8888:127.0.0.1:8888 UserHostB@127.0.0.1 -i key -p 2222

B: ssh -fN -L 8888:127.0.0.1:8888 UserHostB172.16.1.100 ssh -L 8888:127.0.0.1:2222 -N 172.16.2.101
C: ssh -fN -L 8888:127.0.0.1:8888 UserHostB172.16.1.100 ssh -L 8888:127.0.0.1:2222 -N 172.16.2.101 -i key -p 2222

For B and C I got nothing. For the second part of A I got “permission denied”. I was wondering if you could tell me what’s wrong?

Thanks!

Without giving too much away, the expected solution path looks something like this:

- Use Nmap with a vulnerability scan to identify a vulnerable service running on target01.

- Use Metasploit to locate a module related to the vulnerable service, then run that module against the vulnerable service to compromise target01.

- After running the exploit module, you should get root access to target01, which will allow you to obtain the first flag.

- You should also find another user account. Some exploration of this account should reveal additional information that you can use to employ a nested tunnel strategy to access target02.

If you’re having trouble with the Challenge - it is admittedly a bit more complex than some of the others in the Penetration Tester Practice section - I would recommend moving on to a different one.

I want to understand the concept and how it works. Here is my try on this challenge:

I’ll clarify this in the instructions, but “key” is intended to be a placeholder for an actual RSA private key (or the file containing the key) - not the word “key”.

You can get access to the private key by exploring the second user account discovered on target01. You will then need to extract the key to the Kali machine.

Done!
Thank you for your time and consideration!
