Couch
Date: 01, July, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
Enumeration
Nmap
$ nmap -sC -sV -p- 10.10.15.199 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:01 IST
Nmap scan report for 10.10.15.199
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
| 256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
|_ 256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
5984/tcp open http CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 473.15 seconds
How many ports are open?
Answer: 2
What is the database management system installed on the server?
Answer: CouchDB
What port is the database management system running on?
Answer: 5984
What is the version of the management system installed on the server?
Answer: 1.6.1
Administration tool
What is the path for the web administration tool for this database management system?
Answer: _utils

What is the path to list all databases in the web browser of the database management system?
Answer: _all_dbs
What are the credentials found in the web administration tool?
The credentials can be found inside secretcollection.

User.txt
Log in to SSH using the credentials found:
Privilege Escalation
Do manual enumeration - check the following for Privilege Escalation:
Sudo Permissions
SUID binaries
Cron Jobs
Backup files
History files
Config files
Running Processes (ps aux)
By checking the bash history file:
Run docker in privileged mode, to get root access:
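Seen from the defending side, the bash history file is what exposed the privileged Docker usage here. The audit script below is an added example, not part of the original write-up; the function names, the regular expression and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shell history files for privileged container launches.
# The sample history lines below are constructed, not taken from the target host.

# "docker" as a command word with --privileged later in the same command.
PRIV_RE='(^|[;&|]|[[:space:]])docker[[:space:]]([^;&|]*[[:space:]])?--privileged([[:space:]=]|$)'

# Print "file:line:text" for every history entry that matches PRIV_RE.
flag_privileged_docker() {
    grep -HnE -e "$PRIV_RE" "$1" || true
}

# Succeed only when group and other have no permission bits on the file.
history_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Audit every history file passed as an argument.
audit_histories() {
    for hist in "$@"; do
        [ -f "$hist" ] || continue
        history_is_private "$hist" || echo "$hist: readable or writable by group/other"
        flag_privileged_docker "$hist"
    done
}

# Constructed sample so the script can be run offline.
sample=$(mktemp)
chmod 644 "$sample"
cat > "$sample" <<'EOF'
ls -la
docker ps
sudo docker run --rm --privileged=true example/image sh
grep privileged docker-compose.yml
docker run example/image; echo --privileged
EOF
audit_histories "$sample"
rm -f "$sample"
```

On a real host, pass the history files to review as arguments, for example `audit_histories /root/.bash_history /home/*/.bash_history`.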
Root.txt