TryHackMe - Couch
Description
Hello hackers, I hope you are doing well. We are doing Couch from TryHackMe.
Enumeration
nmap
We start a nmap scan using the following command: sudo nmap -sC -sV -T4 -p- {target_IP}.
-sC: run all the default scripts.
-sV: Find the version of services running on the target.
-T4: Aggressive scan to provide faster results.
-p-: Scan all ports.
1
2
3
4
5
6
7
8
9
10
11
12
Nmap scan report for 10.10.49.174
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
| 256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
|_ 256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
5984/tcp open http CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are two open ports, 22 running OpenSSH and 5984 running CouchDB.
We can connect to CounchDB simply using our browser. Let’s navigate to it.
I Googled for couchdb pentest and found this article explaining how to do so.
Let’s navigate to _utils.
We found called secret. Clicking on it redirects us to the following page.
Now clicking on the value, we go to a page where we find a username and password.
Foothold
Using the credentials we found, let’s connect to the machine via ssh.
Privilege Escalation
Checking the files of atena’s home directory, we find that the history file is not empty.
If we check it, we find the following command:
1
docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
This one looks like the command we use to escalate privileges if we can run docker as root.
Let’s run it and see what happens.
Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).