TryHackMe Writeups Couch at Main The Debarghya TryHackMe Writeups
TryHackMe Writeups Couch at Main The Debarghya TryHackMe Writeups
TryHackMe Writeups Couch at Main The Debarghya TryHackMe Writeups
• IP = 10.10.178.121
Questions/Tasks:
• Tried to scan that particular port with Nmap, and Bingo!! We found a valid open
port...
• nmap -sC -sV 10.10.178.121 -p22,5984
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-01 00:05 IST
Nmap scan report for 10.10.178.121
Host is up (0.56s latency).
Ans-2
Ans-Couchdb
Ans-5984
Ans-1.6.1
• Next we visit the CouchDb docs, where searching for administration gives us the
_utils directory.
5. What is the path for the web administration tool for this database management
system?
Ans-_utils
6. What is the path to list all databases in the web browser of the database
management system?
Ans-_all_dbs
Ans-atena:t4qfzcc4qN##
• SSH into the server using atena as username and t4qfzcc4qN## as password:
Ans-THM{1ns3cure_couchdb}
• Firstly we can check for sudo permissions with sudo -l , but no luck, we can't
run sudo as atena�
�
• Next we check for SUID binaries with find / -perm -4000 -type f 2>/dev/null
but no interesting binaries found too�
�
• Checking the .bash_history file, we find this:
• Now look carefully docker is running an alpine image which contains the root.txt
since it was mounted as a volume
• Hence we can run the same command to get into the docker container and
probably find root.txt.
• Run docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v
/:/mnt alpine
• Where,
• Hence you'll get an interactive root shell inside the container with the main
filesystem mounted to /mnt of container filesystem.
• Find the flag at /mnt/root/root.txt
Ans-THM{RCE_us1ng_Docker_API}