LINK ROOM: https://tryhackme.com/room/couch
Hi there! Already a few months that I didn’t post any writeups here. I was busy finishing my postgraduate but I am back now 😊
From now I will go out of my comfort zone (web boxes) and try different boxes. In this box, we will try to figure out how the CouchDB works and how we can exploit the docker API.
I will try to put as many details as I can, like that, if you are a beginner, you will be able to understand all the steps to solve this room.
First, let’s figure out what CouchDB is. In this « Getting Started guide » you have all the information that you need to answer all the first questions. => https://guide.couchdb.org/draft/tour.html
Let’s navigate in the web administration tool :
Ok, we have 6 databases, but one kept my interest (the secret one). Let’s check it.
Let’s check its content :
Ahh, we found something interesting there.
As the ssh port (22) is open, we can try to use this credential to connect to this machine. Let’s try it :
It is a piece of cake right? Let’s find the first flag. Normally, it is in the home folder of the user.
Our guess was right! Time to escalate our privileges and take the root flag.
This part took me a while! I tried everything that I knew so far : sudo -l, cron jobs, linpeas, etc. I couldn’t find anything…
Then I checked the file .bash_history to see if I could find a kind of hint.
Let’s cat this file.
Here we have interesting information :
• Who created the room, created a file named root.txt (normally we will find the root flag there). This file is in the root folder.
• He removed the possibility to use sudo with the atena user.
• He used docker with –privileged.
• The name of the image of this container is « alpine ».
So far I never touched docker. I have already watched a video and understand the basics of the basics. By the way, this video is a good introduction made by NetworkChuck => https://www.youtube.com/watch?v=eGz9DS-aIeY
A friend told me that I could check this blog (hacktricks blog) to have more information about how docker works. => https://book.hacktricks.xyz/pentesting/2375-pentesting-docker#basic-information
In this blog I found something interesting :
As we know the name of the image, we can replace the « ubuntu :latest » with « alpine » and try this command :
Ok, we don’t have permission. I realized that I was stuck again…
My friend gave me another idea: do SSH port forwarding of this docker and try to execute this command on my machine.
What is port forwarding? If you never did a port forwarding before (as me at this point) please read this article :
In order to forward a specific port to our machine, we have to use this command (we want to forward port 2375, the default port of docker) :
ssh user@MACHINEIP -L 2375:127.0.0.1:2375
Basically, now we can access this port in our machine using 127.0.0.1 :2375
Let’s go back to the article of HackTricks. They say that we can enumerate this docker with the following command (I use 127.0.0.1 because I forwarded already the port of this machine to mine) :
After they say that we can avoid using the -H parameter using this command :
At this point, I think we set everything that we needed to use the « Fast privilege escalation » command (don’t forget to change the name of the image to alpine).
Niceee, we have root ! Now we can easily take the root flag.
What say about this room? We learned several interesting things thanks to this box: the basics of CouchDB, ssh port forwarding, and docker.
In my point of view, the beginning was easy and straightforward. However, the privilege escalation part was something new for me and I struggled a lot with it.
I would like to thank my friend @p00rduck for helping me figure out the privilege escalation part.
Now it is time for me to learn a bit more about docker !
I hope that my writeup helped you to understand better all the aspects of this CTF. If you want to read more writeups like this one or have any questions, you can find me on Twitter @dropn0w.
Stay safe and keep learning!