Couch
July 4, 2021•328 words
Couch - THM
Scan the machine with a basic nmap scan (nothing too fancy needed) in order to answer the first question. If you ran a -A scan or just a -sV, you also have the answers to question two, three and four.
Now, onto the researching side of the challenge. Honestly, with no prior experience with CouchDB, I basically ran into Google's arms and kindly encountered the awesome documentation where you can find everything you need. Take a couple of minutes, read it and you should have no issue finding a very interesting "secret" DB, which contains SSH credentials to log into the machine.
Once you have a shell it's time to poke around for a privesc opportunity. Look at the new open ports you can see from this new shell. To more experienced users, port 2375 might mean something. If it doesn't, Google it. It's docker's engine default port. A quick nmap scan (port forward with SSH if you don't have nmap on the target) confirms this hunch.
To see if you can interact with the engine, try:
docker -H tcp://$IP:$PORT images
This should give you a (short) list of available images. Try to mount the filesystem on the container, thus gaining access to the whole system as a root user. To do this, run:
DOCKERHOST=tcp://$IP:$PORT docker run -it -v /:/mnt/host <imagename> /bin/sh
This should give you a new shell with root access. Now be careful, the filesystem of the target machine has been mounted to /mnt/host, so the flag you are looking for is in /mnt/host/root, don't get confused.
After this nice docker escape, you are done. Merry hacking!