Sweettooth Inc

Sweettooth Inc. - THM

There are four open ports. Following the indications of the room, we further analyze the port running the DB. There is a metasploit module that can give you the version running, but it is not able to go past authentication. In order to find a database user, you can check if there are available endpoints under /debug... Mostly two, one gives you a username, the other one a whole lot of informations you will need to carefully look at.

You need the username to answer one of the questions. Another username is hidden in plain sight as it's part of many paths you can see in the second endpoint response (just search for a couple of keywords you extract from the questions and look carefully).

Once you gather both usernames, Google is your friend. There is a brief article explaining how to exploit JWTs to gain unauthorized access to the DBMS. Careful, only the first username is valid to construct a custom JWT, the other user doesn't seem to be registered on the DB. Once you have access you can just query what you need as you would do with any other DB, either create a user and connect remotely or use curl as explained in the docs of the DB. Very conveniently, besides the rest of the answers you need for this section of the room, you can also gather SSH credentials inside one of the DBs.

Get your first flag and then take a look around. Weird files reside in the root directory, read those and you will notice an open port exposing the docker engine. Set up a port forward and analyze the exposed engine. Let's suppose you set up port forwarding on your local port 8000 using SSH, you can now run commands by doing (on your local machine):

docker -H tcp://localhost:8000 exec <container name> <command>

To find out the container name run

docker -H tcp://localhost:8000 ps

Any reverse shell command should give you a root shell.

Grab the second flag and take a look at the disk partition. As you are now root you are allowed to mount that 15 GB filesystem that looks like the underlying OS. Run this:

mount /dev/<name of the partition> /<path to a folder you created>

You now have full access to the machine, and the last flag is yours. Merry hacking!


You'll only receive email when they publish something new.

More from emacab98