Hack into a vulnerable database server that collects and stores data in JSON-based document formats, in this semi-guided challenge.
- Nmap scan result : nmap -sV -A -O 10.10.86.117
nmap -p- 10.10.86.117
2 ports are open. and the second port has a service couchdb.
- browse the port 5984 : http://10.10.86.117:5984/
- Research the couchdb service.
After some research we got an overview about couchdb. The path for the web administration tool is "_utils"
http://10.10.42.146:5984/_utils/
Path for list all databases in the web browser of the data management system is _all_dbs
- Looking for any credentials.
Checking all the databases , given me some useful credentials.
It is inside the "secret" database.
- Foothold
By using the credentials we can try to login ssh.
Now we have a foothold in the machine. From here we can get the user.txt flag.
- Privilege Escalation
Searching in so many methods of privilege escalation. I found nothing, then listing all the files inside the atena's directory I saw the bash_history is not empty.
cat .bash_history
From bash_history we got the above command of docker. So by running it we get root privilege and by this we get the root flag.
