This is Couch from THM. It’s Easy:
Hack into a vulnerable database server that collects and stores data in JSON-based document formats, in this semi-guided challenge.
This will be brief, because I’m only interested in the privesc (which wasn’t guided).
We’ve SSH’d in as atena and I run linpeas; I don’t get much but do notice:
I port forward 2375 with SSH:
And check in the browser:
I run dirsearch:
And visiting /info gives a lot of information:
The real takeaway is that last bit though:
WARNING: API is accessible on http://127.0.0.1:2375 without encryption
So. What can we do? First, I install the docker CLI in kali:
Then we can list the images:
And then we can get root:
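From the defender's side, the warning quoted above is something you can check for before anyone else does: a Docker API on plain TCP has no authentication, so binding it to 127.0.0.1 still exposes it to every local user. The following is an added example, not part of the original write-up. It flags that warning in a saved `/info` response and finds TCP listeners without `tlsverify` in a `daemon.json`; both sample inputs are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Docker Engine /info response, trimmed to the relevant field.
SAMPLE_INFO = json.dumps({
    "Name": "example-host",
    "Warnings": [
        "WARNING: API is accessible on http://127.0.0.1:2375 without encryption",
        "WARNING: No swap limit support",
    ],
})

# Constructed daemon.json: a TCP listener configured with no TLS settings.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"],
})


def exposed_api_warnings(info_json):
    """Return the /info warnings that report an unprotected API listener."""
    warnings = json.loads(info_json).get("Warnings") or []
    return [w for w in warnings if "API is accessible on" in w]


def insecure_tcp_hosts(daemon_json):
    """Return tcp:// listeners from daemon.json that lack tlsverify."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify") is True:
        return []  # client certificates are required on TCP listeners
    return [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]


def audit(info_json, daemon_json):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"daemon reports: {w}" for w in exposed_api_warnings(info_json)]
    findings += [f"daemon.json listener without tlsverify: {h}"
                 for h in insecure_tcp_hosts(daemon_json)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_DAEMON_JSON):
        print(finding)
```

The fix for either finding is to drop the `tcp://` listener and use the Unix socket, or to enable `tlsverify` with client certificates.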