It's my first time hearing about CouchDB and i found out that it's an open source NoSQL database based on common standards to facilitate Web accessibility and compatibility with a variety of devices ...
Scan the machine. How many ports are open?
What is the database management system installed on the server?
What port is the database management system running on?
What is the version of the management system installed on the server?
Browsing to http://10.10.123.150:5984/ gives us the following JSON message:
Since it was the first time hearing about CouchDB, I had to search for the docs and specially the URL structure for the server. And I found the path for the web administration tool for this database management system and it's
What is the path to list all databases in the web browser of the database management system?
BTW! I aslo tried to run gobuster but it was useless since i figured out the path for the web administration 😅
And if you browse to http://10.10.123.150:5984/_utils/database.html?secret it will lead you into a database that contains credentials
I used the just found credentials to log into the server over SSH, and you can found the user flag in the home directory
I tried openning the
.bash_history file and it was not empty
And you can see that the user removed the flag directory that was in the
/root and he/she puts the file into a docker container
So I decided to run the exact same command and I was inside a docker container:
docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
And since I'm in the root directory I run a find command and I found the root.txt file (FLAG) 🎉:
Thanks for reading!!!