
Couch TryHackMe


Nmap Scan


It's my first time hearing about CouchDB, and I found out that it's an open-source NoSQL database built on common web standards, so it can be accessed from a browser and works with a wide variety of devices ...

Scan the machine. How many ports are open? 2

What is the database management system installed on the server? couchdb

What port is the database management system running on? 5984

What is the version of the management system installed on the server? 1.6.1

Browsing to gives us the following JSON message:


Search Exploit


Since it was my first time hearing about CouchDB, I had to search the docs, especially for the server's URL structure, and I found that the path to the web administration tool for this database management system is /_utils.

What is the path to list all databases in the web browser of the database management system? /_all_dbs

BTW! I also tried to run gobuster, but it was useless since I had already figured out the path to the web administration tool 😅


And if you browse to it will lead you into a database that contains credentials
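As an added example (not part of the original writeup), here is a small Python audit of a CouchDB 1.x local.ini that flags the three settings which let a database like this one be read without any credentials: a bind address on all interfaces, require_valid_user left off, and an empty [admins] section (CouchDB 1.x "Admin Party", where every request is treated as an admin's). Both ini samples are constructed; the hashed admin value is a placeholder, not a real hash.

```python
import configparser
from typing import List

# Constructed sample of a CouchDB 1.x local.ini left at defaults except for the
# bind address (illustrative, not the configuration of the TryHackMe box).
WEAK_INI = """\
[httpd]
port = 5984
bind_address = 0.0.0.0

[couch_httpd_auth]
require_valid_user = false

[admins]
; empty section: CouchDB 1.x "Admin Party", every request runs as an admin
"""

# Constructed hardened counterpart. CouchDB rewrites a plaintext admin password
# into a salted hash on startup; the value below is only a placeholder.
HARDENED_INI = """\
[httpd]
port = 5984
bind_address = 127.0.0.1

[couch_httpd_auth]
require_valid_user = true

[admins]
admin = -hashed-PLACEHOLDER_HASH,PLACEHOLDER_SALT
"""


def audit_couchdb_ini(ini_text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks pass."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    findings = []

    # CouchDB 1.x defaults to 127.0.0.1; anything else exposes /_utils and
    # /_all_dbs to the network, which is how the credential database was found.
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    if bind not in ("127.0.0.1", "::1"):
        findings.append(f"[httpd] bind_address = {bind}: HTTP API reachable from the network")

    # Without this, unauthenticated requests can still read databases that have
    # no per-database security object.
    rvu = cp.get("couch_httpd_auth", "require_valid_user", fallback="false").strip().lower()
    if rvu != "true":
        findings.append("[couch_httpd_auth] require_valid_user is not true: anonymous reads allowed")

    # No admins at all means every request is an admin request (Admin Party).
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    if not admins:
        findings.append("[admins] is empty: server is in Admin Party mode")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_couchdb_ini(ini) or ["no findings"])
```

Run against a real 1.x install by reading local.ini from the CouchDB etc directory and passing the text to audit_couchdb_ini; the three checks correspond to the three ways this box could be read with a bare browser.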



I used the credentials I had just found to log into the server over SSH, and you can find the user flag in the home directory /home/atena:

ssh atena@


I tried opening the .bash_history file, and it was not empty:


And you can see that the user removed the flag directory that was in /root and put the file into a Docker container.

So I decided to run the exact same command, and I was inside a Docker container:

docker -H run --rm -it --privileged --net=host -v /:/mnt alpine


And since I was in the root directory of the container, with the host's filesystem mounted at /mnt, I ran a find command and found the root.txt file (FLAG) 🎉:
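As an added example, not part of the original writeup, here is a defender-side Python check for the two things the .bash_history revealed: a Docker daemon reachable over plain TCP (the -H in the command) and a docker run that is --privileged or bind-mounts the host root, which hands whoever can issue it the host's whole filesystem. The history lines and daemon.json samples are constructed; the IP address and certificate paths are placeholders.

```python
import json
import re
import shlex
from typing import Dict, List

# Constructed sample shell-history lines (not from the target machine); the
# second line mirrors the shape of the command found in the writeup.
SAMPLE_HISTORY = [
    "ls -la",
    "docker -H tcp://192.0.2.10:2375 run --rm -it --privileged --net=host -v /:/mnt alpine",
    "docker run --rm -it -v ./data:/data alpine",
    "docker run -d --privileged nginx",
    "docker run -it --volume /:/host ubuntu",
]

# A bind-mount spec whose source is the host root: "/:/mnt", "/:/host:ro", ...
HOST_ROOT_MOUNT = re.compile(r"^/:(/|$)")


def classify_docker_cmd(cmd: str) -> Dict[str, bool]:
    """Return risk indicators for one command line (all False if not `docker run`)."""
    flags = {"is_docker_run": False, "remote_daemon": False,
             "privileged": False, "host_net": False, "host_root_mount": False}
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: not parseable, report nothing
        return flags
    if not argv or argv[0] != "docker" or "run" not in argv:
        return flags
    flags["is_docker_run"] = True
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in ("-H", "--host"):          # daemon address given as separate token
            flags["remote_daemon"] |= nxt.startswith("tcp://")
            i += 2
            continue
        if tok.startswith("-H=") or tok.startswith("--host="):
            flags["remote_daemon"] |= tok.split("=", 1)[1].startswith("tcp://")
        elif tok == "--privileged":          # all capabilities, no device cgroup limits
            flags["privileged"] = True
        elif tok in ("--net=host", "--network=host"):
            flags["host_net"] = True
        elif tok in ("--net", "--network"):
            flags["host_net"] |= nxt == "host"
            i += 1
        elif tok in ("-v", "--volume"):
            flags["host_root_mount"] |= bool(HOST_ROOT_MOUNT.match(nxt))
            i += 1
        elif tok.startswith("-v=") or tok.startswith("--volume="):
            flags["host_root_mount"] |= bool(HOST_ROOT_MOUNT.match(tok.split("=", 1)[1]))
        i += 1
    return flags


def risky_history_lines(lines: List[str]) -> List[str]:
    """Lines worth alerting on: --privileged or a host-root bind mount each lets
    the container read and write the host's filesystem as root."""
    return [line for line in lines
            if (f := classify_docker_cmd(line))["privileged"] or f["host_root_mount"]]


# Constructed /etc/docker/daemon.json samples. "hosts", "tlsverify", "tlscacert",
# "tlscert" and "tlskey" are real dockerd keys; the paths are placeholders.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_json(text: str) -> List[str]:
    """Flag a TCP listener that does not require client certificates."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"dockerd listens on {', '.join(tcp_hosts)} without tlsverify: "
                "anyone who can reach the port controls the host as root"]
    return []


if __name__ == "__main__":
    for line in risky_history_lines(SAMPLE_HISTORY):
        print("ALERT:", line, classify_docker_cmd(line))
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
```

Feed risky_history_lines the lines of each user's .bash_history or the EXECVE records from auditd, and run audit_daemon_json over /etc/docker/daemon.json on every Docker host; the combination in this box (open TCP daemon plus a privileged host-root mount) is exactly what the two checks together catch.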


Thanks for reading!!!

