[{"data":1,"prerenderedAt":444},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-couch-writeup":3,"surround-\u002F2025\u002Ftryhackme-couch-writeup":435},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"draft":6,"readingTime":14,"body":19,"_type":428,"_id":429,"_source":430,"_file":431,"_stem":432,"_extension":433,"_original_dir":434},"\u002F2025\u002Ftryhackme-couch-writeup","2025",false,"","TryHackMe - Couch","This post provides a step-by-step write-up for the TryHackMe 'Couch' room. Learn how to find credentials in a CouchDB database and escalate privileges to root by leveraging an insecure Docker port.","2025-10-22T06:11:23.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.255,75300,251,{"type":20,"children":21,"toc":422},"root",[22,28,44,51,56,151,155,184,207,211,217,221,234,238,244,257,261,275,279,299,303,316,375,411,416],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fcouch",[40],"nofollow",[42],{"type":33,"value":43},"10.10.132.174",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":29,"props":52,"children":53},{},[54],{"type":33,"value":55},"First, let's perform an Nmap scan and convert the output into a more readable format.",{"type":23,"tag":57,"props":58,"children":62},"pre",{"className":59,"code":60,"language":61,"meta":7,"style":7},"language-bash shiki shiki-themes 
catppuccin-latte one-dark-pro","nmap -p- -sCV --open -Pn -n 10.10.132.174 -T4 -oX Desktop\u002FnmapFullScan.xml\nxsltproc ~\u002FDesktop\u002FnmapFullScan.xml -o NmapScan.html\n","bash",[63],{"type":23,"tag":64,"props":65,"children":66},"code",{"__ignoreMap":7},[67,127],{"type":23,"tag":68,"props":69,"children":72},"span",{"class":70,"line":71},"line",1,[73,79,85,90,95,100,105,111,116,121],{"type":23,"tag":68,"props":74,"children":76},{"style":75},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[77],{"type":33,"value":78},"nmap",{"type":23,"tag":68,"props":80,"children":82},{"style":81},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[83],{"type":33,"value":84}," -p-",{"type":23,"tag":68,"props":86,"children":87},{"style":81},[88],{"type":33,"value":89}," -sCV",{"type":23,"tag":68,"props":91,"children":92},{"style":81},[93],{"type":33,"value":94}," --open",{"type":23,"tag":68,"props":96,"children":97},{"style":81},[98],{"type":33,"value":99}," -Pn",{"type":23,"tag":68,"props":101,"children":102},{"style":81},[103],{"type":33,"value":104}," -n",{"type":23,"tag":68,"props":106,"children":108},{"style":107},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[109],{"type":33,"value":110}," 10.10.132.174",{"type":23,"tag":68,"props":112,"children":113},{"style":81},[114],{"type":33,"value":115}," -T4",{"type":23,"tag":68,"props":117,"children":118},{"style":81},[119],{"type":33,"value":120}," -oX",{"type":23,"tag":68,"props":122,"children":124},{"style":123},"--shiki-default:#40A02B;--shiki-dark:#98C379",[125],{"type":33,"value":126}," Desktop\u002FnmapFullScan.xml\n",{"type":23,"tag":68,"props":128,"children":130},{"class":70,"line":129},2,[131,136,141,146],{"type":23,"tag":68,"props":132,"children":133},{"style":75},[134],{"type":33,"value":135},"xsltproc",{"type":23,"tag":68,"props":137,"children":138},{"style":123},[139],{"type":33,"value":140}," 
~\u002FDesktop\u002FnmapFullScan.xml",{"type":23,"tag":68,"props":142,"children":143},{"style":81},[144],{"type":33,"value":145}," -o",{"type":23,"tag":68,"props":147,"children":148},{"style":123},[149],{"type":33,"value":150}," NmapScan.html\n",{"type":23,"tag":24,"props":152,"children":154},{"src":153},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":156,"children":157},{},[158,160,166,168,174,176,182],{"type":33,"value":159},"When we open the generated ",{"type":23,"tag":64,"props":161,"children":163},{"className":162},[],[164],{"type":33,"value":165},"html",{"type":33,"value":167}," file, we see that ports ",{"type":23,"tag":64,"props":169,"children":171},{"className":170},[],[172],{"type":33,"value":173},"22",{"type":33,"value":175}," and ",{"type":23,"tag":64,"props":177,"children":179},{"className":178},[],[180],{"type":33,"value":181},"5984",{"type":33,"value":183}," are open. Upon researching CouchDB, we find that it is a NoSQL database developed by Apache.",{"type":23,"tag":29,"props":185,"children":186},{},[187,189,198,200],{"type":33,"value":188},"After some research, we discover that the service has a web interface in the ",{"type":23,"tag":64,"props":190,"children":195},{"className":191,"id":193,"style":194},[192],"example-info","just-like-this","color: #4DFFBE",[196],{"type":33,"value":197},"_utils",{"type":33,"value":199}," directory. 
",{"type":23,"tag":36,"props":201,"children":204},{"href":202,"rel":203},"https:\u002F\u002Fcouchdb.apache.org\u002Ffauxton-visual-guide\u002Findex.html",[40],[205],{"type":33,"value":206},"see",{"type":23,"tag":24,"props":208,"children":210},{"src":209},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F3.jpg",[],{"type":23,"tag":45,"props":212,"children":214},{"id":213},"initial-access",[215],{"type":33,"value":216},"Initial Access",{"type":23,"tag":24,"props":218,"children":220},{"src":219},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F4.gif",[],{"type":23,"tag":29,"props":222,"children":223},{},[224,226,232],{"type":33,"value":225},"From here, we obtain the credentials ",{"type":23,"tag":64,"props":227,"children":229},{"className":228,"id":193,"style":194},[192],[230],{"type":33,"value":231},"atena:t4qfzcc4qN##",{"type":33,"value":233},". Now, let's try to log in via SSH with them.",{"type":23,"tag":24,"props":235,"children":237},{"src":236},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F5.jpg",[],{"type":23,"tag":45,"props":239,"children":241},{"id":240},"privilege-escalation",[242],{"type":33,"value":243},"Privilege Escalation",{"type":23,"tag":29,"props":245,"children":246},{},[247,249,255],{"type":33,"value":248},"To escalate our privileges, let's upload ",{"type":23,"tag":64,"props":250,"children":252},{"className":251},[],[253],{"type":33,"value":254},"linpeas.sh",{"type":33,"value":256}," to the target machine. 
We'll grant the necessary permissions and execute it.",{"type":23,"tag":24,"props":258,"children":260},{"src":259},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F6.jpg",[],{"type":23,"tag":29,"props":262,"children":263},{},[264,266,273],{"type":33,"value":265},"Here, the ",{"type":23,"tag":64,"props":267,"children":270},{"className":268,"id":193,"style":269},[192],"color: #efb11d",[271],{"type":33,"value":272},"2375:docker",{"type":33,"value":274}," service, which is only accessible locally, catches our attention.",{"type":23,"tag":24,"props":276,"children":278},{"src":277},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":280,"children":281},{},[282,284,290,292],{"type":33,"value":283},"And when we read the ",{"type":23,"tag":64,"props":285,"children":287},{"className":286},[],[288],{"type":33,"value":289},".bash_history",{"type":33,"value":291}," file in the user's directory, we see the following Docker command. This looks very similar to a Docker privilege escalation technique. ",{"type":23,"tag":36,"props":293,"children":296},{"href":294,"rel":295},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fdocker\u002F",[40],[297],{"type":33,"value":298},"see.",{"type":23,"tag":24,"props":300,"children":302},{"src":301},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-couch-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":304,"children":305},{},[306,308,314],{"type":33,"value":307},"However, we don't get anything when we use the shell command from GTFOBins because we don't have the necessary permissions and are not in the ",{"type":23,"tag":64,"props":309,"children":311},{"className":310},[],[312],{"type":33,"value":313},"docker",{"type":33,"value":315}," group. 
But why can the following command make us root?",{"type":23,"tag":57,"props":317,"children":319},{"className":59,"code":318,"language":61,"meta":7,"style":7},"docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v\u002F:\u002Fmnt alpine\n",[320],{"type":23,"tag":64,"props":321,"children":322},{"__ignoreMap":7},[323],{"type":23,"tag":68,"props":324,"children":325},{"class":70,"line":71},[326,330,335,340,345,350,355,360,365,370],{"type":23,"tag":68,"props":327,"children":328},{"style":75},[329],{"type":33,"value":313},{"type":23,"tag":68,"props":331,"children":332},{"style":81},[333],{"type":33,"value":334}," -H",{"type":23,"tag":68,"props":336,"children":337},{"style":123},[338],{"type":33,"value":339}," 127.0.0.1:2375",{"type":23,"tag":68,"props":341,"children":342},{"style":123},[343],{"type":33,"value":344}," run",{"type":23,"tag":68,"props":346,"children":347},{"style":81},[348],{"type":33,"value":349}," --rm",{"type":23,"tag":68,"props":351,"children":352},{"style":81},[353],{"type":33,"value":354}," -it",{"type":23,"tag":68,"props":356,"children":357},{"style":81},[358],{"type":33,"value":359}," --privileged",{"type":23,"tag":68,"props":361,"children":362},{"style":81},[363],{"type":33,"value":364}," --net=host",{"type":23,"tag":68,"props":366,"children":367},{"style":81},[368],{"type":33,"value":369}," -v\u002F:\u002Fmnt",{"type":23,"tag":68,"props":371,"children":372},{"style":123},[373],{"type":33,"value":374}," alpine\n",{"type":23,"tag":29,"props":376,"children":377},{},[378,380,387,389],{"type":33,"value":379},"In this command, we use the ",{"type":23,"tag":64,"props":381,"children":384},{"className":382,"id":193,"style":383},[192],"color: #77BEF0",[385],{"type":33,"value":386},"-H 127.0.0.1:2375",{"type":33,"value":388}," option. 
This option instructs our Docker client to ",{"type":23,"tag":68,"props":390,"children":392},{"className":391,"id":193,"style":194},[192],[393,395,401,403,409],{"type":33,"value":394},"\"connect to the Docker service via TCP port ",{"type":23,"tag":64,"props":396,"children":398},{"className":397},[],[399],{"type":33,"value":400},"2375",{"type":33,"value":402}," at the address 127.0.0.1, instead of using the default ",{"type":23,"tag":64,"props":404,"children":406},{"className":405},[],[407],{"type":33,"value":408},"docker.sock",{"type":33,"value":410}," file.\"",{"type":23,"tag":29,"props":412,"children":413},{},[414],{"type":33,"value":415},"If this command makes us root, it indicates that the Docker daemon on the system is insecurely configured to accept commands over the network without authentication. The daemon normally runs as root, so any local user who can reach the port can have it start a privileged container with the host's root filesystem mounted inside, which is why membership in the docker group was not required. Port 2375 is the default plain text port for Docker without authentication; the daemon should listen only on its Unix socket, or on TCP protected by TLS with client certificate verification.",{"type":23,"tag":417,"props":418,"children":419},"style",{},[420],{"type":33,"value":421},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":423,"depth":423,"links":424},4,[425,426,427],{"id":47,"depth":129,"text":50},{"id":213,"depth":129,"text":216},{"id":240,"depth":129,"text":243},"markdown","content:posts:2025:tryhackme-couch-writeup.md","content","posts\u002F2025\u002Ftryhackme-couch-writeup.md","posts\u002F2025\u002Ftryhackme-couch-writeup","md","\u002Fposts",[436,440],{"_path":437,"title":438,"date":439},"\u002F2025\u002Ftryhackme-archangel-writeup","TryHackMe - Archangel","2025-09-08T17:50:48.000Z",{"_path":441,"title":442,"date":443},"\u002F2025\u002Ftryhackme-publisher-writeup","TryHackMe - Publisher","2025-10-23T16:16:07.000Z",1777022958782]