In this walk-through, we covered finding vulnerabilities in InfluxDB in addition to Docker exploitation.

Sweettooth Inc. needs your help to find out how secure their system is!


InfluxDB Exploitation

My first step was to run an Nmap scan, which showed me that InfluxDB version 1.3.0 was running on port 8086. I found a zero-day exploit for this version that let me leak a username by accessing a specific URL.

With the username, I crafted a JSON Web Token (JWT) to authenticate with the database. I made sure to set the expiration date far in the future so it wouldn’t expire on me.

Using this token with a curl command, I was able to query the database. I found several databases, including “credentials,” “docker,” “tanks,” and “mixer.”

Getting Information from the Database

Now that I had access, I started digging for information. I found the database user and then queried the “tanks” database to find the water tank’s temperature at a specific time.

Next, I looked at the “mixer” database to find the highest RPM of the mixer’s motor. Finally, I explored the “creds” database and found a username and password for SSH.

Docker Exploitation and Root Access

I used the credentials I found to SSH into the machine on port 2222. I discovered that the docker.sock file was writable by the group I was in, which meant I could probably exploit Docker.

I used netstat to find an internal service running on port 8080 that wasn’t exposed to the outside world. I set up an SSH tunnel to access this service from my own machine, which gave me access to the Docker containers.

I then created a bash reverse shell script, hosted it on a Python HTTP server on my machine, and used wget inside the Docker container to download it. After setting up a Netcat listener, I executed the script and got a root shell!
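The group-writable docker.sock described above is the condition a host owner would want to catch first. The following audit function is an added example, not part of the original walk-through; it assumes GNU stat and getent are available, and the function name and return codes are my own.

```shell
#!/bin/sh
# Added example (not from the original walk-through): audit write access to
# the Docker socket. Assumes GNU stat; getent is used only to list members.

# audit_docker_sock [PATH]
# Returns: 0 = only the owner can write, 1 = group-writable (review members),
#          2 = world-writable, 3 = path missing.
audit_docker_sock() {
    sock="${1:-/var/run/docker.sock}"
    if [ ! -e "$sock" ]; then
        echo "MISSING  $sock"
        return 3
    fi
    mode=$(stat -c '%a' "$sock")    # octal permission bits, e.g. 660
    owner=$(stat -c '%U' "$sock")
    group=$(stat -c '%G' "$sock")
    echo "INFO     $sock mode=$mode owner=$owner group=$group"

    # World-writable: every local account can drive the Docker daemon.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "CRITICAL $sock is world-writable"
        return 2
    fi
    # Group-writable: each member of the group is effectively root on the
    # host, because the daemon will start containers with host paths mounted.
    if [ $(( 0$mode & 0020 )) -ne 0 ]; then
        members=$(getent group "$group" 2>/dev/null | cut -d: -f4)
        echo "WARN     $sock is writable by group '$group'"
        echo "         supplementary members: ${members:-<none listed>}"
        return 1
    fi
    echo "OK       only $owner can write to $sock"
    return 0
}

# Audit a path only when the script is invoked with --run [PATH].
if [ "${1:-}" = "--run" ]; then
    audit_docker_sock "${2:-/var/run/docker.sock}"
fi
```

A return code of 1 is the normal state on most Docker hosts, so the useful output is the member list: every account shown there should be one you would also trust with root.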

Getting the Flags 🚩

With root access, I was able to find the user.txt flag in the /home/influxdb directory and the root.txt flag in the /root directory inside the Docker container.

To “escape” the Docker container and get to the host’s file system, I mounted the main partition to a temporary directory inside the container. This gave me access to the host’s file system, where I found the final root.txt flag.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

  • nmap
  • curl
  • show databases
  • query db=tanks
  • show series on
  • select * from water tank
  • select mixer
  • select * from mixer stats
  • select max from motor RPM
  • show series on creds
  • select * from H
  • ssh
  • id
  • whoami
  • ls -la /var/run
  • netstat
  • sudo ssh
  • docker -H tcp://localhost container ls
  • container exec to execute commands
  • ls
  • nano Docker shell
  • wget
  • nc -lvp 4545
  • bash -i
  • pwd
  • cd home CDU Z
  • cat user.txt
  • cd root
  • cat root.txt
  • df -h
  • cd /tmp
  • mkdir Dash
  • mount /dev/xvda1 to Temp mount
  • cd MNC
  • cd to root
  • cat root.txt

TryHackMe Sweettooth Inc Room Answers

Do a TCP portscan. What is the name of the database software running on one of these ports?

What is the database user you find?

What was the temperature of the water tank at 1621346400 (UTC Unix Timestamp)?

What is the highest rpm the motor of the mixer reached?

What username do you find in one of the databases?

user.txt

/root/root.txt
The second /root/root.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.
