CouchDB (TryHackMe)

This engagement involved exploiting an unauthenticated CouchDB instance to obtain credentials, followed by leveraging a misconfigured Docker API to achieve full system compromise.

Reconnaissance

Port scanning revealed the following services:

The exposed CouchDB service suggested a potential API attack surface, particularly if authentication was not enforced.

Initial Findings

The CouchDB instance was accessible without authentication, allowing database enumeration through the web interface.

Credentials were discovered within an internal database:

Key Finding: Unauthenticated CouchDB Access

The database service was exposed without authentication, allowing attackers to enumerate data and extract sensitive credentials.

This misconfiguration provided a direct path to system access via credential reuse.

Exploitation

SSH access was obtained using the discovered credentials. Post-access enumeration revealed a Docker command in the user's bash history, indicating the Docker API was exposed locally.

By interacting with the Docker daemon on port 2375 (the plain-TCP API endpoint, which performs no authentication unless TLS client certificates are configured), a privileged container was launched with the host filesystem bind-mounted at /mnt, allowing full access to the system.

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
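As an added detection example (not part of the original writeup), the following Python parses shell-history lines such as the command above and flags the combination that made the escape possible: a daemon reached over TCP, --privileged, host namespaces, and a bind mount of the host root. The sample history lines are constructed; the second one mirrors the quoted command.

```python
import shlex
from typing import Dict, List

# Constructed shell-history sample (not from the original engagement); line 2 mirrors
# the docker invocation quoted in the writeup, the others are benign or partial cases.
SAMPLE_HISTORY = [
    "ls -la /opt",
    "docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine",
    "docker run --rm -v ./data:/data alpine ls /data",
    "docker --host tcp://10.0.0.5:2375 run --mount type=bind,source=/,target=/host -it ubuntu",
]

# Flags whose value may follow as a separate token (docker accepts both "-v X" and "--net=host").
VALUE_FLAGS = {"-H", "--host", "-v", "--volume", "--mount", "--net", "--network", "--pid", "--ipc"}


def _binds_host_root(flag: str, value: str) -> bool:
    """True when a -v/--volume spec or a --mount spec bind-mounts the host root (/)."""
    if flag == "--mount":
        opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        return opts.get("type") == "bind" and opts.get("source", opts.get("src")) == "/"
    return value.split(":", 1)[0] == "/"


def assess_docker_command(line: str) -> List[str]:
    """Return the risk indicators found in one shell-history line; [] when none apply."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command we can parse
        return []
    if not argv or argv[0] != "docker":
        return []
    findings, i = [], 1
    while i < len(argv):
        flag, _, value = argv[i].partition("=")
        if flag in VALUE_FLAGS and not value:  # value given as the next token
            if i + 1 >= len(argv):
                break
            value, i = argv[i + 1], i + 1
        if flag in ("-H", "--host") and not value.startswith(("unix://", "fd://")):
            findings.append(f"daemon reached over TCP at {value} (no client auth without TLS)")
        elif flag in ("-v", "--volume", "--mount") and _binds_host_root(flag, value):
            findings.append("host root filesystem bind-mounted into the container")
        elif flag in ("--net", "--network", "--pid", "--ipc") and value == "host":
            findings.append(f"{flag}=host shares a host namespace")
        elif flag == "--privileged":
            findings.append("--privileged removes container isolation")
        i += 1
    return findings


def scan_history(lines: List[str]) -> Dict[str, List[str]]:
    """Map each history line that carries at least one indicator to its findings."""
    return {line: hits for line in lines if (hits := assess_docker_command(line))}
```

The same parser can be pointed at auditd execve records or a container runtime's audit log; a single line that combines a TCP daemon, --privileged and a root bind mount is the pattern worth alerting on.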

Impact

The combination of an unauthenticated CouchDB instance and an exposed Docker API resulted in full system compromise. An attacker could retrieve sensitive credentials, gain SSH access, and escalate privileges to root without significant resistance.

In a real-world environment, this level of access would allow complete control over the host system, including data exfiltration, service manipulation, and persistence. The exposed Docker daemon effectively granted root-level access to the underlying infrastructure.