HackTheBox - Registry
Let's start off with a simple nmap scan followed by a full port scan. First, let's ping the machine to check whether it is up.
We will keep the all-port scan running in the background and proceed with enumeration. Let's add the virtual host name, i.e. docker.registry.htb, to the /etc/hosts file.
After running a bunch of gobuster scans, I was able to identify a few endpoints on docker.registry.htb and registry.htb.
Docker API v2 found on the following endpoint: https://docker.registry.htb/v2/
Note: Blob - A Binary Large OBject is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob.
We can pentest the v2 API using the referenced website below to download a bunch of blob objects and extract them to look for sensitive information.
We can download each fsLayer using the following URL, appending each blobSum to it.
This is one way to download all the files and examine them; alternatively, we can configure Docker to use this registry by adding the CA to our Docker certificate store.
One of the blobs contains a private SSH key, and we can use that key to get access as the bolt user on the target machine. The key is passphrase-protected, and the passphrase was also found in one of the blobs.
Working on it !!
One of the blobs gave us a private key to connect to the target machine via SSH; the passphrase for it came from another blob.
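The leaked key and passphrase above are exactly what an image-layer audit should catch before an image is pushed to a registry. The following is an added example, not part of the original write-up: it lists the blobSum digests from a v2 (schema 1) manifest and scans a downloaded layer blob (a gzipped tar) for private keys and password assignments. The manifest, file names and file contents are constructed for the example.

```python
"""Audit a Docker v2 image layer (gzipped tar) for leaked secrets.

Added example, not from the original write-up. The registry manifest's
"fsLayers" entries carry a "blobSum" digest per layer; once a layer blob is
fetched it is a gzipped tar that can be inspected offline.
"""
import io
import json
import re
import tarfile

# Deliberately small pattern set for the example; extend for real audits.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)pass(?:word|wd)?\s*[:=]\s*\S+"),
}


def layer_digests(manifest_json: str) -> list[str]:
    """Return the blobSum digest of every fsLayer in a schema-v1 manifest."""
    manifest = json.loads(manifest_json)
    return [layer["blobSum"] for layer in manifest.get("fsLayers", [])]


def scan_layer(layer_blob: bytes, max_file_size: int = 1 << 20) -> list[tuple[str, str]]:
    """Walk a gzipped tar layer and report (member_path, finding_type) pairs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_blob), mode="r:gz") as tar:
        for member in tar:
            # Skip directories, symlinks and oversized files (binaries, archives).
            if not member.isfile() or member.size > max_file_size:
                continue
            data = tar.extractfile(member).read()
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, kind))
    return findings


def build_sample_layer() -> bytes:
    """Constructed layer: a fake SSH key, a config with a password, a binary."""
    files = {
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n",
        "etc/app/config.yml": b"db_user: app\ndb_password: placeholder-secret\n",
        "usr/bin/true": b"\x7fELF placeholder binary",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    sample_manifest = json.dumps({"fsLayers": [{"blobSum": "sha256:" + "a" * 64}]})
    print("layers:", layer_digests(sample_manifest))
    for path, kind in scan_layer(build_sample_layer()):
        print(f"{kind}: {path}")
```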
Now we can connect to the machine as the bolt user via SSH. The command we are going to use:
Now that we have a shell, we can look around for anything interesting; I found this bolt.db file under /var/www/html/bolt/app/database.
We can transfer it to our machine by setting up a Python HTTP server, as sqlite3 is not installed on the target system.
We will use John the Ripper to crack the hash.
Credentials found - admin:strawberry
Now we can see that www-data has sudo privileges by looking at the following file.
So we can try to get a shell as www-data, since we have the admin username and password for the Bolt website. There is also a Bolt Remote Code Execution vulnerability present, but it requires us to be authenticated first.
After logging in, we need to allow the app to accept .php file extensions. To do that, go to Configuration -> Main Configuration, change the accepted file types to include php, and now we can upload a shell.php file to the website.
Let's get a reverse shell as www-data.
For some reason, we can't get a connection back because of the configured firewall rules. If you want to check the config file, look at /etc/iptables.conf.
All outgoing traffic to the 10.0.0.0/8 subnet is set to DROP, i.e. it won't give us any remote connections.
What we can do is first upload a shell.php file and then give Read, Write and Execute permission on the /var/www/html/bolt directory.
After that we can create another shell.php file in that directory, so that we no longer have to upload the shell file again and again.
Now, as we already have a shell as the bolt user, we can use netcat to listen on any port locally and then connect to it using the shell.php file. Follow along:
And we have a shell as www-data.
What we can do here is forward port 8000 on the target to port 8000 on our machine. The main intention is to set up a rest-server on our machine, and since the firewall rules block any outgoing connection, we need to forward the port.
We can use SSH to forward the port (a trick from IppSec): press Enter and then type ~C to open the SSH escape command line.
I downloaded rest-server from the GitHub repo. Link: https://github.com/restic/rest-server
First we need to initialize a repository using the following directory.
Now we can check all the snapshots on the demo1 directory.
We can mount the snapshot using the restore command.
And we are root :))