[HTB] Registry — Write-up

Welcome to the HTB Registry write-up! This was a hard-difficulty box with many fun components to complete. For the initial shell, I had to inspect the website certificate to identify the subdomain associated with the Docker instance. Then, by abusing the Docker registry, I obtained the first user’s SSH private key to gain shell access. Further enumeration identified bolt.db inside the box, which contained the password hash for the admin user for…