Fron nmap I have 3 ports open. 22,80,443. On port 80 I get nginx default page, doing directory bruteforcing leads to nowhere.
I look at port 443 and get a hostname docker.registry.htb. This shows a blank page. By doing directory bruteforcing I get a directory
/v2/. I go on that directory and I am presented with basic auth. Guessing admin/admin I am inside. This seems like a json thing.
I try to search about docker registry. And I find a post about this: https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/.
I do this and download all the blobs. Extract them and Find inside one of them. A private ssh key. On the other one, I find the ssh private key password.
Upon entering the box, I see that I am logged in as
bolt. Inside /var/www/html directory I see a web app named
I get the administrator password from this by going to database folder, and then copying the .db file. After opening it with
sqlviewer and then getting the hash. I crack the hash, and enter the webapp.
I have the file manager and I can upload .php files but I cannot rename the file. I goto main configuration file, and then add the php extension as allowed. And fast I upload the php file, because these configurations get deleted very fast. Then I upload nc64 so I can bind a shell to the box, via the php file I uploaded. After I get into the box as www-data
As root I can run restic backups as root. The misconfig here is the rest*. So I spin a https://github.com/restic/rest-server on my local box. Then add a new repo, and give a password. On the box then I backup the /root folder on my localmachine, so I get the root and the root ssh private key.
Take aways: Never give other users the ability to run restic commands as sudo.Be carefull with docker registry.