Registry HTB

user.txt

Fron nmap I have 3 ports open. 22,80,443. On port 80 I get nginx default page, doing directory bruteforcing leads to nowhere. I look at port 443 and get a hostname docker.registry.htb. This shows a blank page. By doing directory bruteforcing I get a directory /v2/. I go on that directory and I am presented with basic auth. Guessing admin/admin I am inside. This seems like a json thing. I try to search about docker registry. And I find a post about this: https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/. I do this and download all the blobs. Extract them and Find inside one of them. A private ssh key. On the other one, I find the ssh private key password. Upon entering the box, I see that I am logged in as bolt. Inside /var/www/html directory I see a web app named bolt. I get the administrator password from this by going to database folder, and then copying the .db file. After opening it with sqlviewer and then getting the hash. I crack the hash, and enter the webapp.

I have the file manager and I can upload .php files but I cannot rename the file. I goto main configuration file, and then
add the php extension as allowed. And fast I upload the php file, because these configurations get deleted very fast. Then I upload
nc64 so I can bind a shell to the box, via the php file I uploaded. After I get into the box as www-data

root.txt

As root I can run restic backups as root. The misconfig here is the rest*. So I spin a https://github.com/restic/rest-server on my local box. Then add a new repo, and give a password. On the box then I backup the /root folder on my localmachine, so I get the root and the root ssh private key.


Take aways: Never give other users the ability to run restic commands as sudo.Be carefull with docker registry.

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4