Apr 5, 2020
Working with insecure Docker credentials we manage to extract a SSH key and corresponding password crumbs for an initial user foothold. Following that access we find a sqlite file containing Bolt CMS admin credentials. Logging into the CMS we modify the config to allow a PHP shell of our choosing to access the host as www-data. Finally once we have www-data access we are able to abuse a restic sudo rule to expose the root flag.
In what seems like a continuing trend from 2019 machines I made this box much more difficult on myself than was needed. Starting with the docker portion I should have simply started the docker image and explored further inside rather than the convoluted way I approached it. For the Bolt CMS portion I focused much too long on the Twig execution in an attempt to get something useful to execute. Once I realized the configuration could be modified it was much easier from there.
Registry was probably one of the more informative machines I have worked on. While not focusing too much on any one technology, it provided more than a single opportunity to improve my overall knowledge and as a learning experience I greatly appreciated the approach.
Let's kick it off with an NMAP scan.
Right off the bat we notice a new subdomain: docker.registry.htb. We can add both this and registry.htb to our /etc/hosts file before we continue. Checking both domains in a browser seems to return a default nginx page.
We can dive down into this a bit further. I kicked off dirb runs for each of the domains on 80/443 and got a few interesting hits. The below was the most useful however.
Browsing to the /v2 page we are presented with a Basic Auth challenge. I got slightly lucky here as my first guess was admin/admin and sure enough that was the proper credentials.
By this point it was fairly clear we were working with a Docker Registry API. Docker's docs provided some background information on how to interact with the API.
Images are stored in collections, known as a repository, which is keyed by a name, as seen throughout the API specification. A registry instance may contain several repositories. The list of available repositories is made available through the catalog.
The catalog for a given registry can be retrieved with the following request:
Sure enough, we are able to get some information out of the repository.
I also figured it would be easier to move to the command line at this point for future steps.
Next step was to leverage the bolt image. Disclaimer: from this part until I get proper shell access to the Registry machine I was quite messy. I'm omitting quite a few parts where I ended up going down deadends but I'm attempting to keep enough to show my thought process throughout it.
Once running as root within the image we find a few interesting tidbits. Firstly, a password protected SSH keyfile.
I could have saved myself a lot of pain if I kept exploring here instead of take a step back. Unfortunately I seem to like doing things the complicated way and went back to the docker image on my local machine.
With the image layers saved as tar files, we descended into madness. Madness did end up being fruitful however and we are able to gather the SSH key's password required.
Sure enough, with the required information we are able to get on to Registry and claim the user flag.
With our newfound access we can poke around and see if anything interesting pops up. Sure enough we find a very interesting file under /var/www/html we didn't see previously.
If we keep going down the rabbit hole, we see a bolt folder under /var/www/html as well. A bit of poking and proding and we find that there is a Bolt CMS running under /bolt/bolt/.
Unfortunately admin/admin did not work out this time, nor did any other obvious choices - guess we can't get lucky twice.
Switching our focus back to the the /var/www/html/bolt/app folder, we do find something interesting - a sqlite file, bolt.db. Let's get a copy of that back over to our machine and see what we can get from it.
Alright interesting! A quick search online and we find the right format to run this through hashcat.
Let's run it through rockyou.txt and see if we can get a hit.
Beautiful! With our newfound strawberry password we should be able to access the CMS instance.
I ended up wasting quite a bit of time here playing with the twig formating. Since we weren't able to upload php files I attempted to get arbitrary code execution through twig, however I was only able to get basic things executed properly.
After taking a breath I took a different approach. It looks like we have the ability to modify configuration files. Let's add php explicitly and see if we can add our webshell files.
Two complications arose at this point. Firstly, it seems that the config file is being reverted every 2 minutes or so. Anything we want to accomplish needs to be done quickly to avoid being blocked. Second issue encountered was that any remote connections seemed to be blocked from our uploaded php shell. Thankfully this issue was a bit easier to solve as we already had a shell on the host as bolt.
The plan came down to:
Edit the configuration to allow PHP upload
Upload a PHP bind shell
Then connect to the bind shell using our bolt shell
And all before the automated revert wipes out any of our progress. Thankfully within a minimal amount of attempts I managed to get through.
Once on we are able to confirm our previous observation regarding the sudo rule we can run as www-data.
Not being familiar with rustic operations a quick search later and Rustic's docs helped me understand the gist of what needs to happen. Despite that, I still managed to botch the command syntax and I anticlimatically got the root flag immediately. In all honesty I didn't realize at first the output WAS the flag itself - definitely a facepalm moment until I realized what my command was actually doing.
Where ntrkzgnkotaxyju0ntrinda4yzbkztgw was indeed the root flag.
Well, what a trip! With that our journey with Registry is complete! Thanks folks, until next time.
I always enjoy being on a machine where other folks are actively working on it as well. It generally results in interesting moments such as the below. I feel your pain my friend, I feel your pain...