Hack The Box Registry Detailed Walkthrough – 10.10.10.159

The Hack The Box Registry machine is categorized as “hard” with 40 points. In today’s post I’m going to take you through the steps I used to root the machine. Let us start by adding the machine IP 10.10.10.159 to /etc/hosts as registry.htb, as always. Once done, let us start with an Nmap port scan.

NMAP PORT SCAN and ENUMERATION

Here is the Nmap scan report:

The Nmap scan revealed that SSH on port 22, a web server on port 80 and SSL on port 443 are open. The SSL port belongs to an nginx server. Nmap also reported another CN, docker.registry.htb, which is an nginx server as well. I’m going to add docker.registry.htb to my hosts file.

As a next step, I browsed the newly found subdomain (https://docker.registry.htb), but nothing interesting was found.

Gobuster Scan

Since I couldn’t find anything on the main page or on the subdomain https://docker.registry.htb, I assumed that there should be something behind the scenes. So I decided to take GoBuster for a ride on both. I fired up GoBuster with default settings, using the dirbuster directory-list-2.3-small.txt as the wordlist.

HTB Registry GoBuster Scan Report for http://registry.htb/

http://registry.htb has two directories: /install and /bolt. I will enumerate these later; let us scan http://docker.registry.htb/ using the same settings as above.

The second GoBuster scan revealed quite a few new subdirectories. Let’s check them one by one. http://registry.htb/install and http://registry.htb/bolt have some webpages hosted. http://docker.registry.htb/v2 seemed more interesting to me, so I decided to concentrate on it.

http://docker.registry.htb/v2 requires credentials to log in; however, the failed authentication revealed that it hosts the Docker API. I tried common passwords and managed to log in using the admin:admin credentials.
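
Seen from the defender's side, the GoBuster scans and the password guessing against /v2 described above both leave a recognizable pattern in the nginx access log. The script below is an added example, not part of the original walkthrough; the log lines, client addresses, user names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

def make_line(ip, user, path, status, ua="curl/7.68.0"):
    """Build one constructed nginx 'combined' access-log line."""
    return (f'{ip} - {user} [01/Jan/2020:10:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 0 "-" "{ua}"')

# Constructed sample log: addresses, users and paths are illustrative only.
SAMPLE_LOG = "\n".join(
    [make_line("10.10.14.7", "-", f"/{p}", 404, "gobuster/3.0.1")
     for p in ("index", "images", "admin", "backup", "test")]
    + [make_line("10.10.14.7", "-", "/bolt", 301, "gobuster/3.0.1")]
    + [make_line("10.10.14.7", u, "/v2/", 401) for u in ("-", "root", "docker")]
    + [make_line("10.10.14.7", "admin", "/v2/", 200)]
    + [make_line("10.0.0.5", "ci", "/v2/_catalog", 200)]
)

LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def analyze(log_text, scan_threshold=5, fail_threshold=3):
    """Return findings as (kind, client_ip, user) tuples, in log order."""
    not_found = defaultdict(set)   # ip -> distinct paths answered with 404
    auth_fails = defaultdict(int)  # ip -> 401s on /v2 since last success
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined format
        ip, user, path = m["ip"], m["user"], m["path"]
        status = int(m["status"])
        if status == 404 and path not in not_found[ip]:
            not_found[ip].add(path)
            # Report once, when the distinct-404 count reaches the threshold.
            if len(not_found[ip]) == scan_threshold:
                findings.append(("dir-enum", ip, None))
        if re.match(r"/v2(/|$)", path):
            if status == 401:
                auth_fails[ip] += 1
            elif status == 200 and user != "-":
                # Success right after repeated failures: likely guessed login.
                if auth_fails[ip] >= fail_threshold:
                    findings.append(("guessed-login", ip, user))
                auth_fails[ip] = 0
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Real thresholds need tuning against normal traffic, since registry clients routinely receive one 401 before sending credentials.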

As I already confirmed above the docker/v2 hosts API files, let us find a way to exploit it and get more information and credentials if possible. Also, according to some in HTB Forums, this: https://docs.docker.com/engine/reference/commandline/manifest/ will be helpful. Let’s not leave anything untouched in the recon.

Let’s crack the hash we found using John.

Now that I have the password, I know there is a login page that I need to find. Taking the HTB forum suggestions into consideration, I set off GoBuster for another round of scanning, this time on http://registry.htb/bolt.

GoBuster result:

I managed to log in to the page using bolt:strawberry as credentials. After logging in, I found that the webpage is Bolt CMS version 3.6.4. A quick Google search showed me a couple of exploits.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
