HackTheBox - Registry

00:50 - Begin of Recon, discovering hostname in SSL Certificate 05:10 - Running GoBuster against Registry.htb and Docker.Registry.htb to discover CA Certificate in /install/ 09:00 - /v2/ on Docker.Registry.HTB requires login, guessing admin:admin and then looking into the Docker Registry API 12:30 - Manually downloading a Blob off the Registry and extracting it to reveal files 15:50 - A bit more elegant way to do this, configure Docker to use this registry by adding the CA to our Docker SSL Cert Store. Then downloading the Bolt-Image Container 20:40 - Discovering an Encrypted SSH Key on the container 22:30 - Explaining SSH Config Files 24:00 - Using find to show files modified between two dates to discover a file with the SSH Key Password 28:15 - Using more forensic artifacts (viminfo) to dicover the file with SSH Key Password 32:40 - Checking /var/www/html to discover the Web User can probably use sudo with restic. Try to get a shell as www-data 36:30 - Checking out Bolt CMS Exploits to discover an authenticated RCE 40:20 - Downloading the bolt SQLite database then viewing the contents and cracking the admin password 42:45 - Identifying the algorithm bolt uses to hash passwords 46:00 - Exploiting Bolt by editing the config to allow PHP Files and then uploading a webshell 50:00 - Could not get a reverse shell, checking iptable rules to see iptables blocks packets initiating a connection on OUTBOUND. Switching to localhost for reverse shell 55:00 - Setting up a Reverse SSH Tunnel to forward 127.0.0.1:8000 to our box, so Restic can talk to us 57:30 - Setting up a Restic Server on our box 1:02:00 - Using Restic to download /root and get the Root SSH Key to login to the box