Registry

Enjoying the box so far… Got user and have access to b***/b*** in order to gain access to w**-****, any nudges would be appreciated. Thanks.

Hello,
I’m stuck. Can’t login with s** on the machine. I founded the private document with the password, impossible to use it for ssh.
Anybody have an hint ?
Thx !

Lots of hints already on here so I’m not gonna troll by reiterating whats already here. What I would say is that, after a few weeks of mulling it over, this is absolutely one of my favorite ever boxes. The entire thing, imo, was epic from start to finish. Happy to provide nudges on via DM / Discord (5ysk3y#6172) for those who are stuck.

Very cool box, being a borgbackup guy myself, it was fun to play with r***.
Another hint that cost me some time: There’s something in the way going outbound from the box, but you already have SSH. Always remember your options…

Stuck at b*** user, found b*** cms files and r***** cli app but got no clues on how to proceed. Can’t find a way to login into the cms, can’t upload a file, just the index.php page. Can someone give a nudge? Thanks!

Edit: Found a hash on b***.d*, cracked it, but don’t know where to input it…

Very cool box so far, I’m just struggling with the last root step.
I keep getting the following error

! EOF ReadFull main.read Password - unable to read password||

Received nudges from multiple other users so far that have all told me I’m doing the right thing yet I still get the error shown above. Weird stuff. Gotta try harder :smiley:

Edit :
And as it always goes, I cracked it 30 minutes later. :slight_smile: Great box!

Rooted. I have learnt and enjoyed a lot during doing this box. Thanks so much @Rolesa and @noi for helping me!

I’m so close, and so annoyed. Can’t root via d***** , as I’m 32 and not 64. 2 days of my life I wish I’d spent elsewhere! :slight_smile: If anyone knows an unintended method, I’d appreciate a nudge over PM as I can’t do it the intended way(unless I’m missing something?)

Edit - Now done. Definitely don’t look at this if you running the Kali OSCP exam VM as your base.

Rooted ! Fun box

Great box, really, learned a lot from this, thanks to all for the precious hints

root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bolt:~# wc root.txt
1 1 33 root.txt
root@bolt:~#

nice Box thank u ! mp for help

Need someone to kindly give me a nudge, I’m running the d***** im*** and I can see that I can ssh to the remote box but I can’t seem to crack the passphrase for the ssh key?

edit1: Never mind, thanks @3l0nMu5k for the nudge

edit2: rooted, but i think someone had borked the box a bit, had to reset it before i could do my exploit to pivot to second user, that was a really fun box :slight_smile:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

@SaMuTa said:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

Looking at the port, can you confirm you’ve added the address to your hosts file?

Type your comment> @TazWake said:

@SaMuTa said:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

Looking at the port, can you confirm you’ve added the address to your hosts file?

tried lots of solutions same problem, I added the url as insecure registry in d****n.json still the same

Weeelll… got the root flag but no root shell.

This was my path: enum --(d****r-r*******y)--> user b***t --(b***t-C*S)--> user w**-***a --(r****c)--> root flag and more hashes

Now attempting to crack them hashes.

Is this the intended way?

Finally end of 3 days journey, Registry Rooted!!, struggled on user2 with unstable shell, thanks to @coopertim13 and @madseason for nudge

got user b**t ,cracked the hash, found the app, got stuck. any tip/hint is appreciated .

On user www-data but not sure how to reach my rest server. Any hints/nudges will be appreciated!

Done, not convinced that the ‘protection’ around user2 is that true to life. I think that most installs would instead use immutable data rather than overwrite. BUt that would make this even more difficult then :slight_smile: