RegistryTwo
RegistryTwo
RegistryTwo 552
RegistryTwo
RETIRED MACHINE

RegistryTwo

RegistryTwo - Linux Linux
RegistryTwo - Insane Insane

4.7

MACHINE RATING

674

USER OWNS

639

SYSTEM OWNS

22/07/2023

RELEASED
Created by irogir

Machine Synopsis

RegistryTwo is an Insane Linux machine that starts with a webpage that presents a web hosting service. Moreover, the Docker registry is exposed and allows anonymous authentication. From the Docker registry, an attacker is able to download an exact replica of the container that hosts the web application. Inside the container resides the `WAR` file that is hosted using Tomcat, and Nginx is acting as a reverse proxy to the service. Reading through the source code of the `WAR` file an attacker is able to chain a Tomcat path traversal exploit, a leftover `SessionExample` snippet and an RCE vulnerability on `jdbc` in order to get a shell inside the container on the remote machine. Once inside the container, the attacker is able to exploit Java Remote Method Invocation (RMI) to get a pseudo-shell and read the password for the user `developer`. Now, logged into the main host using SSH, one can notice that `Clam-AV` is present. Manipulating RMI once again, the attacker is able to extract files from the `/root` directory and find another pair of credentials that are re-used by the `root` user.

Machine Matrix

Ready to start your
hacking journey?