HackTheBox - Registry


00:50 - Begin of Recon, discovering hostname in SSL Certificate
05:10 - Running GoBuster against Registry.htb and Docker.Registry.htb to discover CA Certificate in /install/
09:00 - /v2/ on Docker.Registry.HTB requires login, guessing admin:admin and then looking into the Docker Registry API
12:30 - Manually downloading a Blob off the Registry and extracting it to reveal files
15:50 - A more elegant way to do this: configure Docker to use this registry by adding the CA to our Docker SSL Cert Store, then download the Bolt-Image Container
20:40 - Discovering an Encrypted SSH Key on the container
22:30 - Explaining SSH Config Files
24:00 - Using find to show files modified between two dates to discover a file with the SSH Key Password
28:15 - Using more forensic artifacts (viminfo) to discover the file with the SSH Key Password
32:40 - Checking /var/www/html to discover the Web User can probably use sudo with restic. Try to get a shell as www-data
36:30 - Checking out Bolt CMS Exploits to discover an authenticated RCE
40:20 - Downloading the Bolt SQLite database, then viewing the contents and cracking the admin password
42:45 - Identifying the algorithm bolt uses to hash passwords
46:00 - Exploiting Bolt by editing the config to allow PHP Files and then uploading a webshell
50:00 - Could not get a reverse shell; checking iptables rules to see that iptables blocks OUTBOUND packets initiating a connection. Switching to localhost for the reverse shell
55:00 - Setting up a Reverse SSH Tunnel to forward 127.0.0.1:8000 to our box, so Restic can talk to us
57:30 - Setting up a Restic Server on our box
1:02:00 - Using Restic to download /root and get the Root SSH Key to log in to the box

Reviewed by Anonymous on April 04, 2020. Rating: 5