Hackthebox Bucket WriteUp


Bucket is a fun linux machine exploiting aws bucker server. After fuzz subdomain there is a bucket server running. Use aws CLI commands to find a endpoint and use put-item to upload a reverse shell. PriEsc is also to exploit aws bucket. but its abit hard to do. After forawrd a port, We could create a table and take advantage of put item about root’s id_rsa key then save it to a default directory. This box it’s awesome to learn some aws CLI stuff. With all that being said, Let’s just jump in!


The Foothold:

Head over to http://bucket.htb/ and below web page.

Poking around not find anything, So let’s fuzz sub-domains.

Cool, So this about aws bucket, below are resources about exploit aws bucket and aws CLI commands line.

Setting up aws on our attacker machine.

Find tables and endpoints etc.

upload a php reverse shell (https://github.com/pentestmonkey/php-reverse-shell) to the server by put-object command.

check http://s3.bucket.htb/adserver/dir-1/rev.php bucket and we uploaded a reverse shell on the server.

Execute it on the http://bucket.htb/dir-1/rev.php to get a shell.

And we can use password found on the bucket to get to user roy

PriEsc to root:

There a port 8000 running, So, let’s do a local port forward and check what it has .

It’s also a aws bucke.

Exploit AWS pdf generator:

we create a table and put a root id_rsa key in it, (do these on attacker machine). It will create a pdf file on the server.

After created it, Pull the pdf file to a default directory /var/www/bucket-app/files.

Check the pdf result file and we got a root id_rsa key.

logged in as root!

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP