HackTheBox Writeup — Bucket

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is

Port Scan

Running NMAP full port scan on it , we get

We get only two open ports, one for SSH and the other for web

Way To User

Running the IP in the browser was redirecting to a domain bucket.htb which I had to later add in my hosts file

Nothing much interesting from the main webpage , so moving towards checking the source code , we see that it is fetching the images from a subdomain s3.bucket.htb and we add that too on our hosts file

Running Gobuster against the subdomain, we get only 3 results , the interesting one being the /shell

The /shell directory redirects us to AWS DynamoDB Web Shell

Checking the API Templates, we have a lot of options available for use

Scanning for tables using the ListTables option, we have a code which when run gives us the table named “users

We use the other features to get the contents of the table users

We have the username and password column and now we get the contents of those columns

We get 3 different credentials, also when checking where the images are stored under the adserver bucket

We will now use awscli to do the steps now, using aws configure command, we configure the AWS with the credentials we got from the table users

We then using aws cp command to upload the php reverse shell script and then we try to execute the script from the main bucket.htb domain since the AWS bucket cannot execute php files

We got our reverse shell successfully as www-data and now we check the current users on the box and we see there is only one user with console ,i.e, roy

Trying the passwords which we got earlier as the password for user roy, one of them worked

We get the user flag now

Way To Root

Checking for the locally open ports, we see 4 local open ports

Checking the webroot directory, there is a folder named bucket-app and inside of is another web contents

Checking the contents of index.php, we see that its running a passthru function and inside of it is running a Pd4Cmd command on a $name variable which is a file content and then outputting it on a pdf file

Upon review the php code, we see that we need to create a table named alerts and then create a column named title which has the Attribute Value of Ransomware where we can put the content of any file using directory traversal and here we can use that to get the root ssh key

To execute all these, we need to do a POST request with the parameter action having the value of get_alerts to execute the passthru function

After trying that we get a blank page which means it has executed the passthru function commands

Now we have to do the steps of creating the tables and the contents, to automate this, I use a bash script which we do all of the stuffs

We saved the code into a bash script and then run the aws configure command on the roy terminal to set up the awscli first so that we can run our aws commands

After running the script, we get the ssh key of root

Now we use the ssh key to login to root account

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store