HackTheBox Writeup — Bucket
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.10.212
Port Scan
Running a full Nmap port scan on it, we get
We get only two open ports, one for SSH and the other for web
Way To User
Opening the IP in the browser redirected to the domain bucket.htb, which I then had to add to my hosts file
There is nothing much of interest on the main webpage, so moving on to the source code, we see that it fetches the images from a subdomain, s3.bucket.htb, and we add that to our hosts file too
Running Gobuster against the subdomain, we get only 3 results, the interesting one being /shell
The /shell directory redirects us to the AWS DynamoDB Web Shell
Checking the API Templates, we have a lot of options available for use
Scanning for tables using the ListTables option, we have code which, when run, gives us the table named “users”
We use the other features to get the contents of the table users
We have the username and password columns, and now we get the contents of those columns
We get 3 different credentials. Also, when checking where the images are stored, we see they are under the adserver bucket
We will now use awscli for the next steps. Using the aws configure command, we configure AWS with the credentials we got from the table users
We then use the aws cp command to upload the PHP reverse shell script, and then we try to execute the script from the main bucket.htb domain, since the AWS bucket cannot execute PHP files
We got our reverse shell successfully as www-data. Now we check the current users on the box and see there is only one user with a console, i.e., roy
Trying the passwords we got earlier as the password for user roy, one of them worked
We get the user flag now
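On the defensive side, the bucket upload step above works because objects written to the bucket end up served by the PHP-enabled main site. The following is an added example, not code from the box or from this writeup: an allowlist check that a job copying bucket objects into the web root could apply. The job itself, the function names and the sample listing are assumptions constructed for illustration.

```python
import posixpath

# Extension -> accepted leading magic bytes (static image types only).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_object(key, head):
    """Return (allowed, reason) for an object key and the first bytes of its body."""
    if "\x00" in key or "\\" in key or key.startswith("/"):
        return False, "malformed key"
    if any(part in ("", ".", "..") for part in key.split("/")):
        return False, "path traversal or empty segment"
    name = key.rsplit("/", 1)[-1].lower()
    # Require exactly one dot so names like logo.php.png are refused outright.
    if name.count(".") != 1:
        return False, "missing or multiple extensions"
    ext = posixpath.splitext(name)[1]
    if ext not in ALLOWED:
        return False, "extension not allowlisted"
    if not head.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Valid image header followed by script code (polyglot file).
    if b"<?php" in head.lower() or b"<?=" in head:
        return False, "PHP open tag in content"
    return True, "ok"

# Constructed sample listing: (object key, first bytes of the body).
SAMPLE_LISTING = [
    ("images/bug.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("shell.php", b"<?php echo 1; ?>"),
    ("images/logo.php.png", b"\x89PNG\r\n\x1a\n"),
    ("../index.php", b"<?php echo 1; ?>"),
    ("images/fake.png", b"<?php echo 1; ?>"),
    ("images/poly.gif", b"GIF89a<?php echo 1; ?>"),
]

def screen(listing):
    """Map every key in the listing to its (allowed, reason) verdict."""
    return {key: check_object(key, head) for key, head in listing}

if __name__ == "__main__":
    for key, (ok, reason) in screen(SAMPLE_LISTING).items():
        print(("COPY " if ok else "SKIP ") + key + ": " + reason)
```

A filter like this complements, rather than replaces, disabling script execution in whatever directory receives bucket content.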
Way To Root
Checking for the locally open ports, we see 4 local open ports
Checking the webroot directory, there is a folder named bucket-app, and inside it is other web content
Checking the contents of index.php, we see that it is running a passthru function which runs a Pd4Cmd command on a $name variable, which is a file's content, and then outputs it to a PDF file
Upon reviewing the PHP code, we see that we need to create a table named alerts and then create a column named title with the attribute value Ransomware, where we can put the content of any file using directory traversal, and here we can use that to get the root SSH key
To execute all of this, we need to make a POST request with the parameter action set to get_alerts to execute the passthru function
After trying that, we get a blank page, which means it has executed the passthru function commands
Now we have to do the steps of creating the table and its contents. To automate this, I use a bash script which does all of it
We saved the code into a bash script and then ran the aws configure command in the roy terminal to set up awscli first so that we can run our aws commands
After running the script, we get the SSH key of root
Now we use the SSH key to log in to the root account