Bucket,a Linux box created by HackTheBox user MrR3boot, was an overall medium difficulty box. Initial foothold was finding credentials in dynamo-db and using that to use that credentials on aws s3 cli. and then we upload a php shell and we get a shell as www-data and using another credential. we get roy(user). for Privilege Escalation we find another internal service running on 8000 and checking the code we see it is using pd4ml to convert an html to pdf. so we can inject and attach some files and download the result.pdf, using that we can download root.id_rsa with that we can ssh and we have pwned the box.
1 2 3 4 5 6 7 8 9 10 11 12 13
# Nmap 7.80 scan initiated Sun Oct 18 12:42:16 2020 as: nmap -sC -sV -oN nmap/bucket 10.10.10.212 Nmap scan report for 10.10.10.212 Host is up (0.093s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to http://bucket.htb/ Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Oct 18 12:42:28 2020 -- 1 IP address (1 host up) scanned in 12.41 seconds
Checking the source we find another subdomain s3.bucket.htb
Lets add that to the /etc/hosts and view the page again.
running gobuster we find /shell on s3.bucket.htb
/health (Status:200) /shell (Status:200)
following the tutorial and trying few things we can dump a users table which had some creds.
So with those creds i used cloudadm creds with aws cli to ls file and we see we can upload too.
After updating the index.html we see that updating after few seconds on the main bucket.htb
So i wrote a script to upload a php shell and keep polling on bucket.htb to get a reverse shell