4 box enum www-data
www-data@bucket:/$ cat /etc/passwd |grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
roy:x:1000:1000:,,,:/home/roy:/bin/bash
www-data@bucket:/var/www$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Feb 10 2021 .
drwxr-xr-x 14 root root 4096 Feb 10 2021 ..
drwxr-x---+ 4 root root 4096 Feb 10 2021 bucket-app
drwxr-xr-x 2 root root 4096 Nov 13 01:10 html
# no access to bucket-app; but it has extended permissions (the trailing + in drwxr-x---+ marks an ACL)
www-data@bucket:/var/www$ getfacl bucket-app/
# file: bucket-app/
# owner: root
# group: root
user::rwx
user:roy:r-x
group::r-x
mask::r-x
other::---
# there is a folder /home/roy/project
www-data@bucket:/home/roy$ cd project/
www-data@bucket:/home/roy/project$ ls -la
total 44
drwxr-xr-x 3 roy roy 4096 Sep 24 2020 .
drwxr-xr-x 3 roy roy 4096 Sep 24 2020 ..
-rw-rw-r-- 1 roy roy 63 Sep 24 2020 composer.json
-rw-rw-r-- 1 roy roy 20533 Sep 24 2020 composer.lock
-rw-r--r-- 1 roy roy 367 Sep 24 2020 db.php
drwxrwxr-x 10 roy roy 4096 Sep 24 2020 vendor
www-data@bucket:/home/roy/project$ cat composer.json
{
"require": {
"aws/aws-sdk-php": "^3.155"
}
}
www-data@bucket:/home/roy/project$ cat db.php
<?php
require 'vendor/autoload.php';
date_default_timezone_set('America/New_York');
use Aws\DynamoDb\DynamoDbClient;
use Aws\DynamoDb\Exception\DynamoDbException;
$client = new Aws\Sdk([
'profile' => 'default',
'region' => 'us-east-1',
'version' => 'latest',
'endpoint' => 'http://localhost:4566'
]);
$dynamodb = $client->createDynamoDb();
# there is a /.aws directory, but config and credentials are root-only (-rw-------), so www-data cannot read them
www-data@bucket:/.aws$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Sep 23 2020 .
drwxr-xr-x 21 root root 4096 Feb 10 2021 ..
-rw------- 1 root root 22 Sep 16 2020 config
-rw------- 1 root root 64 Sep 16 2020 credentials
:4566 is DynamoDB: it is the endpoint that db.php points at (http://localhost:4566).
Using `aws dynamodb help`, found commands that we can use to enumerate it.
www-data@bucket:/home/roy/project$ aws dynamodb --endpoint-url http://localhost:4566 list-backups
You must specify a region. You can also configure your region by running "aws configure".
www-data@bucket:/home/roy/project$ aws configure
AWS Access Key ID [None]: kashz
AWS Secret Access Key [None]: kashz
Default region name [None]: us-east-1
Default output format [None]:
[Errno 13] Permission denied: '/var/www/.aws'
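# as www-data, aws configure cannot save its settings: it tries to write /var/www/.aws (the path in the error above; /var/www is root-owned), and /.aws/ is root-owned as well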
PEAS
╣ Cleaned processes
root 1417 0.0 0.0 549656 3560 ? Sl 00:52 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 4566 -container-ip 172.18.0.2 -container-port 4566
╣ Active Ports
tcp 0 0 127.0.0.1:46205 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4566 0.0.0.0:* LISTEN -
╣ Users with console
root:x:0:0:root:/root:/bin/bash
roy:x:1000:1000:,,,:/home/roy:/bin/bash
uid=1000(roy) gid=1000(roy) groups=1000(roy),1001(sysadm)
lrwxrwxrwx 1 root root 35 Sep 7 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
ServerName s3.bucket.htb
-rw-r--r-- 1 root root 1793 Sep 23 2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost 127.0.0.1:8000>
<IfModule mpm_itk_module>
AssignUserId root root
</IfModule>
DocumentRoot /var/www/bucket-app
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html
RewriteEngine On
RewriteCond %{HTTP_HOST} !^bucket.htb$
RewriteRule /.* http://bucket.htb/ [R]
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost on
ProxyPass / http://localhost:4566/
ProxyPassReverse / http://localhost:4566/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerAdmin webmaster@localhost
ServerName s3.bucket.htb
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
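# The first virtual host is the localhost-only server on 127.0.0.1:8000. It serves /var/www/bucket-app and, through mpm_itk's "AssignUserId root root", handles requests as root, so any flaw in that app carries root privileges.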
# The second one matches all traffic whose Host header is not exactly bucket.htb (the pattern is anchored with ^ and $) and returns a 302 redirect to http://bucket.htb/. Its DocumentRoot is /var/www/html.
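# The third server is for s3.bucket.htb, and it will proxy everything to http://localhost:4566. docker-proxy binds that port to 127.0.0.1 only, but this vhost's "<Proxy *> ... Allow from all" applies no access control, so the service is exposed to any client that sends that Host header.
# We can therefore connect to DynamoDB using s3.bucket.htb, as every request to that host is routed to docker-proxy on 4566.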