4 box enum www-data

www-data@bucket:/$ cat /etc/passwd |grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
roy:x:1000:1000:,,,:/home/roy:/bin/bash

www-data@bucket:/var/www$ ls -la
total 16
drwxr-xr-x   4 root root 4096 Feb 10  2021 .
drwxr-xr-x  14 root root 4096 Feb 10  2021 ..
drwxr-x---+  4 root root 4096 Feb 10  2021 bucket-app
drwxr-xr-x   2 root root 4096 Nov 13 01:10 html

# no access to bucket-app as www-data (other::---), but the trailing '+' in the listing means it has extended permissions (ACLs)
www-data@bucket:/var/www$ getfacl bucket-app/
# file: bucket-app/
# owner: root
# group: root
user::rwx
user:roy:r-x
group::r-x
mask::r-x
other::---

# there is a folder /home/roy/project

www-data@bucket:/home/roy$ cd project/
www-data@bucket:/home/roy/project$ ls -la
total 44
drwxr-xr-x  3 roy roy  4096 Sep 24  2020 .
drwxr-xr-x  3 roy roy  4096 Sep 24  2020 ..
-rw-rw-r--  1 roy roy    63 Sep 24  2020 composer.json
-rw-rw-r--  1 roy roy 20533 Sep 24  2020 composer.lock
-rw-r--r--  1 roy roy   367 Sep 24  2020 db.php
drwxrwxr-x 10 roy roy  4096 Sep 24  2020 vendor
www-data@bucket:/home/roy/project$ cat composer.json
{
    "require": {
        "aws/aws-sdk-php": "^3.155"
    }
}
www-data@bucket:/home/roy/project$ cat db.php
<?php
require 'vendor/autoload.php';
date_default_timezone_set('America/New_York');
use Aws\DynamoDb\DynamoDbClient;
use Aws\DynamoDb\Exception\DynamoDbException;

$client = new Aws\Sdk([
    'profile' => 'default',
    'region'  => 'us-east-1',
    'version' => 'latest',
    'endpoint' => 'http://localhost:4566'
]);

$dynamodb = $client->createDynamoDb();

# there is a /.aws directory, but config and credentials are root-only (-rw-------), so www-data cannot read them
www-data@bucket:/.aws$ ls -la
total 16
drwxr-xr-x  2 root root 4096 Sep 23  2020 .
drwxr-xr-x 21 root root 4096 Feb 10  2021 ..
-rw-------  1 root root   22 Sep 16  2020 config
-rw-------  1 root root   64 Sep 16  2020 credentials

:4566 is the DynamoDB endpoint (the same http://localhost:4566 that db.php points at).
Using `aws dynamodb help`, found the commands that we can use to enumerate it.

www-data@bucket:/home/roy/project$ aws dynamodb --endpoint-url http://localhost:4566 list-backups
You must specify a region. You can also configure your region by running "aws configure".
www-data@bucket:/home/roy/project$ aws configure
AWS Access Key ID [None]: kashz
AWS Secret Access Key [None]: kashz
Default region name [None]: us-east-1
Default output format [None]:

[Errno 13] Permission denied: '/var/www/.aws'

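# as www-data, we cannot write to /.aws/ (root-owned); aws configure also fails to save its settings, with permission denied on /var/www/.aws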

PEAS

 Cleaned processes
root        1417  0.0  0.0 549656  3560 ?        Sl   00:52   0:00  _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 4566 -container-ip 172.18.0.2 -container-port 4566

 Active Ports
tcp        0      0 127.0.0.1:46205         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4566          0.0.0.0:*               LISTEN      -

 Users with console
root:x:0:0:root:/root:/bin/bash
roy:x:1000:1000:,,,:/home/roy:/bin/bash
uid=1000(roy) gid=1000(roy) groups=1000(roy),1001(sysadm)

lrwxrwxrwx 1 root root 35 Sep  7  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
        ServerName s3.bucket.htb


-rw-r--r-- 1 root root 1793 Sep 23  2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost 127.0.0.1:8000>
        <IfModule mpm_itk_module>
                AssignUserId root root
        </IfModule>
        DocumentRoot /var/www/bucket-app
</VirtualHost>
<VirtualHost *:80>
        DocumentRoot /var/www/html
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^bucket.htb$
        RewriteRule /.* http://bucket.htb/ [R]
</VirtualHost>
<VirtualHost *:80>
        ProxyPreserveHost on
        ProxyPass / http://localhost:4566/
        ProxyPassReverse / http://localhost:4566/
        <Proxy *>
                 Order deny,allow
                 Allow from all
         </Proxy>
        ServerAdmin webmaster@localhost
        ServerName s3.bucket.htb
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# The first virtual host serves /var/www/bucket-app on 127.0.0.1:8000 only; if mpm_itk is loaded, AssignUserId root root makes that app run as root, so any flaw in bucket-app carries root privileges.
# The second one catches all traffic whose Host header is not bucket.htb and returns a 302 to http://bucket.htb/. Its DocumentRoot is /var/www/html.
# The third one is for s3.bucket.htb, and it proxies everything to http://localhost:4566.

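# we can connect to dynamodb using s3.bucket.htb, as all requests for that host are routed to docker-proxy on 4566 - the service is bound to 127.0.0.1 only, but the *:80 proxy vhost makes it reachable from outside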
