Hello everyone and welcome back to another YouTube video. My name is John Hammond and today we're looking at some Hack The Box. I want to showcase the Bucket machine from Hack The Box, which is a medium-difficulty rated machine and should be retiring very soon as this video releases. So I want to give it the old college try and we'll see what we get into; I think this will be a little bit of fun here. So I'll hop over to my computer screen. I am connected to the VPN. I do have a little space set up for me in the hackthebox directory out of my CTF directory, and I'm gonna make a directory for YouTube/Bucket and let's hop over there. I'll get started with a README, although I don't know how much I'll actually use it, as I tend to. So we'll just note who I am and what I'm doing, the dates and stuff. Maybe, now, who cares. Let's grab the IP address for this machine, which I have over on the website, kind of as you saw, on my other monitor here. The website for this machine, or the IP address for this, is 10.10.10.212. So let's start some enumeration, right? Let's go. I'm gonna make an nmap directory so I can go ahead and run the command nmap -sC for default scripts, -sV to enumerate versions, -oN nmap/initial (I'm gonna output it in an nmap format, that's -o capital N), and I'll specify -v for verbose, and I guess I'll add in the IP address since it kind of needs to know that. So now let's go ahead and hit enter here and let's see what comes back. I see a new port. Okay, 22, so SSH, and port 80. So it looks like it's maybe running a server here, a little web server. We could open that up in, like, Sublime Text to get a better view of that. Yep, okay, so port 22 and port 80. Good enough. So if we have port 80 open, that might be worth looking into, because to connect with SSH we would kind of need to know some user credentials. So that's not super helpful for us right now, because we don't know anything; we're still kind of looking around. Let's take a look at that port 80.
I'll go ahead and get a web browser open. I guess I'll just use Google Chrome here, and the IP address is 10.10.10.212, right? Yeah. Oh, okay, so that redirected me, or tried to bring me, to bucket.htb, and it looks like I'll need to go ahead and add that into our /etc/hosts file. So I will sudo nano that and slap in that IP address, and bucket.htb is kind of what we're looking for there. Okay. Well, while we're kind of looking around here, let's actually start up another nmap scan. I'll use the aggressive -A and -p- so we're looking at all ports, just in case there's anything we're overlooking here. I think it may be good to do; let's just let it go in the background. That's totally fine for us. Oh, okay, and now we have a bucket.htb website that is loaded. Bug bounty and zero-day research, ransomware alerts, okay. It's rotating back to March: cloud updates, customized ads that suit your business. You can contact us at this email address and a mobile number that's totally not real. I wonder if that support email actually, like, goes anywhere. Like, is the bucket kind of gimmick for this machine like you send stuff into an email bucket? I don't know. We could, if we wanted to, if we're really scraping the drawers, if we're getting kind of desperate, we can try and send an email over there. I don't know. Clicking on these links, though, they all seem to take me to nowhere. I get the anchor, or that hashtag, that octothorpe, that pound symbol, that just brings me back to the homepage. Let's view the source here. You can right-click and view page source or hit Ctrl+U on your keyboard, and now we're looking at the HTML. So there's not a lot really here. CSS, inline CSS, so kind of boring; that's all gonna be static. Nothing extremely interesting that we could actually work with or interact with. Some JavaScript, a little bit, but just resizing. Coffee. Ooh, these image sources have a different link. They go to http://s3.bucket.htb/adserver/images/bug.jpg. What is that?
Oh. So is S3, is S3 bucket meant to be like an AWS S3 bucket? I'm sure. So, I am not super familiar with AWS S3 buckets, but it's essentially just like a storage, object storage, built to store and retrieve any amount of data from anywhere, that Amazon goes ahead and puts out in the world with their cloud services, right? Oh, Amazon S3 is designed for 99.999999999%, eleven 9's, of durability, but we're in the double digits, baby. Holy goodness. So, okay. If we do have an S3 bucket that we are up against, then, if it's kind of being referred to here with this link in this URL, we want to make sure that we actually can call back and respond to that too. Did my nmap come back already? Yeah, okay, only the same ports that we already found. So let's grab the same exact line and set our hosts and just add that s3 prefix so we can work with that S3 bucket. Good enough. All right, so we'll type that in here as http://s3.bucket.htb. Yeah, okay. It responds with a little JSON message: hey, the status is running. Cool, my guy. Super helpful. I mean, I guess like that makes sense; that's kind of what, like, AWS and S3 will probably just return with, a little update. I wonder, though, if there's anything else in here. I wonder if there's stuff that we can kind of poke at and explore. My lights are flickering over there. I'm sorry. I don't know if that's, like, seizure-inducing. Yeah, they're tweaking out. I'm just gonna turn those off. Forgive me. Okay, okay, okay, okay. Let's see if there's stuff we can access in that S3 bucket. I'm gonna go ahead and use gobuster. So I will use gobuster with -u for the URL, http://s3.bucket.htb, -w for the wordlist we're gonna use, the directory-list medium one in /opt, and I'm pretty sure you might have to use gobuster dir. Maybe I'm using an old version of gobuster; my syntax is just a little bit off. Sorry.
So you might need to use dir if you're using that syntax. We get a /health response. Let's try and go to that, /health. Services: S3 is running and DynamoDB is running. What is DynamoDB? Let's take a gander. I'll Google that, I guess. DynamoDB, Amazon DynamoDB, NoSQL key-value database. What was that little blurb that Google was giving me? Amazon DynamoDB is a fully managed proprietary NoSQL database service that supports key-value and document data structures and is offered by Amazon.com. It's part of the Amazon Web Services portfolio. Okay. So NoSQL makes me think of, like, MongoDB or other variations of it, essentially a database but without, you know, the thing that makes it SQL. It's NoSQL. It's hip, it's cool, it's mainstream and hipster. So we also have a /shell, which is kind of more interesting than just straight-up /health. So let's go see if I can reach that. I'll go to /shell and it just brought me somewhere weird. Do I need, like, a forward slash following that? Yeah, oh, what the heck. Way too zoomed in. Welcome to the DynamoDB web shell. Oh, get started with some API templates by clicking that on the menu, or start the tour by pressing tutorial.start() to take a getting-started tour. Hello and welcome. Okay, so we can work with a console. I have a little prompt here. Can I do stuff? help is not defined, great. JavaScript SDK. What is the DynamoDB... oh, that little help brought up, like, frequently asked questions: an interactive way to experience and try out the DynamoDB service through DynamoDB Local. It's used for learning and testing purposes. Okay, what's the syntax? What do I do with it? How do I use it? Oh, there are links here down on the bottom, like the developer guide and the API reference. Let's try and go to those. What is Amazon DynamoDB?
Amazon DynamoDB developer guide, okay. How it works, setting up DynamoDB, accessing DynamoDB. You can access DynamoDB using the console, which I think is what we're looking at, the AWS CLI, or the API. If we can use the AWS CLI, that might be significantly nicer and easier to use. So how do I do that? You can access Amazon DynamoDB using the AWS Management Console, the AWS Command Line Interface... yeah, yeah, let me use the CLI. Downloading and configuring the AWS CLI. Download it here. It runs on Windows, Mac or Linux. I'm running Linux right now. I'm pretty sure it's something that I can just, like, get out of the repositories, right? There's a Linux installer. I don't want to use the curl thing. Is it just in the repositories? You can stop, gobuster. You're good, buddy. Take a chill pill. Ah, sorry. Let's do the apt install... gobuster. I was talking and typing at the same time. Uh, awscli. Hmm. Maybe, you know, hyphen awscli. Oh, I already have it installed. Okay, so aws. Yeah, it's a thing. So I need to configure it, though. I don't know if I've already done that. Hello. Using the AWS CLI. Downloading and configuring. How do I configure? No, no, no, no, I don't want to get into the... okay. DynamoDB syntax. I need to, after installing the AWS CLI, configure the AWS CLI. So, configuration basics, hit me up. Quick configuration with aws configure. That's what I need. Just run aws configure and an access key... oh, do we need to supply an access key? It has, like, default values, though. None? aws configure... oh, I guess I already did set it up. The "Hing Hing" must be from me, like, typing anything. Yeah, that must be from me typing anything at some point before. Yep, us-east is totally fine, and I think json is kind of what I had set it to before. So if you hadn't set it up, type in whatever region you think works best for you. I'm in us-east, and json is, I think, a fine output format. So now that is configured, and again, we just threw in garbage as access keys or secret keys.
So that should be pretty easy. How do I interact with DynamoDB now? Yeah, yeah, yeah, let's go back to the documentation here. The command line format consists of a DynamoDB operation name followed by the parameters for that operation. The AWS CLI supports a shorthand syntax for parameter values as well as JSON. Okay, so here's the syntax to create a table, put an item, okay, and it returns it all kind of out as JSON, right, as the data format that we already specified it would do. Using the AWS CLI with downloadable DynamoDB. You can specify an endpoint URL. Okay, so that might be how we can reach, like, the target, like this remote machine here. Here's an example: list-tables with --endpoint-url. Let's try that. I'm gonna use this syntax with the endpoint URL being s3.bucket.htb. Yeah, ooh. A users table. I don't think that's, like, a default response. I think that's got to be something actually coming from the server. So we got somewhere, we got some progress. How do I list the stuff out of that? No, I don't want the SDK. I want the working-with-tables section: it describes how to use the AWS Command Line Interface to create, update and delete tables in Amazon DynamoDB. Okay. Basic operations on DynamoDB tables. Yeah, just let me read the table, please. I want to know what's in that users table. I don't need to create it. Holy cow. Describing a table, updating a table, deleting a table, listing table names, we've done that already. Okay, what about reading it? What about reading the table, or the items? The items are the things that are inside of the table, right? Put item, get item, read an item. Is that what I need to do? Get item. Oh, and you can specify a table name. Yeah, yeah, yeah. And a key. Is that a mandatory argument? Let's try to run that. Let's use our README, because we should seriously do that. Let's use bash to kind of denote this.
Oh, and that way we can actually get the endpoint URL in here. I will copy their same sort of setup to have the backslashes following these commands. So we know our table name is users, at that endpoint URL. Will that work? What? Oh, oh, oh, oh. The following arguments are required: --key. I don't know what the key would be, though. Just, like, specifying an ID? Is that seriously gonna work? Prob's not. The number of conditions on the keys is invalid. Okay. Is there a way to not specify a key? DynamoDB read table, read the whole table. Reading data from a table, this is back in the documentation. Get... I know they're using get-item again with the key. I don't want the key. Read table without... oh, primary key. Without the primary key, is that a thing? Querying DynamoDB without using a primary key. Here we are at Stack Overflow, everybody. It all comes to this every single time. I need to query a DynamoDB table by a key; it's different than its primary key. Querying using index. This is my implementation with Node.js of querying by another field with scan. Scan. Now this is Node.js, though. It's also not a language that I read. How did we get here? Um, okay. It used a scan, though. Is that another thing? Working with scans. I'm looking through the documentation here. Working with scans. A scan operation reads every item in a table. Oh. Okay. Filter expressions for scans. I don't want a filter expression. Can I just, like, scan everything? Let's try. users, and now we don't need the key there. Try that. Oh. That is stuff like a password. Items with passwords. Management, their username management has the password of that thing, cloudadmin has the password of that thing. Is this going to be helpful?
Let's grab this. Let's put this in our README. The thing is, like, my knee-jerk reaction is to want to use this with SSH, but these usernames are probably more like usernames for the AWS setup, not an actual user on the system. But because we have credentials, because we have passwords, that's still, like, something we can keep in mind and use later. Which one did I copy? Did I copy the welcome and use the wrong password? This needs to be cloudadmin if I were to try that. I don't think any of these will actually work. sysadm, sysadmin likely. Let's try that. But I don't know; too easy for us. Yeah, that would just be too easy. So what else can we do here? Um, what else can we do? That link that we saw on this page was referring to s3.bucket.htb and it had adserver in there. Dope. Malware, yeah, that's the picture. That's what malware really looks like. I don't know if you guys know, but, like, if you've ever held up a magnifying glass to your computer and you saw red bugs, that's when you know you have malware. Take it from me. Um, S3 buckets, is there a way, like, are there other S3 buckets? AWS CLI enumerate S3 buckets. What you got, Uncle Google? List buckets: s3api list-buckets. Does it need that endpoint URL again? --endpoint-url http://bucket... no, s3.bucket.htb, s3.bucket.htb. Oh. Oh, that is a thing: adserver, which is kind of what we saw. Can I do anything else with that? help command. Available commands: copy-object, create-bucket, there's a lot in here. Can I, like, can I legit copy stuff, though? Or upload things? Delete objects. Yo, let's try it. Can I list anything out of adserver? No. And aws... oh, aws package, aws help. What else is in here for S3 buckets? Oh, there's just, like, its own s3 thing. So using a subcommand, s3, in aws. Can I get help on that? This section explains prominent concepts and notations and the set of high-level s3 commands. We just used s3api as a subcommand.
There's also an S3 URI. Oh, single local file and S3 object operations. Some commands perform operations only on single files and S3 objects, the following commands... Okay, so maybe we can use, like, regular cp, mv and rm to delete stuff. Is there, like a... oh, is there an ls command? Some commands only perform operations on the contents of a public directory. So if I were to use aws s3 with this endpoint URL of s3.bucket.htb, ls, it gives me adserver. Can I ls adserver? I can. And it has, like, a website structure: images, image... oh, sorry, need a slash after that. Okay, these are the same images that we just saw on the web page. So this must be a bucket, like, for the website. Can we legitimately put stuff there, though? Like, let's make a dummy text file and let's try and cp that hello.txt to adserver/images. Local path, S3 URI. What is an S3 URI? This is just me. This is just a showcase of me being stupid and not understanding it. Amazon S3, I don't honestly use it all that much. What is an S3 URL? Yeah. What's an S3 URI? How to access an S3 bucket when presented with the URL like this. Is there, like, an S3 schema? Like, I need to have a prefix for s3://. I guess so. Um, did that just straight put it on the website? hello.txt. It's not there. Is it there? Images, what about the home? It's not there. It just uploaded it. Wait, wait, wait, wait. No, I put it in images. I put it in images. Images. It's there. What is this voodoo magic? What is this dark magic that's happening? Uh, is it just gonna end up, like, deleting it, every, like, after a couple of seconds? Now we stay put, now we sit pretty. Did it display earlier in the images output and I just, like, didn't see it for some reason? Whatever. Can I reach that on the website? Oh, okay.
I hit Ctrl+Shift+R to get, like, a cache refresh and that got it. It's still alive and kicking, so if this is a web server, can we take advantage of this to, like, get code execution or something? Um, part of me wonders if this is gonna end up running PHP code. Um, the file is an index.html, though. Oh, jeez, I'm way too zoomed in. So if I were to, like, view the Network tab, we could try, kind of as we just did, checking if index.php would return something, or if we'd actually get a response if, like, the home page redirects to a .php file extension. We can also check out, in the Network tab in our developer tools, if there are any, like, headers that might tell us, hey, the server is powered by PHP or something. We might be able to get a better idea, but I don't see anything that tells me, like, hey, this is PHP version 7.million. I mean, we could try; it's worth a try, I do say. Try everything. Um, so I have a PHP reverse shell, the one that you can get from, like, pentestmonkey. So pentestmonkey, rest in peace, I don't know if their website's still hurting or not. You have all this code that does a decent job of actually getting a proper PHP reverse shell. So let's try that. I'll copy that over here, and what's my IP address, by the way? I'm .14.3. Okay. So let's modify this PHP reverse shell and we'll listen on, like, connect back to port 888 or something. Then let's get another listener ready. I'll use pwncat, because I tried to in the older, in the previous video for Hack The Box and absolutely failed because I didn't have it fully installed, and I was like, uh, it's too late in the video, I'm not going to bother with this.
So I just bailed on it and looked like an idiot. Now it should be installed. Oh, I need an extra eight, my bad. Okay, so pwncat's gonna do its thing, cool cool cool, and we have our PHP reverse shell that should be modified and set up. So let's go ahead and try and upload this. I'll use that cp command one more time and php-reverse-shell.php to s3. So we have the S3 URI, adserver, and we'll call it, like, rev.php. Okay, so that should be uploaded. Now let's ls that, and rev.php is a thing; it exists. So if I were to go to rev.php, will it call back? No. What the heck, did it delete it already? No, it's still there. What are you doing? Can I, like, curl this down? What if I curl it? I guess I don't need that s3 prefix. Give me rev.php. What? You literally exist, you do, I know you do. What if I go strictly to adserver? That's the contents of the file. Can you execute it, please? No, no, no. Maybe going strictly to s3 isn't right. What did I do? Okay. So s3, the bucket itself, when we go to that s3. subdomain prefix, that's not going to end up actually evaluating or executing the PHP code, but running on the actual website, bucket.htb, it will. I guess it just took a little bit to get there. So we've got pwncat set up, we got our reverse shell connection. Our prompt is super wonky, so I'm just going to run bash to clean that up and I'll hit Ctrl+D to restore back to my regular display. There we go. All right. We're www-data. Let's see what we got here. roy has a home directory. Let's tackle a... oh, roy has the user.txt, but we can't read it because we're www-data and it's only owned by him. So is he the only user? cat /etc/passwd. Yeah, he's the only one with a UID of a thousand or greater, it looks like. Yes. So what can we do? We can try and run LinPEAS, right? Um, let's get over to /dev/shm. I'm gonna go ahead and upload /opt...
I think it's osep linpeas.sh. OSEP LinPEAS is literally just LinPEAS, but it has the section of, like, checking internet connectivity nerfed out, because I know this Hack The Box thing won't actually work. Why does that... why does it not get there? Is it not on this machine? osep... do I have LinPEAS? What? What happened? All right, let's go and get LinPEAS. Save that in /opt. Let me, um, actually modify that so that the internet access portion, we will go ahead and nerf out internet access. Yeah, it tries these check-TCP things. Pretty sure that's all that needs to die. Let's find out. I'm gonna hit Ctrl+F for internet just a little bit more. Yeah, that's the thing that actually runs it, and you could of course turn that off, like, with some configuration stuff, but internet functions, yeah, it tries all those things, but those are just defining the functions. We can just nerf that out and not do it. So now, back to pwncat. Let's actually upload /opt/linpeas. Sorry, this takes a little bit to, like, realize that it finished. I'm honestly not positive why, because it brings itself to a hundred percent. If I Ctrl+C... did I lose my shell? Fudge, fudge. I said fudge, guys. Is it still alive? No, it's not. I want the cp command to copy it. Curl it down. There we go. Okay, let's run bash. Let's get to /dev/shm because it should have uploaded, like, it's here. Let me reset this so I have our pretty colors. Um, let's mark that as executable. Go ahead and run it. I'm gonna tee that out so I can save the output, just in case. Uh, and let's... are you kidding? Text file busy. Does that mean, like, it's still uploading, or, like, there's a handle on it still? Can I kill the thing? Yeah. If this fails again, then we can stop, because we don't need to be bouncing around wasting our time on this. We can do our own manual enumeration if LinPEAS doesn't kind of come through for us. WTF. Who wrote this thing?
Caleb and I are still kind of kicking around ideas for it, but, uh, I'm done with that. Upload, please. Give me a callback. Sit here for a while. Okay. Sorry, I know that was agonizing and painful. Let's just do our own stinking enumeration. Um, ps, ps aux, what's going on? I recently learned that ps faux does a really cool job, or f-a-u-x. Let me sync the terminal size and then I'll run ps faux. So that LinPEAS upload process is still happening. Something weird is going on. Maybe, like, dd, I don't know. I don't know what command might be doing weirdness, but docker-proxy is kind of in and out, some, uh, Java thing happening. That's kind of it. Are there any local services that might be available? I'll do some netstat -peanut. Yeah, what is listening? I guess -lnap is kind of what I need to look at, or something like that, for listening. Listening, listening: 8888 is me, 8000 is weird. Or might that be whatever we just... We have passwords, like, maybe we should try this. Let's just try if we can get into roy with some of these passwords. I should have done that significantly earlier. I'm sorry. su roy. That looked like it failed. What about you? Oh, okay. Now we are roy. So we can go get that user.txt flag. Dunzo, okay. Maybe go ahead and upload that, paste that in, submit it, get it on the site, get the points. What else do we have? We have a project directory; this looks like code for something. These are, like, libraries for the vendor package. This is, like, an npm thing, this is, like, a Node thing, I might be totally wrong. But what's going on with the website? Is there other stuff that, like, we're not seeing? html, is it the very, very same? That doesn't have the images folder, though. That's the same web page; you can see the HTML there, but it doesn't have the images, so that must be stored in the bucket. bucket-app, that has a PHP file, though. Little what? Uh, a .jar, like a Java file. What is in files? Nothing, okay. Excellent, more vendor folders. What's in this index.php?
Is this the very, very same? Wait. No, this is... there's PHP code in this. Okay. Yo, uh, let's actually make this readable, shall we? Let's bring it over to Sublime Text and see what we're looking at here. So we load in something. Am I missing a portion of this? Like, they just go ahead and make a connection. Wait, I was missing a portion of that. What's happening? Uh, maybe pwncat screwed me over, as it does. Yeah. Here we go. This is the full thing. It was hiding some portions of the code, probably because the terminal size wasn't synced and it was being weird in less; it might have hid some... Uh, anyway. We require vendor/autoload, we use the DynamoDB client library, and we check if we have a POST method. The indentation was weird on the other one, so this makes much more sense, and that's in an actual if statement, like, and the logic kind of flows. Uh, so if a POST method is supplied with the action variable, or the action parameter, being set to get_alerts, then we go ahead and connect to the DynamoDB and we do a scan, kind of like we did earlier, checking out the alerts table. But there is no alerts table; we only saw users when we looked at that earlier. Uh, FilterExpression title, ExpressionAttributeValues title, and then foreach iterator as item, it creates... oh, files, for, like, the other thing that it finds. So it's, like, putting the data of the item into a file. Oh, it uses passthru. Okay, and that can be a dangerous function call, because it's going to run actual system commands. It uses java to, oh, call that JAR file, pd4ml_demo.jar. What is pd4ml_demo.jar? Pd4Cmd, what is that? Quick Google. Oh, it's an HTML-to-PDF command-line tool. Okay. File /var/www/bucket-app/files/, name, and that variable, something. Can we control that variable? Can we get, like, command injection in there, code injection? No, it's a random .html.
There's totally no way we could get a hold of that. So is this even useful for us? It's weird to me that it does this. It's weird to me that it just creates PDFs for the ransom... these must be the alerts, right, that the web page was talking about, kind of at the beginning, when we took a look at it. But there is no alerts table. There isn't one. Can we just, like, create one? We had that in the documentation, working with tables. You can create a table. We need the table name, primary key and stuff, attribute definitions and key schema. What is the provisioned table, creating an on-demand table? What does that mean? Wasn't there an example, like, right at the very, very start of just creating a table super simply? I mean, I know I just looked at one, but okay. Let's go in our README and mess with that. Let's see if we can actually create a table. We know that it should be called alerts, so rather than Music we'll call it alerts, um, and title needs to be a value. Artist and SongTitle, key type, and range key type is hash. I was checking to see what syntax they use so I could kind of try and maybe make more sense of it, but I'm bad at everything. So let's try that. title, will that work? Wait a second. We needed to have the data value in there as well, right? Because it would read data from the item that we returned. I was about to drive down that road and I think I could have messed it up. Let's use data. Let's try that. Read capacity units, right? See, the documentation used a different one when it was creating it just earlier, like they used 10 and 5, so my smooth brain will just try that and see if we get anywhere. Um, I'm gonna use the AWS command line again. Never occurred... Oh, it needs to know where it's going. It needs that, it needs the endpoint URL again: --endpoint-url http://s3.bucket.htb. Yeah, yeah, yeah. Will that work? No hash key not specified in address... How do they do it here? KeyType HASH. Isn't this the very same? alerts. Oh, did I not have it copied properly?
title, data, 5, 10, add in the endpoint URL, please. This is the real fail that it takes. Yeah, yeah, yeah. Okay. That created things. Now, when I listed tables earlier, how did we do that? I think it was just list-tables, wasn't it? It was. Let's do that, list-tables. Grab that syntax, pass it in, list-tables, with an s, plural, English. We got alerts. Okay, great. Um, now what do we do? The PHP script would read something out of this table, scanning for elements, or items, in there. Oh, and the title has to match ransomware. Okay. And then it will put it in files. How is this running? Is this running, like, as root? Is this bucket-app gonna end up being something that actually runs as root? I mean, maybe root is the one that's kind of using DynamoDB Local, so probably. Yeah, yeah, Apache is running as root. Maybe PHP is going to be pushed in there just as well. Maybe the bucket-app might be. So let's just see what we do. Um, we need to put an item in here. Working with items. put-item creates an item. Let's try that. put-item, update-item. No, no, no, no, there's got to be more. Example put-item. All they did was... oh, they can be stored in a JSON file. Is that it? Should I just create a JSON file like that? Let's create an item.json, and then the title, we know, needs to be ransomware, and the data... oh, I killed the last curly brace. Data can be HTML, right? Because that PDF command thing: head, end head, body, html. Let's just work. Let's try now. In our README, let's kind of keep track of the syntax to put that item, alerts. I think that should be okay. Let's find out. Error: record... security token. We need to add the stinking URL. Every time I forget that endpoint URL. http://... I'm too lazy to type at this point, running on empty. Sorry, frantic alt-tab. Error: cannot do operations on a non-existent table. We just created that. We just created alerts. We literally just listed them. What the heck? It keeps deleting my stuff. I don't like it. Let's put this here. Good, okay. We could scan earlier, couldn't we?
Yeah. Yeah. So let's verify that it exists. Being quick, moving real quick before it deletes everything, please. Ah. Okay. It seemingly exists. But now I need to get it with curl, because it needs to have a GET request or a POST request. So how does this... what does this load? I'm just staging commands so I can have them nice and easy. bucket.htb, -X POST, is that right? Yeah, I mean, that's how I make a POST request. But I don't know if that would be s3.bucket... or, that's kind of coming in externally, though, and none of those seem to have an index.php to it. Is that something that I can just reach, like, locally on the target? Because we saw that... is that the port 8000? I think it is. localhost, port 8000, port 8000. Yeah, yeah, yeah, yeah. PHP is not going to be present, because it's going to evaluate it. But once that's set up, we can curl data with that action being get_alerts on localhost:8000 on the target, right? So do I still have... nope, okay. Let's leave it to the table. So let's kind of stage this and be quick. We can script this if we really wanted to. Let me actually do that. I'll remove all these so it's going to be one big, quick dump of stuff: create the table, create the thing, scan to make sure it's there, now curl it down. Looked like it would have responded. Maybe I have to go check in files now. Did I do it wrong? action=get_alerts. passthru, it would run it. The title is ransomware; we saw that when we pulled it down. Deleted already? Is it, like, that fast? It exists. Am I not calling it? Maybe I wasn't calling it. Dammit. I'm sorry. You were probably screaming at your screen: John, what the hell, I'm dumb. That would work. Oh. It deleted all its stinking stuff already. So we have to be quick, we have to be super quick. Can we, like, copy this thing over when it's created? Maybe that's it. Let's go into CTF, hackthebox, YouTube, Bucket, and let's stage an scp command or something, because we know that's the password for roy, right?
So we should be able to log in, I'm pretty sure. We don't even need to be in pwncat anymore at this point. SCP... can I use sshpass for that? I don't even have sshpass installed, so you have to install sshpass. Let's go. Now let's SSH to bucket.htb, just as a sanity check. Yep, okay, that works. sshpass -p, scp, /var/www/bucket-app/files/report.pdf, bring it here. And it doesn't exist, good, because we need to do all those commands again. Did it delete already? No. bucket-app... why is that not working? Oh, it's result.pdf. Dang it. One more, quick on the trigger, that's all. Let's curl that down, let's pull that down. There we go, alright, we have result.pdf. Finally. Please, sub in the mix, can you display that? Can you see it? Thanks, I really appreciate that. Can we get anything else from this now? Can I load data, maybe even this item? Can we do an iframe, an iframe to try and load a local resource or something? Let's try and get /etc/passwd. Oh shoot, I might need to escape these. Yeah, let's just use that. Let's see if that will work. Grab the big long syntax one last time, and we could totally script this. I probably really should, I know you guys are upset at me. Let's pull it down. Work? Yes! Okay. Shoot, I should have tested, like, /etc/shadow to see if we actually have the read permission. So let's do that, let's do that real quick. I'm sure it's deleted it by now, so I don't have a whole lot of issues running this all again: curling it in, activating it so it creates the file, sshpass downloading it down, viewing the results. We have an /etc/shadow. Dope, alright. We've got root permissions, and we could try and crack these passwords. I don't know how likely that is. Let's see if SSH is actually set up with a private key for root. So let's go to /root/.ssh/id_rsa, because we know that SSH is enabled, then. Hey, there's an option, there's a potential, maybe. Did I lose my readme? Where did it go? I feel like I might have lost my readme. Did I, like, close it or something stupid?
So if SSH is enabled, which it is, there's maybe hope that... Table already is created. Alright, curl it down. Wait, wait, wait, wait, save this rendition. Anyway. Now it's cleared stuff. Let's try it again. Run curl, please. Cool, copy it down. Get the result, view it. Nice, got a private key. Problem is we don't exactly have newline characters, do we? I mean, yeah, that'll work. Let's save that for root_idrsa. Let's see if we can log in as root. Let's ssh -i id_rsa. We should probably chmod 600 on that, so we don't have the permissions whine at us, and then let's do that: root@bucket.htb. Nice, awesome! Holy cow, that took way too long. That was fun, that was really cool. That was a good one. Nice to get a little bit of exposure with AWS and S3 buckets, because I genuinely don't do that stuff, and kind of cool to analyze some of that PHP code and kind of mess with our minds with that for a little bit. And it's also a really neat trick to just be able to load in files with, like, an iframe source. It's like local file inclusion in a really weird way. But wow, that was fun. That's that. I've been yapping for a decent amount of time, but that was really slick, and maybe you saw some neat tricks, whether it's just nerfing out the internet requests and Limpies or kind of fumbling around with AWS syntax. I would like to kind of formalize this and actually get maybe some, like, here's a reference of the commands that we ran to enumerate out and do specific things with the S3 bucket or with the DynamoDB database, NoSQL and data enumeration. Obviously I was just taking scrappy notes in my readme.md file in Sublime Text, but maybe something in, like, Obsidian or Joplin or CherryTree or whatever, Cherry-note or whatever, Evernote, OneNote... however you like to take your notes. There's a lot to learn from this one, and maybe keep building out your catalog of stuff as you progress through more Hack The Box machines and stuff like this. So I think that's it.
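The iframe trick above only worked because the alerts app took HTML straight out of the table and handed it to an HTML-to-PDF renderer that was happy to fetch local files. As an added example (mine, not code from the video or from the box), here is a small Python audit a defender would run on that `data` field before rendering: it refuses iframes and similar embedding tags, and refuses any fetched resource whose scheme is not http or https. The tag and attribute lists are my choices, not anything from the Bucket app.

```python
"""Audit untrusted alert HTML before it reaches a server-side PDF renderer.

Added example, not from the video: the Bucket app rendered the `data`
field of a DynamoDB item to result.pdf, so an <iframe src="file:///...">
in that HTML pulled a local file into the PDF. Walk the HTML and
collect every construct that would make the renderer load something
from anywhere other than http/https.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that embed or execute content and never belong in an alert body
# (list chosen for this example).
FORBIDDEN_TAGS = {"iframe", "frame", "object", "embed", "script", "link", "base"}
# Attributes through which a renderer fetches a resource.
URL_ATTRS = {"src", "href", "data", "background", "poster"}
ALLOWED_SCHEMES = {"http", "https"}


class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in FORBIDDEN_TAGS:
            self.problems.append(f"<{tag}> not allowed")
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = urlparse(value.strip()).scheme.lower()
                # A relative URL (empty scheme) resolves against the
                # renderer's base, which may be the local filesystem,
                # so it is refused along with file:, javascript:, etc.
                if scheme not in ALLOWED_SCHEMES:
                    self.problems.append(
                        f"<{tag} {name}={value!r}> scheme {scheme!r} refused")
            if name.startswith("on"):
                self.problems.append(f"<{tag} {name}> event handler refused")


def audit_alert_html(html: str) -> list:
    """Return the list of findings; an empty list means the HTML may be rendered."""
    auditor = _Auditor()
    auditor.feed(html)
    auditor.close()
    return auditor.problems
```

Wire this in front of the render call and drop the item (or render a fixed error page) whenever the list is non-empty.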
I think that's all I want to showcase. I think we've done the machine, we've done the box, and we got root. So that's the end of the video. Thanks for sticking with me. I know this one was a little bit more bouncy and crazy and off the wall, as I tend to do sometimes, but I really appreciate you tuning in. I really hope this was kind of a fun, entertaining video and still a little bit of education mixed in there with some good learning. Thanks so much for watching, everybody. If you like this video and you'd like to see some of the others that I do, please do the YouTube algorithm things: I'd love it if you could like the video, leave a comment, let me know what you think. Did I go crazy in this a little much more than I needed to? How did you solve this machine? And please do subscribe. Thanks so much, everybody. I don't know how else to finish this outro, so I'm not going to. I love you, I'll see you in the next one.