Official Bucket Discussion

Type your comment> @r0mar10 said:

You’re going the right way. Look for what you upload in a different place where things you upload belong and can serve the purpose.

Thanks, finally I’ve got user flag! Many thanks for the nudges. For me, the key point is to know the link between the main website and s*. Then you have all the ingredients to get the user flag. Now I’ll try the root stage, probably harder… :blush:

Hey all,
This is my first box (not so sure if it’s a wise choice haha), and I’m pretty stuck.
I found the s* service, I am able to upload files, and know how to access them from the main domain, but when I access them they’re not being executed. Also found the creds and the d******* s***.
Tried extra enum, reading through a**-c** docs and reading this discussion but no luck so far.
Any hints?
Thanks!

@aviv1993 said:

… and know how to access them from the main domain, but when I access them they’re not being executed…

I suppose the above assumption is wrong and you still need to find another place where execution is possible.

Rooted!!!
This box is about a part of *w* and It’s a very broad technology, so patience. If you don’t have previous experience, you will need to read articles and documentation about that.
It’s a fantastic box, pretty well designed. Thanks to @MrR3boot for this machine.

Rooted finally, Thx @MrR3boot, it’s a fun box, learned many things.
Some tips:
1.Read the doc
2.Enum
3.Read the doc…

If you set the SUID bit on binaries please cleanup after yourself, it ruins the box when the foothold becomes a root shell automatically.

Hi, I just found an open writeup for Bucket without password, where can I report it?

Finally, after about 2 days.

  1. Got stuck with foothold. There are some great hints here that helped me, in particular, the importance of RTFM, which can help you flag a way in.

  2. User was pretty straight forward. Nothing to add here that wasn’t mentioned.

  3. Root… This was tricky. Other than what was already mentioned, I must warn you to use other Search engines. I had a good idea of what to use, but I use Duck-Duck-Go. It’s usually pretty reliable, but it didn’t bring any interesting results. So, I had dismissed my idea for a while. Then, I decided to try Google and a good answer appeared, then it was just a matter of finding the keys to the kingdom.

Nevertheless, I am not sure if I got the best way in. I assumed quite a bit of misconfiguration for a standard service and it paid out. Others mentioned it was close to a real life exercise, and I don’t want to believe people still do that.

(I hope there’s not much spoiling here).

I have a script for root which seems like it should work but keep getting a 404 - would appreciate if anyone could DM to find out whats going wrong :slight_smile:

Far out this ones been a challenge haha. Just got user.

For foothold: Once you’ve found the interesting stuff it truly its just a matter of finding the right commands to get what you want up there in a place you can execute it(from a__ c__, NOT D____o S___l) and just spamming.

For User: If you’re at this point you’ve played around with the D____o S___l enough to have found something interesting, see whos around and see which one opens the gate

I’ve never had any experience with s3 so spent a lot of time chasing my tail trying to g_n cr_ds when I didn’t need to, just needed the right sequence of commands. Onto root…

Finally rooted: This was a hard box. Hint: 8000 is the local one you want

The user flag is easy, as long as you can find a way to upload file to the website, you can get the user flag. But root flag is harder, spent some time to find the hint. The system reset is also very annoy, it took me awhile to realize it is not my script has problem, but just some system reset going on. But this is the first time I used axx api.

That was a weird box, enjoyable because I had no experience with this service before but I can’t get over why my files right after upload was there and sometimes wasn’t I feel like timing was so tight at first I thought it is rabbit hole. And after a while it just worked. But overall it was nice break from gitlab boxes. Would hack again!

Rooted.

Fun box even though I faced a bit of problems with the user (which IMO was harder than root, but maybe I was just lucky).

Tips:

  • Foothold: Enumerate and read the docs.
  • User: Did you find anything interesting during enumeration, something you didn’t know what to do with thus far?
  • Root: Good google search and basic code knowledge will help you a lot here, alternatively - RTFM.

Overall - RTFM basically

I am really confused about this one. I get server not found if i go to bucket.htb. Ran nmap so I pretty sure I am in the right spot. Is there an issue with the box or is the server not found part of the game this time around? I can get to other machines so I know it’s not a vpn issue. I also clicked the reset button on the box just in case.

@MaximumBob said:

I am really confused about this one. I get server not found if i go to bucket.htb.

Have you set it up in your hosts file?

Ran nmap so I pretty sure I am in the right spot.

Are you running nmap against the IP or domain name?

@TazWake wow i just found a typo i my hosts file. I doubled checked when you asked. thx for the help. 2 weeks off and I haven’t had enough coffee yet to catch those mistakes.

@MaximumBob said:

@TazWake wow i just found a typo i my hosts file. I doubled checked when you asked. thx for the help. 2 weeks off and I haven’t had enough coffee yet to catch those mistakes.

No worries - glad it is resolved now.

Spoiler Removed

@pagal said:

Can some please help me getting error **Could not connect to the endpoint URL: ** while trying to get root flag ??

I don’t think you need that for the root flag.

Rooted nice Box :smile: :wink:

root@bucket:~# id
uid=0(root) gid=0(root) groups=0(root)

PM me if anyone need help