Bucket
Overview
Bucket is a medium Linux box running a web application fronted by a locally hosted S3-compatible object store. The bucket endpoint accepts unauthenticated PUT requests, making it possible to upload a PHP web shell directly into the web root. Accessing the shell through the web application then yields remote code execution.
Path: unauthenticated S3 bucket PUT → PHP web shell upload → RCE.
Enumeration
The target runs a web server.

Closer inspection of the application reveals it is backed by an S3-compatible object store running locally.


Foothold — PHP Web Shell via Unauthenticated S3 Upload
The S3 bucket endpoint does not require authentication for PUT requests, so arbitrary files can be uploaded directly.

Uploading a PHP web shell to the bucket places it in the web-accessible path. Sending a request to the uploaded file through the web server triggers execution.

With command execution established as the web server user, standard post-exploitation enumeration leads to user and root flags.
Takeaways
- Locally exposed S3-compatible endpoints with no access controls are a common misconfiguration in development and CTF environments; unauthenticated PUT access to a web-backed bucket is equivalent to arbitrary file upload on the web server.
- Pairing an open bucket with a PHP-serving web root is an immediate RCE primitive — no credentials or exploitation required.
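
A defender-side check for the misconfiguration described in the takeaways, as an added example that is not part of the original write-up: it audits an AWS-style bucket policy document for Allow statements that let any caller PutObject. It assumes the object store expresses access control as standard S3 bucket policy JSON; the bucket name, account ID and policy below are constructed sample data, not values from the box.

```python
import json
import re

WRITE_ACTION = "s3:PutObject"  # the action that lets a client upload an object

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive and support * and ? wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} (also as a list) means any caller, signed or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def anonymous_put_findings(policy_json):
    """Return (sid, resource, conditional) per Allow statement that lets anyone PutObject."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if not any(_matches(p, WRITE_ACTION) for p in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            findings.append((stmt.get("Sid", f"statement[{i}]"), resource, "Condition" in stmt))
    return findings

# Constructed sample policy: public read is intended, public write is not.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-web/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-web/*"},
        {"Sid": "DeployOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-web/*"},
    ],
})

if __name__ == "__main__":
    for sid, resource, conditional in anonymous_put_findings(SAMPLE_POLICY):
        print(f"{sid}: anonymous PutObject on {resource}" + (" (conditional)" if conditional else ""))
```

Findings marked conditional still need manual review, since a Condition block may or may not restrict the caller in practice. Statements using NotPrincipal or NotAction are outside what this check covers.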