Myles Nieman
← All writeups

Bucket

Overview

Bucket is a medium Linux box running a web application fronted by a locally hosted S3-compatible object store. The bucket endpoint accepts unauthenticated PUT requests, making it possible to upload a PHP web shell directly into the web root. Accessing the shell through the web application then yields remote code execution.

Path: unauthenticated S3 bucket PUT → PHP web shell upload → RCE.

Enumeration

The target runs a web server:

Web application landing page on Bucket

Closer inspection of the application reveals it is backed by an S3-compatible object store running locally:

S3 bucket endpoint exposed alongside the web application

S3 bucket contents showing the web application’s assets

Foothold — PHP Web Shell via Unauthenticated S3 Upload

The S3 bucket endpoint does not require authentication for PUT requests, so arbitrary files can be uploaded directly:

S3 bucket listing confirms write access for unauthenticated uploads

Uploading a PHP web shell to the bucket places it in the web-accessible path. Sending a request to the uploaded file through the web server triggers execution:

PHP web shell uploaded to the S3 bucket and accessible via the web application

With command execution established as the web server user, standard post-exploitation enumeration leads to user and root flags.

Takeaways

  • Locally exposed S3-compatible endpoints with no access controls are a common misconfiguration in development and CTF environments; unauthenticated PUT access to a web-backed bucket is equivalent to arbitrary file upload on the web server.
  • Pairing an open bucket with a PHP-serving web root is an immediate RCE primitive — no credentials or exploitation required.