Three (Tier 1)
Description
Tier -> 1
Difficult -> Very Easy
OS -> Linux
Tags -> Cloud / Custom Applications / AWS / Reconnaissance / Web Site Structure Discovery / Bucket Enumeration / Arbitrary File Upload / Anonymous-Guest Access
Write-up
I started doing an initial scan using Nmap
With this, I answered the first question
Answer: 2
Then I did an exhaustive scan to know more about the services running on the open ports
As I found the HTTP protocol running on port 80, I went to the browser to check the deployed content. I found what seemed to be a contact page for a band. Navigating through the site, I didn't find anything relevant apart from an email in the Contact section with a curious domain
To learn more about the HTTP protocol, you can go here
With this and a little research, I answered the next questions
Answer: thetoppers.htb
Answer: /etc/hosts
As this domain could be relevant, I added it to the known hosts by editing the /etc/hosts file. Not getting anything relevant from the web page, I tried using the Gobuster tool to fuzz the page and find any possible hidden routes. In this case, I enumerated the found domain to check if there were any related subdomains. With that, I found the subdomain s3.thetoppers.htb existed, and with a little research, I learned it was related to a cloud database on the Amazon servers
With this information and a little research about Amazon services, I answered the next questions
Answer: s3.thetoppers.htb
Answer: Amazon S3
Answer: awscli
Answer: aws configure
Answer: aws s3 ls
I also added the discovered subdomain to the known hosts to work properly with it
So knowing this was an AWS service, I tried to connect to it using the awscli utility. First, I configured the tool, in this case, indicating a temporary connection with the temp value. With this done, I tried to list the S3 instances and found one named thetoppers.htb. Then I listed the elements inside it and found an index.php file, which could be the source code of the web page
The temp value is the default credentials for AWS connections if everything is avoided
With this, I answered the next question
Answer: PHP
Then, as I had a connection to the S3 instance, I tried to upload a custom file to the bucket in an attempt to gain RCE. To do so, I created a Shell.php file with a proper payload to spawn a shell on the machine and execute a command. Then I uploaded it and checked if it had worked by listing the contents of the bucket again
After that, I accessed the bucket direction from the browser and tried to send a command using the cmd parameter as set on the payload. I saw the server executed it properly and confirmed I have gained RCE
With this, I could explore the filesystem arbitrarily. After some searching, I decided to check the /var/www folder, which is usually the default for the server files, and there I found a flag.txt file. Finally, retrieved the content of the file and got the flag
With this, I got the root flag and pwned the machine
Answer: a980d99281a28d638ac68b9bf9453c2b
Alternative Reverse Shell
Instead of abusing the RCE directly on the browser, I tried to get a Reverse Shell on the machine
First, I created a simple bash script to send the shell connection to my machine
Then I established a Netcat listener on the arbitrary port chosen above
After this, in another terminal, I established an HTTP server in the same folder where the shell.sh script was using Python, and setting another arbitrary port for the server
I used the RCE to send the shell from the target to my machine using the
curlcommand. I observed the page remained loading, and checking the Python server received the petition
Finally, I checked the Netcat listener and saw that I had gained the target shell. With that, I could interact with the system more comfortably
Last updated