Three (Tier 1)
Description
Tier -> 1
Difficult -> Very Easy
OS -> Linux
Tags -> Cloud / Custom Applications / AWS / Reconnaissance / Web Site Structure Discovery / Bucket Enumeration / Arbitrary File Upload / Anonymous-Guest Access
Write-up
I started doing an initial scan using Nmap
With this, I answered the first question
Answer: 2
Then I did an exhaustive scan to know more about the services running on the open ports
As I found the HTTP protocol running on port 80, I went to the browser to check the deployed content. I found what seemed to be a contact page for a band. Navigating through the site, I didn't find anything relevant apart from an email in the Contact section with a curious domain
To learn more about the HTTP protocol, you can go here
With this and a little research, I answered the next questions
Answer: thetoppers.htb
Answer: /etc/hosts
As this domain could be relevant, I added it to the known hosts by editing the /etc/hosts file. Not getting anything relevant from the web page, I tried using the Gobuster tool to fuzz the page and find any possible hidden routes. In this case, I enumerated the found domain to check if there were any related subdomains. With that, I found the subdomain s3.thetoppers.htb existed, and with a little research, I learned it was related to a cloud database on the Amazon servers
With this information and a little research about Amazon services, I answered the next questions
Answer: s3.thetoppers.htb
Answer: Amazon S3
Answer: awscli
Answer: aws configure
Answer: aws s3 ls
I also added the discovered subdomain to the known hosts to work properly with it
So knowing this was an AWS service, I tried to connect to it using the awscli utility. First, I configured the tool, in this case, indicating a temporary connection with the temp value. With this done, I tried to list the S3 instances and found one named thetoppers.htb. Then I listed the elements inside it and found an index.php file, which could be the source code of the web page
With this, I answered the next question
Answer: PHP
Then, as I had a connection to the S3 instance, I tried to upload a custom file to the bucket in an attempt to gain RCE. To do so, I created a Shell.php file with a proper payload to spawn a shell on the machine and execute a command. Then I uploaded it and checked if it had worked by listing the contents of the bucket again
After that, I accessed the bucket direction from the browser and tried to send a command using the cmd parameter as set on the payload. I saw the server executed it properly and confirmed I have gained RCE
With this, I could explore the filesystem arbitrarily. After some searching, I decided to check the /var/www folder, which is usually the default for the server files, and there I found a flag.txt file. Finally, retrieved the content of the file and got the flag
With this, I got the root flag and pwned the machine
Answer: a980d99281a28d638ac68b9bf9453c2b
Alternative Reverse Shell
Instead of abusing the RCE directly on the browser, I tried to get a Reverse Shell on the machine
First, I created a simple bash script to send the shell connection to my machine
Then I established a Netcat listener on the arbitrary port chosen above
After this, in another terminal, I established an HTTP server in the same folder where the shell.sh script was using Python, and setting another arbitrary port for the server
I used the RCE to send the shell from the target to my machine using the
curlcommand. I observed the page remained loading, and checking the Python server received the petition
Finally, I checked the Netcat listener and saw that I had gained the target shell. With that, I could interact with the system more comfortably
Last updated