Three (Tier 1)
Tier -> 1
Difficult -> Very Easy
OS -> Linux
Tags -> Cloud / Custom Applications / AWS / Reconnaissance / Web Site Structure Discovery / Bucket Enumeration / Arbitrary File Upload / Anonymous-Guest Access
With this, I answered the first question
Answer: 2
Then I did an exhaustive scan to know more about the services running on the open ports
As I found the HTTP protocol running on port 80, I went to the browser to check the deployed content. I found what seemed to be a contact page for a band. Navigating through the site, I didn't find anything relevant apart from an email address in the Contact section whose domain caught my attention
With this and a little research, I answered the next questions
Answer: thetoppers.htb
Answer: /etc/hosts
With this information and a little research about Amazon services, I answered the next questions
Answer: s3.thetoppers.htb
Answer: Amazon S3
Answer: awscli
Answer: aws configure
Answer: aws s3 ls
I also added the discovered subdomain to /etc/hosts so I could work with it properly
With this, I answered the next question
Answer: PHP
Then, as I had a connection to the S3 bucket, I tried to upload a custom file to it in an attempt to gain RCE. To do so, I created a Shell.php file with a payload that spawns a shell on the machine and reads a command from a request parameter. Then I uploaded it and checked whether it had worked by listing the contents of the bucket again
After that, I opened the uploaded file through the bucket's web address in the browser and tried to send a command using the cmd parameter defined in the payload. I saw that the server executed it, which confirmed I had gained RCE
With this, I could explore the filesystem arbitrarily. After some searching, I decided to check the /var/www folder, which is usually the default location for the server files, and there I found a flag.txt file. Finally, I retrieved the content of the file and got the flag
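The foothold here is a bucket that lets anonymous callers both list and upload. As an added example (not part of this writeup) the following audit models the AWS-side control that prevents it: it reads a bucket ACL in the shape boto3's `get_bucket_acl()` returns, together with the bucket's `PublicAccessBlockConfiguration` dict (or `{}` when none is set), and reports any grant to the AWS-wide groups; the sample ACL is constructed to mirror the state exploited above.

```python
"""Flag S3 bucket ACL grants that give anonymous list or write access.

Added example, not part of the writeup. `acl` follows boto3's get_bucket_acl()
output; `pab` is the PublicAccessBlockConfiguration dict, or {} if unset.
"""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# What each ACL permission lets such a group do (the writeup relied on READ to
# list the bucket and WRITE to drop a PHP file into it).
RISK = {
    "READ": "list objects",
    "WRITE": "upload, overwrite or delete objects",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write and change the ACL",
}


def public_grants(acl):
    """Return (group, permission) for every risky grant to an AWS-wide group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # owner / canonical-user grants are expected
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group and grant.get("Permission") in RISK:
            found.append((group, grant["Permission"]))
    return found


def audit_bucket(name, acl, pab):
    """Return findings as strings; empty means no anonymous access via the ACL."""
    # IgnorePublicAcls makes S3 disregard public grants, so nothing to report.
    if pab.get("IgnorePublicAcls", False):
        return []
    findings = [f"{name}: {g} may {RISK[p]} ({p})" for g, p in public_grants(acl)]
    if findings and not pab.get("BlockPublicAcls", False):
        findings.append(f"{name}: no Public Access Block; set IgnorePublicAcls "
                        "and BlockPublicAcls to neutralise these grants")
    return findings


# Constructed sample: the state the writeup exploited (owner id is a placeholder).
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
NO_PAB = {}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

On a live account the same two dicts come from `get_bucket_acl(Bucket=...)` and `get_public_access_block(Bucket=...)["PublicAccessBlockConfiguration"]`; the latter raises when no block is configured, which is the `{}` case here.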
With this, I got the root flag and pwned the machine
Answer: a980d99281a28d638ac68b9bf9453c2b
Instead of using the RCE directly from the browser, I tried to get a reverse shell on the machine
First, I created a simple bash script to send the shell connection to my machine
After this, in another terminal, I started an HTTP server using Python in the same folder as the shell.sh file, on another arbitrary port
I used the RCE to fetch the shell script from my machine and run it on the target with the curl command. I observed that the page kept loading, and checking the Python server confirmed it had received the request
Finally, I checked the Netcat listener and saw that I had gained a shell from the machine. With that, I could interact with the system more comfortably
I started doing an initial scan using
To learn more about the HTTP protocol you can go
As this domain could be relevant, I added it to the known hosts by editing the /etc/hosts file. Not getting anything relevant from the web page, I tried using the tool to fuzz the page and find any possible hidden routes. In this case, I enumerated the found domain to check if there were any related subdomains. With that, I found the subdomain s3.thetoppers.htb existed, and with a little research, I learned it was related to a cloud database on the Amazon servers
So, knowing this was an Amazon S3 service, I tried to connect to it using the awscli utility. First, I configured the tool, in this case with the placeholder value temp. With this done, I tried to list the S3 buckets and found one named thetoppers.htb. Then I listed the objects inside it and found an index.php file, which could be the source code of the web page
Then I established a listener on the arbitrary port chosen above