Hack The Box Writeup:Three(Very Easy)
By:Codepontiff
Three is Tier 1 at HackTheBox Starting Point, it’s tagged by Cloud, Custom, Applications, AWS, AWS Reconnaissance, Web Site Structure Discovery, Bucket Enumeration, Arbitrary File Upload, Anonymous/Guest Access
1.Connect your HTB machine with openvpn and spawn the machine
2.Firstly if you put the ip and the website is refused then you need to connect to DNS manualy by editing /etc/hosts the add the new lines, i’m using nano text editor to edit the /etc/hosts file
3. Task 1:
How many TCP ports are open ?
using nmap scan with nmap -sS -Pn -sV <ip>
- -sS syn stealth scan
- -Pn refuse hosts discovery focus on port discovery
- -sV software version of service that run on the target
the result show us the 2 tcp is open :
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu)))
Answer:
24. Task 2:
What is the domain of the email address provided in the “Contact” section of the website ?
open the site and then scroll then you will get the email section, thetoppers.htb should be the domain name of the email
Answer:
thetoppers.htb5.Task 3:
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames ?
you can googling little bit /etc/hosts is the file to resolve hostnames to IP addresses
Answer:
/etc/hosts6. Task 4
Which sub-domain is discovered during further enumeration ?
by using gobuster,ffuf or wfuzz you can find the the subdomain
using gobuster by this command
gobuster vhost -u http://thetoppers.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
- -vhosts Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
- -w wordlists path
using ffuf you will need this command
ffuf -u http://FUZZ.thetoppers.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Answer:
s3.thetoppers.htb7. Task 5
Which service is running on the discovered sub-domain ?
from googling it said amazon s3 the service that run in the discovered sub-domain
Answer:
Amazon s38.Task 6
Which command line utility can be used to interact with the service running on the discovered sub-domain ?
googling again and google said aws cli
Answer:
aws cli9. Task 7
Which command is used to set up the AWS CLI installation ?
Answer:
aws configure10. Task 8
What is the command used by the above utility to list all of the S3 buckets ?
Answer:
aws s3 ls 11. Task 9
This server is configured to run files written in what web scripting language ?
using this command:
aws s3 ls — endpoint-url=http://s3.thetoppers.htb s3://thetoppers.htb
you can find the file lists
PHP12. Submit Flag
Submit root flag
you can upload shell into the amazon target and the download using netcat