HTB Three Walkthrough

MEFIRE FILS ASSAN
4 min read · Dec 30, 2023


Three is an HTB machine from the Starting Point tier 1. In this short article, we explain the methods we used to capture the flags. While reading, note that the IP addresses of the target machine and of the attacker machine may differ from mine.

Task 1: How many TCP ports are open?

The easiest way is to run an nmap scan; the number of open TCP ports can be read directly from its output.

Task 2: What is the domain of the email address provided in the "Contact" section of the website?

The previous nmap scan shows that port 80 is open, which means a website is served at the target's address. Open the Contact page of the site and read the domain of the email address.

Task 3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

A quick search on Google or another search engine easily gives the answer to this question.

Task 4: Which subdomain is discovered during further enumeration?

To complete this task, we just have to use an enumeration tool such as amass, ffuf, wfuzz or gobuster. But first we add one line to our /etc/hosts file, mapping the target's IP to the hostname; then we are able to use these tools.
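To make the hosts-file step concrete, here is a small parser for the /etc/hosts format that shows how a name is turned into an address when no DNS server is available, plus an idempotent helper that produces the line this step needs. This is an added example, not code from the original article; the hosts content, the IP 10.129.0.1 and the hostnames are constructed samples.

```python
"""Added example (not from the original walkthrough): parse the /etc/hosts
format and add an entry idempotently. To apply it for real, read /etc/hosts,
pass the text through add_entry() and write the result back as root."""

# Constructed hosts-file content, including a comment line that must be ignored.
HOSTS_SAMPLE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 10.10.10.1 old.example   <- commented out, so it must not resolve
"""


def parse_hosts(text):
    """Return {hostname: ip}. The first mapping of a name wins, which is how
    the resolver's 'files' lookup behaves."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, text):
    """Look a hostname up in hosts-file text; None when it is not listed."""
    return parse_hosts(text).get(name.lower())


def add_entry(text, ip, names):
    """Append '<ip> <names...>' for the names that are not yet listed and
    return the new text. A name already bound to a different address is an
    error rather than silently overridden, because that hides mistakes."""
    table = parse_hosts(text)
    conflicts = [n for n in names if n.lower() in table and table[n.lower()] != ip]
    if conflicts:
        raise ValueError(f"already mapped to another address: {', '.join(conflicts)}")
    missing = [n for n in names if n.lower() not in table]
    if not missing:
        return text  # nothing to do: rerunning the step is safe
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {' '.join(missing)}\n"


if __name__ == "__main__":
    # Constructed target address and the two names used later in the box.
    updated = add_entry(HOSTS_SAMPLE, "10.129.0.1", ["thetoppers.htb", "s3.thetoppers.htb"])
    print(updated)
    print("s3.thetoppers.htb ->", resolve("s3.thetoppers.htb", updated))
```

Because the lookup is a plain first-match over the file, a stale line for the same hostname from an earlier box silently wins; the conflict check in add_entry() exists to surface exactly that case.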

Then we can use gobuster for subdomain enumeration.

Task 5: Which service is running on the discovered sub-domain?

A search about "s3" subdomains shows that it is the Amazon S3 service that runs there.

Task 6: Which command line utility can be used to interact with the service running on the discovered sub-domain?

Likewise, a quick Google search leads to awscli.

Task 7: Which command is used to set up the AWS CLI installation?

Just refer to the AWS CLI documentation: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-help.html

Task 8: What is the command used by the above utility to list all the S3 buckets?

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-help.html

Task 9: This server is configured to run files written in what web scripting language?

After reading the AWS CLI documentation carefully, we note that there is an ls command that lets us see the different buckets on the server. But first we have to configure credentials for aws.

Then we can use the ls command and see the main file extension.
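The fact that an anonymous caller can list (and, as the next task shows, write to) the bucket is a configuration weakness, and it is the kind of thing a bucket owner can check for offline. The following is an added example, not code from the article: it audits a bucket policy and a bucket ACL, in the JSON shapes that `aws s3api get-bucket-policy` (the Policy field) and `aws s3api get-bucket-acl` return, for grants that give everyone list or write access. The policy, ACL, bucket name and owner ID below are constructed samples.

```python
"""Added example (not from the original walkthrough): flag bucket-policy
statements and ACL grants that let anyone list or modify a bucket."""
import fnmatch
import json

# Actions an anonymous caller must not hold on a bucket that serves a site.
RISKY_ACTIONS = {
    "s3:ListBucket": "anonymous listing",
    "s3:PutObject": "anonymous upload",
    "s3:DeleteObject": "anonymous delete",
    "s3:PutObjectAcl": "anonymous ACL change",
}
# Predefined ACL groups meaning "everyone" / "anyone with any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_PERMISSION_RISK = {
    "READ": "anonymous listing",      # READ on a bucket lists its objects
    "WRITE": "anonymous upload",      # WRITE on a bucket creates/deletes objects
    "WRITE_ACP": "anonymous ACL change",
    "FULL_CONTROL": "anonymous full control",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}; both forms mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Findings from Allow statements granting risky actions to everyone.
    Action patterns are matched case-insensitively with IAM-style wildcards,
    so "s3:*" is reported once per risky action it covers."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, risk in RISKY_ACTIONS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append({"source": "policy", "grant": pattern, "risk": risk,
                                     "conditional": "Condition" in stmt})
    return findings


def acl_findings(acl):
    """Findings from ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        risk = ACL_PERMISSION_RISK.get(grant.get("Permission"))
        if group and risk:
            findings.append({"source": "acl", "grant": f"{group}:{grant['Permission']}",
                             "risk": risk, "conditional": False})
    return findings


def audit_bucket(policy, acl):
    return policy_findings(policy) + acl_findings(acl)


# Constructed samples: a public-read statement (expected for a static site)
# next to a public list/upload statement and a public WRITE ACL grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print(f"{finding['source']:6} {finding['grant']:18} -> {finding['risk']}")
```

A finding marked conditional still deserves a look: a Condition can narrow a public grant to, say, a source IP range, but the statement is only as tight as that condition. Public read of objects (s3:GetObject) is deliberately not flagged, because that is what a bucket serving a website needs; listing and writing are what the walkthrough abuses.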

Task 10: ROOT FLAG

To achieve this, we have to take control of the target machine. This can be done by opening a reverse shell and connecting to it from our Parrot machine.

The first thing to do is to verify whether we can upload a file to the S3 bucket. We create a simple rev_shell.php that takes a command as an argument and executes it.

Then we upload the file to the server.

We try to open the URL http://thetoppers.htb and it works.

So we can replace the content of rev_shell.php with a reverse shell written in PHP; this is a good one: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php. Just take care to replace the IP and port with the IP of the attacker machine and the chosen port.

With netcat, we open a listener on port 4444.

Then we update the rev_shell.php file with the right port and IP.

Re-upload the new file.

And open the URL http://thetoppers.htb/rev_shell.php in a browser.

In the netcat listener we are automatically connected to the victim machine.

And we can retrieve the flag under /var/www, or simply search for its location with the command: find -name flag.txt
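Seen from the owner's side, the whole chain above leaves two traces in the bucket: an object that was never part of the deployment, and a PHP source that feeds request input to a command-execution function or opens an outbound socket. The following is an added example, not code from the article, of detection logic over a mirror of the bucket (for instance the directory produced by `aws s3 sync`) compared against the manifest of what the deploy should contain. The object keys, contents and manifest are constructed fragments for testing; the manifest name and the rule names are my own.

```python
"""Added example (not from the original walkthrough): flag unexpected objects
in a web-root bucket and PHP sources with command-execution or outbound-socket
patterns. Contents are matched as text; no file is executed."""
import re

EXEC_FUNCS = r"(?:shell_exec|exec|system|passthru|popen|proc_open|pcntl_exec|eval)"
NET_FUNCS = r"(?:fsockopen|stream_socket_client|socket_create)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

# Ordered rules; a file collects the name of every rule that matches it.
RULES = [
    ("exec-from-request", re.compile(r"\b" + EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT)),
    ("exec-call", re.compile(r"\b" + EXEC_FUNCS + r"\s*\(")),
    ("outbound-socket", re.compile(r"\b" + NET_FUNCS + r"\s*\(")),
    ("base64-eval", re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def is_php(key, content):
    """Decide by extension and by content, so a PHP source uploaded under an
    image name is not skipped."""
    return key.lower().endswith(PHP_EXTENSIONS) or content.lstrip().startswith("<?php")


def scan_object(key, content, manifest=None):
    """Findings for one object: 'not-in-manifest' if a manifest is given and
    the key is absent from it, then every PHP rule that matches."""
    findings = []
    if manifest is not None and key not in manifest:
        findings.append("not-in-manifest")
    if is_php(key, content):
        findings.extend(name for name, rx in RULES if rx.search(content))
    return findings


def severity(findings):
    if any(f in ("exec-from-request", "outbound-socket", "base64-eval") for f in findings):
        return "high"
    if "exec-call" in findings:
        return "medium"
    return "low" if findings else "none"


def scan_bucket(objects, manifest):
    """objects: {key: content}. Returns {key: findings} for keys with findings."""
    report = {}
    for key, content in objects.items():
        findings = scan_object(key, content, manifest)
        if findings:
            report[key] = findings
    return report


# Constructed deployment manifest and bucket contents. The two extra objects are
# fragments that only carry the patterns the rules look for.
MANIFEST = {"index.php", "images/band.jpg", ".htaccess"}
SAMPLE_OBJECTS = {
    "index.php": "<?php\n$name = $_GET['name'] ?? 'guest';\n"
                 "echo 'Hello ' . htmlspecialchars($name);\n",
    "images/band.jpg": "\xff\xd8 constructed-jpeg-bytes",
    ".htaccess": "DirectoryIndex index.php\n",
    "rev_shell.php": "<?php\n// constructed fragment for detection testing\n"
                     "$sock = fsockopen($ip, $port);\n"
                     "proc_open('/bin/sh -i', $spec, $pipes);\n",
    "cmd.php": "<?php\n// constructed fragment: command taken from the request\n"
               "system($_REQUEST['cmd']);\n",
}

if __name__ == "__main__":
    for key, findings in scan_bucket(SAMPLE_OBJECTS, MANIFEST).items():
        print(f"{severity(findings):6} {key}: {', '.join(findings)}")
```

The manifest comparison is the stronger of the two signals: it catches any unexpected object regardless of content, while the pattern rules only catch PHP that looks like the cases above and will miss obfuscated variants. In practice the fix is upstream, in the bucket policy and ACL (no anonymous PutObject), with this scan as the check that the fix holds.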

That is all for this article. If you have any questions, ask in the comments, and follow me for more.
