Three

January 12, 2024

```
# Nmap 7.94 scan initiated Sat Jan 27 05:16:08 2024 as: nmap -sC -sV -oN nmap -vv -Pn 10.129.226.121
Nmap scan report for 10.129.226.121
Host is up, received user-set (0.25s latency).
Scanned at 2024-01-27 05:16:08 PST for 70s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCitBp4qe2+WEqMGa7+L3eEgbrqD/tH3G5PYsQ9nMFx6Erg9Rp+jn7D9QqC9GqKdraCCUQTzVoW3zqEd83Ef4iWR7VXjTb469txJU+Y8XlG/4JzegbjO6WYyfQTtQ3nLkqpa21BZEdH9ap28mcJAggj4/uHTiA3yTgZ2C+zPA6LoIS7CaB1DPK2q/8wrxDiRNv4gGiSjcxEilpL8Qls4R3Ny3QJD89hvgEdV9zapTS5T9hOfUdwbkElabjrWL4zs/E+cyHSZF5pPREiv6QkdMmk7cvMND5epXA29womDuabJsDLhrFYFecJxDmXhv6yspRAemCewOX+GnWckerKYeOf
|   256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEkEPksFeIH9z6Ds6r7s2Uff45kDk/PEnvXYwP0ny6pKsP2s62W3PZVCywfF3aC8ONsAqQh6zy0s44Zv8B8g+rI=
|   256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGMkF/JG8KPrh19vLPmhe+RC0WBQt06gh1zE3EOo2q
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 27 05:17:18 2024 -- 1 IP address (1 host up) scanned in 70.89 seconds
```

Add the domain to /etc/hosts so that you can access the web page.

After that, use gobuster to look for subdomains (virtual hosts) of the main domain:

```
gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/subdomains-top1million-110000.txt  --append-domain
```

This finds the "s3.thetoppers.htb" subdomain.

Next, add the Amazon S3 subdomain to /etc/hosts as well so that we can reach it.

Then configure the AWS CLI and list the buckets and the contents of the site's bucket:

```
aws configure
aws --endpoint=http://s3.thetoppers.htb s3 ls
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
```

Then we create a simple PHP script that gives remote code execution.

After that, we put shell.php into the Amazon S3 bucket so that we can access it through the web page.

Now we have access to the website through cmd.

Alternatively, we can upload a PHP reverse shell to the Amazon S3 bucket, which gives us a much better view of the machine.

Then start an nc listener for the incoming traffic.

After that, just access the PHP file through the web page.

This is a nice box for abusing an Amazon S3 bucket to get a reverse shell on the machine through the web page.
