Three

January 12, 2024

# Nmap 7.94 scan initiated Sat Jan 27 05:16:08 2024 as: nmap -sC -sV -oN nmap -vv -Pn 10.129.226.121
Nmap scan report for 10.129.226.121
Host is up, received user-set (0.25s latency).
Scanned at 2024-01-27 05:16:08 PST for 70s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCitBp4qe2+WEqMGa7+L3eEgbrqD/tH3G5PYsQ9nMFx6Erg9Rp+jn7D9QqC9GqKdraCCUQTzVoW3zqEd83Ef4iWR7VXjTb469txJU+Y8XlG/4JzegbjO6WYyfQTtQ3nLkqpa21BZEdH9ap28mcJAggj4/uHTiA3yTgZ2C+zPA6LoIS7CaB1DPK2q/8wrxDiRNv4gGiSjcxEilpL8Qls4R3Ny3QJD89hvgEdV9zapTS5T9hOfUdwbkElabjrWL4zs/E+cyHSZF5pPREiv6QkdMmk7cvMND5epXA29womDuabJsDLhrFYFecJxDmXhv6yspRAemCewOX+GnWckerKYeOf
|   256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEkEPksFeIH9z6Ds6r7s2Uff45kDk/PEnvXYwP0ny6pKsP2s62W3PZVCywfF3aC8ONsAqQh6zy0s44Zv8B8g+rI=
|   256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGMkF/JG8KPrh19vLPmhe+RC0WBQt06gh1zE3EOo2q
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 27 05:17:18 2024 -- 1 IP address (1 host up) scanned in 70.89 seconds

Add the domain in the /etc/hosts for you to access the web page

Then after that you will use the gobuster to find some sub domain in the main domain

gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/subdomains-top1million-110000.txt  --append-domain

Then we found the "s3.thetoppers.htb" sub domain

After that we will add the amazon s3 subdomain in the /etc/hosts for us to access the website

Then we will configure the aws through aws cli

aws configure
aws --endpoint=http://s3.thetoppers.htb s3 ls
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Then we will create a simple php remote code execution

After that we will put the shell.php into the amazon s3 bucket for us to access it in the web page

Now we have access to the website through cmd

Or we can just upload php reverse shell to the amazon s3 bucket, so that we will have much better perspective to the machine

Then use a nc listener for the incoming traffic

After that just access the php file in the webpage

This is a nice box for abusing the amazon s3 bucket that we can get a reverse shell to the machine through webpage.

PreviousBizness NextRedeemer

Last updated 1 year ago