Hack the Box – Three
# Information:
Platform Name: Hack the Box
Machine Challenge: Three
Machine Status: Starting Point
Challenge Level: Very Easy
# Used Tools:
- Linux
- nmap
- AWS CLI
- nc
# Challenge Description:
This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.
# Writeup:
Task 1:
“How many TCP ports are open?”
Answer: There are 2 open ports.
To find this out, I ran an nmap scan like so:
As you can see in image 1, port 80 may be hosting a website. To verify that, I looked the site up on Google, and there it was: a website called “The Toppers”.
Task 2:
“What is the domain of the email address provided in the “Contact” section of the website?”
Answer: The domain is thetoppers.htb.
You can see this by clicking “CONTACT” and looking at the email address. See the image below:
Task 3:
“In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?”
Answer: The file is /etc/hosts.
If you can’t access the website, add the IP to your “hosts” file: go to the “etc” directory and edit the “hosts” file with a text editor such as “nano”.
Don’t forget to replace the IP “10.129.94.16” with the one assigned to your own target.
Task 4:
“Which sub-domain is discovered during further enumeration?”
Answer: The sub-domain is s3.thetoppers.htb.
To find this, I ran a subdomain enumeration with “gobuster” using the following command:
gobuster vhost -u http://thetoppers.htb/ -w /path/to/wordlists/seclists/Discovery/DNS/subdomain-top1million-20000.txt
The switches in the command above mean the following:
vhost –> selects virtual-host mode: each wordlist entry is sent as the Host header of the HTTP request, and responses that differ from the default one reveal a valid virtual host
-u http://thetoppers.htb –> specifies the target URL
-w /path/to/subdomain-top1million-20000.txt –> specifies the wordlist file containing the subdomains to enumerate
The output was the following:
Now you can add the sub-domain s3.thetoppers.htb to the hosts file as we did in task 3.
Note: If you do not have a wordlist to use with gobuster, you can search Google for “wordlist for subdomain enumeration” and you’ll find a lot of choices there. If you have Kali Linux, go to “usr”, then “share”, and inside “share” you’ll find “wordlists”.
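As an added, defender-side example (not part of the original writeup), the following Python script detects the kind of virtual-host brute force described above by counting, per client IP, the distinct Host header values seen in an Apache access log. It assumes a log format with the Host header appended as a final quoted field; the log lines and IPs are constructed samples.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat (not the challenge's own): the "combined" format with the
# Host request header appended as a final quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" hostlog
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def vhost_bruteforce_candidates(lines, threshold=10):
    """Group requests by client IP and flag clients that sent at least `threshold`
    distinct Host header values. Returns {ip: {"hosts": n, "requests": r}}."""
    hosts = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        requests[rec["ip"]] += 1
        hosts[rec["ip"]].add(rec["host"].lower())
    return {
        ip: {"hosts": len(h), "requests": requests[ip]}
        for ip, h in hosts.items()
        if len(h) >= threshold
    }

# Constructed sample: one client cycling through 12 candidate Host values, one normal visitor.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Oct/2023:12:00:%02d +0000] "GET / HTTP/1.1" 200 11952 "-" '
     '"gobuster/3.x" "%s.thetoppers.htb"' % (i, name)
     for i, name in enumerate(["www", "mail", "ftp", "dev", "test", "admin", "s3",
                               "api", "stage", "vpn", "blog", "shop"])]
    + ['198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 11952 '
       '"-" "Mozilla/5.0" "thetoppers.htb"']
)

if __name__ == "__main__":
    for ip, info in vhost_bruteforce_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {info['hosts']} distinct Host values in {info['requests']} requests")
```

The threshold is deliberately low for the sample; on a real server tune it to the number of legitimate virtual hosts you serve.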
Task 5:
“Which service is running on the discovered sub-domain?”
Answer: The service is Amazon S3.
To answer this I searched Google for “s3” (the prefix of the discovered subdomain), and the first result was “Amazon S3”. Amazon S3 is Amazon’s object storage service, where files are stored and managed in buckets.
Task 6:
“Which command line utility can be used to interact with the service running on the discovered sub-domain?”
Answer: The command is awscli.
Here you just need to search for “command to interact with Amazon S3” and you’ll see that the answer is awscli.
Task 7:
“Which command is used to set up the AWS CLI installation?”
Answer: The command is aws configure.
The credentials have to be set to something, and as you can see in the image above, I set them to “a”. This is needed because the CLI will not send requests without configured credentials, and this endpoint accepts the dummy values; without them you will not be able to upload the reverse shell later in this challenge.
Task 8:
“What is the command used by the above utility to list all of the S3 buckets?”
Answer: The command is aws s3 ls.
Now we need to list the buckets available on the endpoint. To do that I used the following command:
aws --endpoint=http://s3.thetoppers.htb s3 ls
The switches in the command above mean the following:
--endpoint: specifies where the S3 service is located
In other words, with this command we are saying “list every bucket on this endpoint”.
You can see this in the image below:
As you can see we have a bucket named “thetoppers.htb”.
Now, we want to list the contents inside of our bucket. To do that we can use the following command:
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
The output can be seen in the image below:
As you can see, we have 2 files inside of our bucket.
Task 9:
“This server is configured to run files written in what web scripting language?”
Answer: PHP.
You can use Wappalyzer to identify the technologies a website uses. If you open the “thetoppers.htb” website and check Wappalyzer, you’ll see that the scripting language is PHP.
Now that we know all this, we can use a reverse shell with a .php extension, since the “thetoppers.htb” website executes PHP files. We do this to gain access to the target system.
I’m using Kali Linux, which means I already have a PHP reverse shell file on my machine. But if you are not using Kali Linux you can use this one.
For those who are using Kali Linux and don’t know where to find the reverse shell, run the following command in your terminal:
locate shell.php
And you’ll have something like this:
I will use the first one, so I will copy the file “php-reverse-shell.php” to my “Downloads” directory and then edit it.
What you need to edit in the “php-reverse-shell.php” file is the IP, and if you want to use another port you can change that as well. Remember that the IP is the one that belongs to your machine; you can see it by running “ifconfig” in your terminal.
You can see the file in the image below:
After making these changes, I uploaded the file using the following command:
aws --endpoint=http://s3.thetoppers.htb s3 cp <path/to/the/file/php-reverse-shell.php> s3://thetoppers.htb
You can see this in the image below:
To see if the upload was successful you can run the command that we used previously to list the contents of the bucket (see image 7).
And as you can see below, our upload was successful.
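The upload succeeds because the bucket accepts writes from an unauthenticated, or arbitrary, principal. As an added example, not from the writeup or from the challenge’s actual configuration, here is a small Python linter that flags that weakness in a standard S3 bucket policy document and shows a hardened policy beside the weak one; the policies, account ID and role name are constructed.

```python
import json
import fnmatch

# Constructed example policies (not the challenge's real configuration).
# WEAK: anonymous principals may write objects, which is what lets any file,
# such as a PHP reverse shell, land in the bucket that backs the web root.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})
# HARDENED: the public may only read; writes need an identified deployer role (constructed ARN).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
        {"Sid": "DeployerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})

# Actions that change bucket contents or its access control.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False

def anonymous_write_statements(policy_json):
    """Return the Sids of Allow statements that let anonymous principals perform a
    write action. Action wildcards (s3:*, s3:Put*) are expanded with fnmatch;
    Condition blocks are not evaluated, so a hit is a finding to review, not proof."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS for p in patterns):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run it against a policy fetched with `aws s3api get-bucket-policy`; note that bucket ACLs and the account-level public access block are separate controls the linter does not read.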
Now, we just need to start a netcat listener like so:
nc -nvlp <the_port_here>
In the command above, the port is the one that you specified in the “php-reverse-shell.php” file. I didn’t change mine, so my port is 8888. You can see this below:
Now, we just need to go to the website and try to establish a connection. To do that, append the name of our reverse shell file to the URL, like so:
Now we go back to our netcat listener in our terminal and check whether we got a connection.
And if you did every step right you will see something like this:
Now, we just need to locate the flag. To do that we can use the following command to search for it:
find -name flag.txt
As you can see in image 15, our flag is in the “www” directory. So we just need to navigate to that directory, using the “cd” command as we do on a Linux operating system.
Then we list the contents of the “www” directory, and there is the flag.
Now we just need to read the file with the command “cat”. See this in the image below:
And we could retrieve the flag!
Submit root flag:
Thank you very much for reading!
Cheers,
SoBatista