HTB — Tier 1 Starting Point: Three
I was getting a Proxy Server error, but decided to try to complete the room regardless.
Task 1
How many TCP ports are open?
Answer: 2
Task 2
What is the domain of the email address provided in the “Contact” section of the website?
Answer: thetoppers.htb
Task 3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
Answer: /etc/hosts
Task 4
Which sub-domain is discovered during further enumeration?
I eventually tried the s3 sub-domain again, and it resolved successfully.
Tried gobuster, ffuf, and wfuzz. Wfuzz gave me an error with the s3 sub-domain.
Answer: s3.thetoppers.htb
Task 5
Which service is running on the discovered sub-domain?
Answer: Amazon S3
Task 6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
Answer: awscli
Task 7
Which command is used to set up the AWS CLI installation?
Answer: aws configure
Task 8
What is the command used by the above utility to list all of the S3 buckets?
Answer: aws s3 ls
Task 9
This server is configured to run files written in what web scripting language?
Let’s configure our AWS CLI (we can provide default/fake values).
When trying to connect to the S3 bucket on the machine, it’s redirecting us to AWS’s site.
Answer: PHP
Submit root flag
We can copy a file to an S3 bucket.
We are going to upload a simple PHP webshell.
Now, let’s copy this file to the S3 bucket, and then verify it uploaded successfully.
Let’s cat out our flag.
Answer: a980d99281a28d638ac68b9bf9453c2b
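
The root flag step works because a client configured with fake credentials can still write into the bucket that backs the PHP web root. As an added example (not part of the original write-up), here is a defender-side check that flags S3 bucket policy statements granting write actions to anonymous principals. The sample policy, bucket name, account ID and function names are constructed for illustration.

```python
import fnmatch
import json

# Write-type S3 actions worth flagging when granted to everyone (lower-cased).
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:putbucketpolicy", "s3:putbucketacl")

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} style grants."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _grants_write(action):
    """IAM actions are case-insensitive and may contain * and ? wildcards."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(w, pattern) for w in WRITE_ACTIONS)

def anonymous_write_statements(policy_json):
    """Return (Sid, [actions]) for each Allow statement that lets anyone write.
    NotPrincipal/NotAction and Condition blocks are not evaluated here."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        risky = [a for a in _as_list(stmt.get("Action")) if _grants_write(a)]
        if risky:
            findings.append((stmt.get("Sid", "<no Sid>"), risky))
    return findings

# Constructed sample: public read is expected for a website bucket, public write is not.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-webroot/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-webroot/*"},
    {"Sid": "DeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-webroot/*"}]})

if __name__ == "__main__":
    for sid, actions in anonymous_write_statements(SAMPLE_POLICY):
        print(f"anonymous write allowed by statement {sid}: {actions}")
```

Any statement this reports on a bucket that a web server executes files from should be restricted to the deployment principal only.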