TASK 1
How many TCP ports are open?
Same routine as always: start the box with a port scan. First try a half-open (SYN) scan of the top 1000 ports with the default scripts, to keep it fast.
TASK 2
What is the domain of the email address provided in the "Contact" section of the website?
Following the experience from the "previous" boxes, resolve this domain to the target host's IP.
TASK 3
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hosts
TASK 4
Which sub-domain is discovered during further enumeration?
I ran into a lot of problems here; I spent a whole day without solving it, and only after consulting the answer did I understand what the author probably meant. First, this is not traditional DNS subdomain brute-forcing but virtual-host brute-forcing, i.e. brute-forcing when the domain cannot be resolved (my own understanding, corrections from the experts welcome). Second, it is not the usual "response code 200 means the subdomain exists, 404 means it doesn't", because in my testing every input returned 200, while the correct subdomain was the one that returned 404. So ffuf needs the -mc all parameter; otherwise it discards the output whose response code is 404.
By this point the problem is already obvious. Also, the wordlist was one I generated from the answer... call it experience gained; without looking at the answer I feel I would never have gotten past this. Remember to resolve this subdomain to the host IP as well.
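To show why -mc all matters, here is the response-filtering logic ffuf applies, written as a pure function over constructed sample responses. This is an added example, not code from the original post or from ffuf; the hostnames other than s3.thetoppers.htb and all response sizes are made up for illustration.

```python
# Added example: why a vhost scan needs "-mc all". The catch-all default
# vhost answers 200 with the same page for any unknown Host header, so the
# real vhost is the one whose response *differs* (here, a 404), not the one
# that returns 200.
from collections import Counter
from typing import NamedTuple


class VhostResponse(NamedTuple):
    host: str    # value sent in the Host header
    status: int  # HTTP status code returned
    size: int    # response body length in bytes


def baseline(responses):
    """The (status, size) pair seen most often is the catch-all default vhost."""
    counts = Counter((r.status, r.size) for r in responses)
    return counts.most_common(1)[0][0]


def find_candidate_vhosts(responses, match_codes=None):
    """Return hosts whose response differs from the baseline.

    match_codes=None mimics ffuf's '-mc all': every status code is kept for
    comparison. With a status whitelist that excludes 404, the real vhost is
    dropped before it can ever be compared against the baseline.
    """
    base = baseline(responses)
    hits = []
    for r in responses:
        if match_codes is not None and r.status not in match_codes:
            continue  # filtered out before comparison, like ffuf's default -mc
        if (r.status, r.size) != base:
            hits.append(r.host)
    return hits


# Constructed sample (sizes and the non-s3 hostnames are invented).
SAMPLE = [
    VhostResponse("www.thetoppers.htb", 200, 11952),
    VhostResponse("mail.thetoppers.htb", 200, 11952),
    VhostResponse("dev.thetoppers.htb", 200, 11952),
    VhostResponse("s3.thetoppers.htb", 404, 21),
    VhostResponse("admin.thetoppers.htb", 200, 11952),
]

# Assumed to resemble ffuf's default match list (200-299,301,302,307,401,403,405,500).
DEFAULT_MC = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}

if __name__ == "__main__":
    print(find_candidate_vhosts(SAMPLE))              # ['s3.thetoppers.htb']
    print(find_candidate_vhosts(SAMPLE, DEFAULT_MC))  # []
```

With the default status list the 404 is silently dropped and the scan reports nothing; with all codes kept, the single differing response stands out.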
TASK 5
Which service is running on the discovered sub-domain?
Nothing much to say; a quick Baidu search gives it: Amazon S3.
TASK 6
Which command line utility can be used to interact with the service running on the discovered sub-domain?
This one wants me to learn to read the official documentation... a proper "baby" tutorial indeed: awscli
TASK 8
What is the command used by the above utility to list all of the S3 buckets?
Same as above: aws s3 ls
TASK 9
This server is configured to run files written in what web scripting language?
There is a pitfall here: by default the CLI talks to Amazon's endpoint, so we have to use --endpoint=http://s3.thetoppers.htb (the full option name is --endpoint-url) to point it at our own endpoint.
aws s3 --endpoint=http://s3.thetoppers.htb ls s3://thetoppers.htb
SUBMIT FLAG
From the tags we know this stage involves a file upload: find the aws upload command, upload a reverse shell, connect with nc, find the flag, done.
Summary: the overall approach for this box:
1. Use the mail server address to determine the second-level domain, then use virtual-host brute-forcing to find the subdomain s3.thetoppers.htb running the Amazon S3 service.
2. Use that service to carry out a file upload attack.
Tags: domain, TASK, htb, s3, Three, subdomain, thetoppers, TIER. From: https://www.cnblogs.com/HackHab/p/16990971.html