S3

Box info | OS: Ubuntu 18.04.6 LTS (Apache 2.4.29) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: Virtual host enumeration, AWS S3/LocalStack, webshell upload, RCE Pwned: 2026-04-27 TL;DR Three is a Tier 1 box that teaches S3 bucket enumeration combined with virtual host discovery. A port scan finds SSH and HTTP. The website identifies the hostname thetoppers.htb. Subdomain fuzzing reveals s3.thetoppers.htb — a LocalStack (mock AWS S3) endpoint. The thetoppers.htb S3 bucket is publicly writable with no authentication. Uploading a PHP webshell to the bucket places it in the web root (LocalStack syncs bucket contents to /var/www/html/). The webshell provides RCE as www-data. The flag is at /var/www/flag.txt. The lesson: S3 bucket misconfiguration can be a direct path to server-side code execution when the bucket contents are served as a web application. ...