🌐 Bucket List

A detailed write-up of the Web challenge 'Bucket List' from ACECTF1.0 - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | ACECTF - 2025 | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 300 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 2/10 |
| 👤 Author | Unknown | Profile |
| 🎮 Solves (At the time of writeup writing) | 183 | solve rate |
| 📅 Date | 27-02-2025 | ACECTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

📝 Challenge Information

You know what’s a bucketlist? In simple terms, it’s just a list of wishes people want to achieve before they leave this world. I found it to be very limiting & ironic because how can you know when you’ll leave the world behind? It’s better to enjoy every moment and take on every opportunity you can. One of my wishes though is to pet a cat, do you mind checking this one out. So cute. What a cutie patootie!

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

[Image: Site Presentation]

The first thing I did was research AWS S3 buckets, since I had never solved a challenge of this type before. While searching, I found several resources (References & Resources). I learned that buckets are containers for objects in Amazon S3 (Simple Storage Service). A bucket is essentially a “space” where you can store various types of files and data, such as documents, images, videos, and backups. So I thought that the flag might be hidden in a bucket, possibly as a .txt file (although initially I explored a couple of different approaches, such as enumerating .jpeg images and analyzing some of them using exiftool, file, steghide, and binwalk). However, after reading the Intigriti guide on hacking AWS (Hacking Misconfigured AWS S3 Buckets - A Complete Guide), I realized that this was not the right approach. Now that we understand what a bucket is, we can move on to the exploitation phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • AWS S3 Bucket Misconfigurations
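
An added example, not part of the original write-up or the challenge: a small Python audit that flags the bucket policy statements and ACL grants that allow the unsigned (--no-sign-request) listing and download used in this write-up. The sample policy, ACL, bucket name and account ID are constructed; how the challenge bucket was actually configured is not shown on the page.

```python
import fnmatch

# What the unsigned requests in the write-up rely on: listing keys and reading objects.
RISKY = {"s3:listbucket": "anonymous listing", "s3:getobject": "anonymous read"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy):
    """Return (sid, finding) pairs for Allow statements open to everyone."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        note = " (conditional, review)" if st.get("Condition") else ""
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        for action, label in RISKY.items():
            # Action names are case-insensitive and may use * and ? wildcards.
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                findings.append((st.get("Sid", f"statement[{i}]"), label + note))
    return findings

def audit_acl(acl):
    """Return bucket ACL permissions granted to the AllUsers group that allow listing."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") == ALL_USERS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

# Constructed sample documents (not taken from the challenge bucket).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"policy {sid}: {finding}")
    print("public ACL grants:", audit_acl(SAMPLE_ACL))
```

For a bucket you own, the inputs come from aws s3api get-bucket-policy (the parsed Policy string) and aws s3api get-bucket-acl. The check ignores NotAction, NotPrincipal and Resource scoping, and enabling S3 Block Public Access stops both kinds of grant from taking effect.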

🎯 Solution Path

Exploitation Steps

Initial setup

First, we need to determine the current bucket we are “in.” S3 URLs are structured like https://bucket_name.s3.region.amazonaws.com, for example. So, from the challenge URL, it’s easy to extract the first bucket, since it’s the first label of the hostname in the URL: https://opening-account-acectf.s3.ap-south-1.amazonaws.com/fun/can_we_get_some_dogs/026.jpeg. In this case, the bucket is opening-account-acectf. The previously mentioned guide explains a way to enumerate these buckets. So the first thing I did was install aws-cli:

yay -S aws-cli

And then, following the guide, I tried to enumerate other existing buckets by specifying the bucket name.

aws s3 ls s3://opening-account-acectf --no-sign-request

[Image: Bucket Enumeration]

But as we can see, this approach requires manually visiting each bucket one by one until we find the file containing the flag, which is not very efficient. Let’s move on to the next phase.

Exploitation

So, I started looking for a way to recursively enumerate all the discovered buckets. Eventually, I found aws s3api, which allows me to list all objects belonging to a given bucket by specifying just one:

aws s3api list-objects --bucket opening-account-acectf --no-sign-request

[Image: Bucket Full Enumeration]

As we can see from the output of this command, it returns a JSON object containing all the objects belonging to the previously discovered buckets. I hypothesized that the flag would be in .txt format, so using tmux, I searched for .txt (/.txt).

[Image: Secret]

I found cry-for-me/acectf/secret.txt and fun/aws-cli/hint.txt. I was inclined to exclude hint.txt since secret.txt seemed much more promising. So, I tried visiting: https://opening-account-acectf.s3.ap-south-1.amazonaws.com/cry-for-me/acectf/secret.txt

[Image: Base64 Flag]

I found a string that appeared to be Base64 encoded. So, I decided to decode it using the cli:

echo; echo QUNFQ1RGezdoM180dzVfMTVfbTE1YzBuZjE2dXIzZH0= | base64 -d

And by doing that, I obtained the flag.

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The automated exploit makes a GET request directly to secret.txt and Base64-decodes the response. The “complete” alternative would have been to execute the command described above with subprocess, extract the .txt route with a regex, and then apply the same procedure as described.

🚩 Flag Capture

Flag

Proof of Execution

[Image: Automated Flag - Screenshot of successful exploitation]

🔧 Tools Used

Primary Tools

| Tool | Purpose |
|---|---|
| aws-cli | AWS Bucket Enumeration |
| Base64 | Base64 Decoding |

💡 Key Learnings

New Knowledge

I have learned to exploit AWS S3 bucket misconfiguration errors.

Time Optimization

Instead of manually visiting the buckets with aws s3 ls, you can directly use s3api, and by specifying list-objects, all the buckets with their content are extracted: aws s3api list-objects --bucket {bucket_name} --no-sign-request

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:10 | From start to flag |
| Global Ranking (At the time of writeup writing) | 3/502 | Challenge ranking |
| Points Earned | 300 | Team contribution |

Created: 27-02-2025 • Last Modified: 27-02-2025 • Author: mH4ck3r0n3 • Team: QnQSec