KringleCon3 2020 Objective Two Writeup: Investigate S3 Bucket


KringleCon3 Overview

KringleCon is the annual Holiday Hacking Challenge put on by the SANS Institute. Players are presented with a variety of security themed objectives and CLI challenges which provide valuable hints. In addition, the KringleCon YouTube Channel provides additional training, helpful for solving obstacles within the game, as well as practical security advice outside the game.

When KringleCon is over, players publish writeups. Each player tackles the objectives in their own unique way. These writeups help us gain insight into the minds of each individual player.

Objective Overview

Main Objective

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

Objective from the CLI:

Can you help me? Santa has been experimenting with new wrapping technology, and we’ve run into a ribbon-curling nightmare! We store our essential data assets in the cloud, and what a joy it’s been! Except I don’t remember where, and the Wrapper3000 is on the fritz! Can you find the missing package, and unwrap it all the way? Hints: Use the file command to identify a file type. You can also examine tool help using the man command. Search all man pages for a string such as a file extension using the apropos command.

Objective Detailed Writeup

Initial Findings

After logging into the terminal and examining the files in the current directory, there is a file called TIPS:

elf@f1f91b2bb7f2:~$ cat TIPS 
# TIPS
- If you need an editor to create a file you can run nano (vim is also
  available).
- Everything you need to solve this challenge is provided in this terminal
  session.

and set of scripts:

elf@f1f91b2bb7f2:~/bucket_finder$ ls -al
total 28
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 .
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 ..
-rw-r--r-- 1 elf elf 2550 Dec  5 00:00 README
-rwxr-xr-x 1 elf elf 9121 Dec 17 13:08 bucket_finder.rb
-rw-r--r-- 1 elf elf   28 Dec  5 00:00 wordlist

Assumptions After Initial Observations

  • S3 buckets have the wrong permissions and end up world readable
  • One of these buckets contains the information we need to solve the task
  • The ./bucket_finder.rb script is needed to find the S3 bucket
  • The bucket has something to do with the wordlist

Solving

I started this objective by running the script to see what it does:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist 
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
        Bucket found but access denied: santa

It appears to determine if S3 buckets are readable. At this point I assume, based on the hint, additional words (buckets) need to be added to the word list file. I add obvious S3 bucket names based on the objective name:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist 
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
        Bucket found but access denied: santa
http://s3.amazonaws.com/Wrapper3000
Bucket does not exist: Wrapper3000
http://s3.amazonaws.com/Wrapper-3000
Bucket does not exist: Wrapper-3000
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Public> http://s3.amazonaws.com/wrapper3000/package
http://s3.amazonaws.com/wrapper-3000
Bucket does not exist: wrapper-3000
http://s3.amazonaws.com/santa-wrapper
Bucket does not exist: santa-wrapper
http://s3.amazonaws.com/santa-wrapper3000
Bucket does not exist: santa-wrapper3000
http://s3.amazonaws.com/kringlecastle-wrapper
Bucket does not exist: kringlecastle-wrapper
http://s3.amazonaws.com/kringlecastle-santa-wrapper
Bucket does not exist: kringlecastle-santa-wrapper

Found something:

Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Public> http://s3.amazonaws.com/wrapper3000/package

What other options are available in ./bucket_finder.rb:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb  --help
bucket_finder 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
Usage: bucket_finder [OPTION] ... wordlist
        --help, -h: show help
        --download, -d: download the files
        --log-file, -l: filename to log output to
        --region, -r: the region to use, options are:
                                        us - US Standard
                                        ie - Ireland
                                        nc - Northern California
                                        si - Singapore
                                        to - Tokyo
        -v: verbose
        wordlist: the wordlist to use

Edit the word list with the wrapper3000 bucket and add the --download option:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb --download ./wordlist 
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Downloaded> http://s3.amazonaws.com/wrapper3000/package

Examine the file:

# Package file is there
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ ls -al
total 16
drwxr-xr-x 2 elf elf 4096 Dec 20 19:25 .
drwxr-xr-x 1 elf elf 4096 Dec 20 19:25 ..
-rw-r--r-- 1 elf elf  829 Dec 20 19:25 package

# The file is ASCII text
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package 
package: ASCII text, with very long lines

# But what type of file is it?
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package 
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AX
yl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0
ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFAC
gIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADL
e80tnfLGXhIWaJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbj
cBkRPgkKz6q0okb1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ce
DQexsLsJ3C89Z/gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn
/OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2th
Z2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA

From past experience, I know a lot of ASCII files that look similar to this are base64 encoded.

Try to base64 decode it:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ base64 -d ./package > package.img

This worked, the file is a zip archive:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.img 
package.img: Zip archive data, at least v1.0 to extract

Based on the filename, I expect multiple compression techniques were used:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ unzip package.img 
Archive:  package.img
 extracting: package.txt.Z.xz.xxd.tar.bz2  

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ bunzip2 package.txt.Z.xz.xxd.tar.bz2 

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz.xxd.tar 
package.txt.Z.xz.xxd.tar: POSIX tar archive

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ tar xvf package.txt.Z.xz.xxd.tar 
package.txt.Z.xz.xxd

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz
package.txt.Z.xz: XZ compressed data

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xz -d package.txt.Z.xz

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z
package.txt.Z: compress'd data 16 bits

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ uncompress package.txt.Z

We are now left with a ASCII text file:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt
package.txt: ASCII text

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth

Helpful Advice

Watch the help training video earlier. They talk about trying variations of S3 names, attempting to find hidden buckets.

Answer

North Pole: The Frostiest Place on Earth