KringleCon3 2020 Objective Two Writeup: Investigate S3 Bucket
KringleCon3 Overview
KringleCon is the annual Holiday Hacking Challenge put on by the SANS Institute. Players are presented with a variety of security themed objectives and CLI challenges which provide valuable hints. In addition, the KringleCon YouTube Channel provides additional training, helpful for solving obstacles within the game, as well as practical security advice outside the game.
When KringleCon is over, players publish writeups. Each player tackles the objectives in their own unique way. These writeups help us gain insight into the minds of each individual player.
Objective Overview
Main Objective
When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.
Objective from the CLI:
Can you help me? Santa has been experimenting with new wrapping technology, and we’ve run into a ribbon-curling nightmare! We store our essential data assets in the cloud, and what a joy it’s been! Except I don’t remember where, and the Wrapper3000 is on the fritz! Can you find the missing package, and unwrap it all the way? Hints: Use the file command to identify a file type. You can also examine tool help using the man command. Search all man pages for a string such as a file extension using the apropos command.
Objective Detailed Writeup
Initial Findings
After logging into the terminal and examining the files in the current directory, there is a file called TIPS:
elf@f1f91b2bb7f2:~$ cat TIPS
# TIPS
- If you need an editor to create a file you can run nano (vim is also
available).
- Everything you need to solve this challenge is provided in this terminal
session.
and set of scripts:
elf@f1f91b2bb7f2:~/bucket_finder$ ls -al
total 28
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 .
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 ..
-rw-r--r-- 1 elf elf 2550 Dec 5 00:00 README
-rwxr-xr-x 1 elf elf 9121 Dec 17 13:08 bucket_finder.rb
-rw-r--r-- 1 elf elf 28 Dec 5 00:00 wordlist
Assumptions After Initial Observations
- S3 buckets have the wrong permissions and end up world readable
- One of these buckets contains the information we need to solve the task
- The
./bucket_finder.rbscript is needed to find the S3 bucket - The bucket has something to do with the wordlist
Solving
I started this objective by running the script to see what it does:
elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
Bucket found but access denied: santa
It appears to determine if S3 buckets are readable. At this point I assume, based on the hint, additional words (buckets) need to be added to the word list file. I add obvious S3 bucket names based on the objective name:
elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
Bucket found but access denied: santa
http://s3.amazonaws.com/Wrapper3000
Bucket does not exist: Wrapper3000
http://s3.amazonaws.com/Wrapper-3000
Bucket does not exist: Wrapper-3000
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Public> http://s3.amazonaws.com/wrapper3000/package
http://s3.amazonaws.com/wrapper-3000
Bucket does not exist: wrapper-3000
http://s3.amazonaws.com/santa-wrapper
Bucket does not exist: santa-wrapper
http://s3.amazonaws.com/santa-wrapper3000
Bucket does not exist: santa-wrapper3000
http://s3.amazonaws.com/kringlecastle-wrapper
Bucket does not exist: kringlecastle-wrapper
http://s3.amazonaws.com/kringlecastle-santa-wrapper
Bucket does not exist: kringlecastle-santa-wrapper
Found something:
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Public> http://s3.amazonaws.com/wrapper3000/package
What other options are available in ./bucket_finder.rb:
elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb --help
bucket_finder 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
Usage: bucket_finder [OPTION] ... wordlist
--help, -h: show help
--download, -d: download the files
--log-file, -l: filename to log output to
--region, -r: the region to use, options are:
us - US Standard
ie - Ireland
nc - Northern California
si - Singapore
to - Tokyo
-v: verbose
wordlist: the wordlist to use
Edit the word list with the wrapper3000 bucket and add the --download option:
elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb --download ./wordlist
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Downloaded> http://s3.amazonaws.com/wrapper3000/package
Examine the file:
# Package file is there
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ ls -al
total 16
drwxr-xr-x 2 elf elf 4096 Dec 20 19:25 .
drwxr-xr-x 1 elf elf 4096 Dec 20 19:25 ..
-rw-r--r-- 1 elf elf 829 Dec 20 19:25 package
# The file is ASCII text
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package
package: ASCII text, with very long lines
# But what type of file is it?
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AX
yl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0
ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFAC
gIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADL
e80tnfLGXhIWaJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbj
cBkRPgkKz6q0okb1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ce
DQexsLsJ3C89Z/gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn
/OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2th
Z2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA
From past experience, I know a lot of ASCII files that look similar to this are base64 encoded.
Try to base64 decode it:
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ base64 -d ./package > package.img
This worked, the file is a zip archive:
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.img
package.img: Zip archive data, at least v1.0 to extract
Based on the filename, I expect multiple compression techniques were used:
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ unzip package.img
Archive: package.img
extracting: package.txt.Z.xz.xxd.tar.bz2
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ bunzip2 package.txt.Z.xz.xxd.tar.bz2
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz.xxd.tar
package.txt.Z.xz.xxd.tar: POSIX tar archive
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ tar xvf package.txt.Z.xz.xxd.tar
package.txt.Z.xz.xxd
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz
package.txt.Z.xz: XZ compressed data
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xz -d package.txt.Z.xz
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z
package.txt.Z: compress'd data 16 bits
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ uncompress package.txt.Z
We are now left with a ASCII text file:
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt
package.txt: ASCII text
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth
Helpful Advice
Watch the help training video earlier. They talk about trying variations of S3 names, attempting to find hidden buckets.
Answer
North Pole: The Frostiest Place on Earth
