KringleCon3 2020 Objective Two Writeup: Investigate S3 Bucket

KringleCon3 Overview

KringleCon is the annual Holiday Hacking Challenge put on by the SANS Institute. Players are presented with a variety of security-themed objectives and CLI challenges which provide valuable hints. In addition, the KringleCon YouTube Channel provides training that is helpful for solving obstacles within the game, as well as practical security advice outside the game.

When KringleCon is over, players publish writeups. Each player tackles the objectives in their own unique way. These writeups help us gain insight into the minds of each individual player.

Objective Overview

Main Objective

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

Objective from the CLI:

Can you help me? Santa has been experimenting with new wrapping technology, and we’ve run into a ribbon-curling nightmare! We store our essential data assets in the cloud, and what a joy it’s been! Except I don’t remember where, and the Wrapper3000 is on the fritz! Can you find the missing package, and unwrap it all the way? Hints: Use the file command to identify a file type. You can also examine tool help using the man command. Search all man pages for a string such as a file extension using the apropos command.

Objective Detailed Writeup

Initial Findings

After logging into the terminal and examining the files in the current directory, there is a file called TIPS:

elf@f1f91b2bb7f2:~$ cat TIPS 
- If you need an editor to create a file you can run nano (vim is also
- Everything you need to solve this challenge is provided in this terminal

and a set of scripts:

elf@f1f91b2bb7f2:~/bucket_finder$ ls -al
total 28
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 .
drwxr-xr-x 1 elf elf 4096 Dec 17 13:08 ..
-rw-r--r-- 1 elf elf 2550 Dec  5 00:00 README
-rwxr-xr-x 1 elf elf 9121 Dec 17 13:08 bucket_finder.rb
-rw-r--r-- 1 elf elf   28 Dec  5 00:00 wordlist

Assumptions After Initial Observations

  • S3 buckets have the wrong permissions and end up world-readable
  • One of these buckets contains the information we need to solve the task
  • The ./bucket_finder.rb script is needed to find the S3 bucket
  • The bucket has something to do with the wordlist


I started this objective by running the script to see what it does:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist
Bucket found but access denied: kringlecastle
Bucket found but access denied: wrapper
Bucket santa redirects to:
        Bucket found but access denied: santa

It appears to determine whether S3 buckets are readable. At this point I assumed, based on the hint, that additional words (bucket names) needed to be added to the wordlist file. I added obvious S3 bucket names based on the objective name:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb wordlist
Bucket found but access denied: kringlecastle
Bucket found but access denied: wrapper
Bucket santa redirects to:
        Bucket found but access denied: santa
Bucket does not exist: Wrapper3000
Bucket does not exist: Wrapper-3000
Bucket Found: wrapper3000 ( )
Bucket does not exist: wrapper-3000
Bucket does not exist: santa-wrapper
Bucket does not exist: santa-wrapper3000
Bucket does not exist: kringlecastle-wrapper
Bucket does not exist: kringlecastle-santa-wrapper

Found something:

Bucket Found: wrapper3000 ( )

Next, check what other options ./bucket_finder.rb offers:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb  --help
bucket_finder 1.0 Robin Wood ( (
Usage: bucket_finder [OPTION] ... wordlist
        --help, -h: show help
        --download, -d: download the files
        --log-file, -l: filename to log output to
        --region, -r: the region to use, options are:
                                        us - US Standard
                                        ie - Ireland
                                        nc - Northern California
                                        si - Singapore
                                        to - Tokyo
        -v: verbose
        wordlist: the wordlist to use

Edit the wordlist to include the wrapper3000 bucket and run the script with the --download option:

elf@f1f91b2bb7f2:~/bucket_finder$ ./bucket_finder.rb --download ./wordlist
Bucket Found: wrapper3000 ( )

Examine the file:

# Package file is there
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ ls -al
total 16
drwxr-xr-x 2 elf elf 4096 Dec 20 19:25 .
drwxr-xr-x 1 elf elf 4096 Dec 20 19:25 ..
-rw-r--r-- 1 elf elf  829 Dec 20 19:25 package

# The file is ASCII text
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package 
package: ASCII text, with very long lines

# But what type of file is it?
elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package 

From past experience, I know a lot of ASCII files that look similar to this are base64 encoded.

Try to base64 decode it:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ base64 -d ./package > package.img

This worked, the file is a zip archive:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.img 
package.img: Zip archive data, at least v1.0 to extract

Based on the filename, I expect multiple compression techniques were used:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ unzip package.img 
Archive:  package.img
 extracting: package.txt.Z.xz.xxd.tar.bz2  

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ bunzip2 package.txt.Z.xz.xxd.tar.bz2 

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz.xxd.tar 
package.txt.Z.xz.xxd.tar: POSIX tar archive

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ tar xvf package.txt.Z.xz.xxd.tar 

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z.xz
package.txt.Z.xz: XZ compressed data

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ xz -d package.txt.Z.xz

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt.Z
package.txt.Z: compress'd data 16 bits

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ uncompress package.txt.Z

We are now left with an ASCII text file:

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ file package.txt
package.txt: ASCII text

elf@f1f91b2bb7f2:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth
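
The unwrapping steps above, generalized as an added example (not part of the original writeup or the challenge): a Python loop that identifies each layer by its magic bytes, much as the file command does, and peels it in memory regardless of the order the layers come in. The names peel and unwrap are illustrative, and the compress (.Z) branch assumes a gzip binary is on the PATH.

```python
import base64, binascii, bz2, io, lzma, re, subprocess, sys, tarfile, zipfile

# One xxd row: 8-digit offset, ": ", hex groups; the ASCII column is ignored.
XXD_LINE = re.compile(rb"^[0-9a-f]{8}: ((?:[0-9a-f]{2,4} ?)+)", re.M)

def peel(data):
    """Strip one wrapping layer; return (layer_name, inner_bytes) or None."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "zip", z.read(z.namelist()[0])   # assumes a single member
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress(data)
    if data[:2] == b"\x1f\x9d":
        # compress(1) output has no stdlib decoder; gzip can read it.
        out = subprocess.run(["gzip", "-dc"], input=data, capture_output=True, check=True)
        return "compress", out.stdout
    if XXD_LINE.match(data):
        hexpart = b"".join(XXD_LINE.findall(data)).replace(b" ", b"")
        return "xxd", binascii.unhexlify(hexpart)
    if data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            member = next(m for m in t if m.isfile())
            return "tar", t.extractfile(member).read()  # read in memory, nothing written to disk
    try:
        inner = base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None
    # Short plain words can be valid base64, so require a known layer inside.
    return ("base64", inner) if inner and peel(inner) else None

def unwrap(data, max_layers=32):
    """Peel until no layer is recognised; max_layers bounds the nesting depth."""
    layers = []
    while len(layers) < max_layers:
        step = peel(data)
        if step is None:
            break
        layers.append(step[0])
        data = step[1]
    return layers, data

if __name__ == "__main__":
    layers, payload = unwrap(open(sys.argv[1], "rb").read())
    print(" -> ".join(layers) or "no known layer")
    sys.stdout.buffer.write(payload)
```

The depth limit does not cap decompressed size, so for files pulled from a bucket you do not control, run it in a scratch container or VM.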

Helpful Advice

Watch the helpful training video early on. It talks about trying variations of S3 names to find hidden buckets.


North Pole: The Frostiest Place on Earth