My Own Challenge - Last Forever
Talk about AWS S3 bucket with active versioning

Cover Illustration source https://www.pixiv.net/en/artworks/97570152
Hello all, I will continue writing about cloud CTF challenges. But instead of solving challenges from CTF competitions out there, in this post I talk about my own challenges. The challenges were listed on a CTF playground platform, but the platform itself is now closed, so I decided to write about them.
(yapping) unrelated to the challenge
So, the first challenge is called Last Forever, which is about an AWS S3 bucket. Here is the challenge description.
I have erased all my memories of you. But, why are you still in the deepest part of my heart? :')
The challenge is still up, so you can try to solve it by yourself before reading this post. I will give the source code and explain how to deploy the challenge later in this post.
Let's start solving this challenge.
First, open the link provided in the description with a browser. Here is the page we get.

Nothing special about the website itself, it is just a static page. Since it is a cloud challenge, it might be useful to use dig to find out which cloud provider is used in this challenge.

From the dig answer section we can see that the website is served as a static website hosted on an AWS S3 bucket, because it uses the CNAME s3-website.<region>.amazonaws.com.
Since it is a static website, the bucket should have public access to list objects. So, we can just go to http://forever.lychnobyte.my.id.s3.us-east-2.amazonaws.com to list all objects in the bucket.

As we can see, there are several objects. The unusual ones are memories.txt and myheart.txt.
Opening the memories.txt object, it seems like we need to open myheart.txt.

Opening the myheart.txt object, it mentions "deepest".

So I guess it is related to bucket versioning in AWS S3. It is a feature that lets the bucket keep storing the old versions of an object.
We can list the old versions by just appending /?versions to the bucket URL.

There are many versions available for the object myheart.txt. Let's try to open one of the old versions of myheart.txt. The link pattern to open an object at a certain version is <object-path>?versionId=<version-id>.

Hmm, it only shows 1 letter. So, I assume that to get the whole flag we need to retrieve all the letters and then combine them. Because manual work is so boring, let's use a solver script. Here is the solver I use:
    import requests
    import xml.etree.ElementTree as ET

    # List every version of every object in the bucket
    res = requests.get('http://forever.lychnobyte.my.id.s3.amazonaws.com/?versions')
    root = ET.fromstring(res.text)

    # Collect the version IDs of myheart.txt (S3 lists them newest first)
    all_versions = []
    for versions in root.findall('{http://s3.amazonaws.com/doc/2006-03-01/}Version'):
        version_id = versions.find('{http://s3.amazonaws.com/doc/2006-03-01/}VersionId').text
        file_name = versions.find('{http://s3.amazonaws.com/doc/2006-03-01/}Key').text
        if file_name == "myheart.txt":
            all_versions.append(version_id)

    # Skip the current version and fetch one letter from each old version
    flag = ""
    for version in all_versions[1:]:
        res = requests.get('http://forever.lychnobyte.my.id.s3.amazonaws.com/myheart.txt?versionId=' + version)
        flag += res.text.strip()

    # The letters were collected newest first, so reverse them
    print(flag[::-1])
So, just run the solver and we get the flag.

Flag: TCP1P{jus7_l1k3_wh4t_1_s4id_y0u_4lw4ys_r3m4in5_h3r3_f0r3v3r_:')}
It's just a simple challenge, isn't it? :)
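Seen from the bucket owner's side, the same ?versions listing shows which keys still expose older data after an overwrite or a delete. The sketch below is an added example, not part of the original challenge code: the function name audit_versions and the sample listing (with made-up version IDs) are constructed for illustration. It goes a little beyond the solver by also handling delete markers and truncated listings.

```python
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of a version listing (not captured from the challenge bucket).
SAMPLE = """<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <IsTruncated>true</IsTruncated>
  <NextKeyMarker>notes.txt</NextKeyMarker>
  <NextVersionIdMarker>v2-constructed</NextVersionIdMarker>
  <Version><Key>index.html</Key><VersionId>null</VersionId><IsLatest>true</IsLatest></Version>
  <DeleteMarker><Key>notes.txt</Key><VersionId>v4-constructed</VersionId><IsLatest>true</IsLatest></DeleteMarker>
  <Version><Key>notes.txt</Key><VersionId>v3-constructed</VersionId><IsLatest>false</IsLatest></Version>
  <Version><Key>notes.txt</Key><VersionId>v2-constructed</VersionId><IsLatest>false</IsLatest></Version>
</ListVersionsResult>"""


def audit_versions(xml_text):
    """Return (keys that still expose old versions, next-page markers or None)."""
    root = ET.fromstring(xml_text)
    report = {}
    for entry in root:
        kind = entry.tag.replace(NS, "")
        if kind not in ("Version", "DeleteMarker"):
            continue
        key = entry.findtext(NS + "Key")
        info = report.setdefault(key, {"noncurrent": [], "deleted": False})
        latest = entry.findtext(NS + "IsLatest") == "true"
        if kind == "DeleteMarker":
            # A "deleted" object: a plain GET fails, but older versions remain.
            info["deleted"] = info["deleted"] or latest
        elif not latest:
            info["noncurrent"].append(entry.findtext(NS + "VersionId"))
    next_page = None
    if root.findtext(NS + "IsTruncated") == "true":
        next_page = {
            "key-marker": root.findtext(NS + "NextKeyMarker"),
            "version-id-marker": root.findtext(NS + "NextVersionIdMarker"),
        }
    # Keep only the keys whose older content is still stored.
    exposed = {k: v for k, v in report.items() if v["noncurrent"]}
    return exposed, next_page


if __name__ == "__main__":
    print(audit_versions(SAMPLE))
```

Every version ID in the report stays readable to anyone allowed to fetch object versions until that version is deleted by ID or expired by a lifecycle rule for noncurrent versions.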
You can see all the source code for this challenge in my repository here: https://github.com/afmaghribi/BrokenHeartEdition/tree/master/Cloud/Last_Forever
The challenge is still up and the bucket still exists, so if you want to deploy your own bucket, change the credentials and the bucket name in the main.tf file:
    provider "aws" {
      profile                  = "awscli"
      region                   = "us-east-2"
      shared_credentials_files = ["/home/curiozan/.aws/credentials"] # Change here
    }

    # S3 Bucket name
    resource "aws_s3_bucket" "my_s3_bucket" {
      bucket = "forever.lychnobyte.my.id" # Change here
    }





