Another day, another challenge.
Today’s blog post we will solve the third level of the flAWS CTF challenge.
To read the post for the second level click HERE.
Let’s get started.
Going to the URL: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/, we see:
OK, we need to find an AWS key. Let’s see if we can find it.
First, we’re going to run the aws sync command. The sync command synchronize directories in a S3 buckets.
We’re going to enter the following: aws sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ .
Let’s break it down.
- We’re calling aws and specifying we want to sync a bucket
- We’re specifying the s3 bucket
- We’re specifying we want to have the synced files to be in our current folder (.)
After entering the command we get the following:
We see the bucket is using GitHub. Let’s get the logs.
We’re going to run the git log command, which shows the following:
Hmm… we have a commit hash, let’s see if we can get more information.
Executing the command git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61, we see the following:
Next, we’re going to list the contents of the folder, and see what we find.
Hmm… there’s an access_key.txt file, let’s see what’s in the file.
Opening the file (type ./access_keys.txt). We see an access_key and secret_access_key!
Let’s try to log into the AWS account.
We’re going to enter the command aws –profile level3 configure.
Let’s break this down
- Were stating we want to use aws with a named profile (of a specific user)
- We’re specifying the profile (user level3)
- We’re specifying configuration variables (from the config file)
Entering the access key, secret access key, region name (we found this in level 1), and pressing enter, we get the command prompt.
Let’s see if we have access to the bucket.
Entering the command aws –profile level3 s3 ls we see:
The contents are displayed, which means we have successfully gained access to the bucket.
Takeaways from the challenge:
Be careful what you store in git – logs are publicly accessible!
For this challenge, we were able to find access, secret access keys, and log into a AWS bucket all from a git commit message.