Investigate S3 Bucket

After recovering Santa’s gift list, I take the snow lift and arrive at the Kringle Castle’s Front Lawn. Here, I find a few characters, including Santa himself, who greets me right away:

Hello and welcome to the North Pole! We’re super excited about this year’s KringleCon 3: French Hens. My elves have been working all year to upgrade the castle. It was a HUGE construction project, and we’ve nearly completed it. Please pardon the remaining construction dust around the castle and enjoy yourselves!
The 2nd objective in the badge instructs me to investigate some S3 bucket used at the North Pole. For hints, I talk with Shinny Upatree in the bottom right corner. But first, he asks for a favor with the Kringle Kiosk terminal:

Hiya hiya - I’m Shinny Upatree! Check out this cool KringleCon kiosk! You can get a map of the castle, learn about where the elves are, and get your own badge printed right on-screen! Be careful with that last one though. I heard someone say it’s “ingestible.” Or something… Do you think you could check and see if there is an issue?
The Kringle Kiosk challenge involves escaping from the application via a Command Injection:
Welcome to our castle, we're so glad to have you with us!
Come and browse the kiosk; though our app's a bit suspicious.
Poke around, try running bash, please try to come discover,
Need our devs who made our app pull/patch to help recover?

Escape the menu by launching /bin/bash << THE TASK!
Once I open the Kiosk and hit enter, I see a list of menu items to choose from:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Welcome to the North Pole!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Map
2. Code of Conduct and Terms of Use
3. Directory
4. Print Name Badge
5. Exit

Please select an item from the menu by entering a single number.
Anything else might have ... unintended consequences.
Enter choice [1 - 5]
Keeping in mind Shinny’s advice about option 4 that’s used to print badges, I chose that option. This may be the one that has the Command Injection flaw. When it’s selected it even has a warning about special characters. Let’s see how it handles my username + some special characters: FLRNKS; /bin/bash
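Why the `;` in that input matters, as an added example that is not part of the original write-up: the kiosk's source is not shown here, so `print_badge_vulnerable` and `print_badge_hardened` are hypothetical stand-ins for a badge handler, shown in its injectable form next to a corrected one. The allow-list policy and the sample input are assumptions, and the sample uses a harmless `echo` marker as the second command.

```python
import re
import subprocess

NAME_OK = re.compile(r"[A-Za-z0-9 _-]{1,32}")  # assumed badge-name policy

def print_badge_vulnerable(name):
    # Input is spliced into a command line that /bin/sh parses, so ';' ends the
    # intended command and whatever follows runs as a second command.
    cmd = f"echo Badge: {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def print_badge_hardened(name):
    # 1) Reject anything outside the allow-list before it reaches a process.
    if not NAME_OK.fullmatch(name):
        raise ValueError("badge name contains disallowed characters")
    # 2) Pass an argv list with no shell: the name is one argument, never syntax.
    return subprocess.run(["echo", "Badge:", name], capture_output=True, text=True).stdout

SAMPLE = "FLRNKS; echo INJECTED"  # constructed input with a harmless marker command
```

With `SAMPLE`, the first function's output contains a separate `INJECTED` line produced by the second command, while the second function raises `ValueError` before any process is started.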

Now that wasn’t too hard! I then talk to Shinny to get those hints he promised:
Golly - wow! You sure found the flaw for us! Say, we’ve been having an issue with an Amazon S3 bucket. Do you think you could help find Santa’s package file? Jeepers, it seems there’s always a leaky bucket in the news. You’d think we could find our own files! Digininja has a great guide, if you’re new to S3 searching. He even released a tool for the task - what a guy! The package wrapper Santa used is reversible, but it may take you some trying. Good luck, and thanks for pitching in!
Some hints also from the badge:
- It seems there’s a new story every week about data exposed in unprotected AWS S3 buckets
- Find Santa’s package file in S3, see Josh Wright’s talk for tips
- Robin Wood wrote up a guide about finding these open S3 buckets
- He even wrote a tool to search for unprotected buckets
- Santa’s Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.
To get started I click on the terminal to the right side of Shinny, which brings up a new terminal CLI:

On the terminal’s file system there is a folder called bucket_finder that contains a Ruby script and a wordlist. The script takes this wordlist, iterates over each line, and tests whether an S3 bucket with that name exists and whether it’s public. With the --download flag, it can also download all available objects if a public bucket is found.
The wordlist initially contains only 3 words and none of them map to the bucket I need. Part of the challenge was to come up with new entries in the wordlist in order to find the bucket. While thinking of possibilities, I remembered the Terminal MOTD which had a brightly emphasized word Wrapper3000, so I added two variants of it to the list. First I added it as it was, then with lowercase W, remembering that S3 bucket names are case-sensitive. Lo and behold, the lower-case version was the name of the bucket which had the package file I needed:
elf@6baea2e4fddd:~/bucket_finder$ cat wordlist
...
Wrapper3000
wrapper3000
elf@6baea2e4fddd:~/bucket_finder$ ./bucket_finder.rb wordlist
...
Bucket does not exist: Wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Public> http://s3.amazonaws.com/wrapper3000/package << THE FILE WE NEED!
Running the Ruby script again with the --download flag cloned the bucket to a subdirectory called wrapper3000. Next I navigated to this directory and started inspecting the contents of package:
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package
package: ASCII text, with very long lines
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package
Right away it looked like it was base64 encoded text, so I ran it through base64 -d. Then I checked what kind of file was recovered, and it was in fact a compressed ZIP file:
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package | base64 -d > package-decoded
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package-decoded
package-decoded: Zip archive data, at least v1.0 to extract
Next I used unzip to recover the file that was hiding in this ZIP. The resulting file had a rather long list of extensions which suggested there was more unwrapping to do:
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ unzip package-decoded
Archive:  package-decoded
 extracting: package.txt.Z.xz.xxd.tar.bz2
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package.txt.Z.xz.xxd.tar.bz2
package.txt.Z.xz.xxd.tar.bz2: bzip2 compressed data, block size = 900k
Next, I started peeling back each layer of encoding/compression in reverse order to finally reveal the solution of this Objective:
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ bunzip2 package.txt.Z.xz.xxd.tar.bz2
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ tar xopf package.txt.Z.xz.xxd.tar
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ unxz package.txt.Z.xz
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ uncompress package.txt.Z
elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth
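The manual peeling above can be automated by picking each decoder from the data's magic bytes instead of the file extensions. This is an added example, not part of the original write-up: the function names are hypothetical, and the input is a constructed sample wrapped as text -> xz -> xxd -> tar -> bzip2 -> zip -> base64. The `.Z` layer is left out because Python's standard library has no LZW `compress` decoder.

```python
import base64, binascii, bz2, io, lzma, tarfile, zipfile

def xxd_dump(data):  # sample-building helper: mimic default `xxd` output
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {hexs:<39}  {text}\n")
    return "".join(rows).encode()

def xxd_reverse(dump):  # equivalent of `xxd -r`: keep only each line's hex column
    hexs = (ln.split(": ", 1)[1].split("  ", 1)[0] for ln in dump.decode().splitlines())
    return b"".join(binascii.unhexlify(h.replace(" ", "")) for h in hexs)

def peel(data):  # strip one wrapper chosen by magic bytes -> (name, inner) or None
    # b"\x1f\x9d" (.Z) is not handled here; that layer still needs `uncompress`.
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:  # read in memory, no extractall()
            return "zip", z.read(z.namelist()[0])
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress(data)
    if data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:  # member never hits disk
            return "tar", t.extractfile(t.getmembers()[0]).read()
    if data[:10] == b"00000000: ":
        return "xxd", xxd_reverse(data)
    try:  # last resort: strict base64 with whitespace removed first
        return "base64", base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None

def unwrap(data, max_layers=16):
    layers = []  # the cap stops endlessly nested input
    while len(layers) < max_layers and (hit := peel(data)):
        layers, data = layers + [hit[0]], hit[1]
    return layers, data

def build_sample(secret):  # constructed input, not the real package file
    dump = xxd_dump(lzma.compress(secret))
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as t:
        info = tarfile.TarInfo("package.txt.xz.xxd")
        info.size = len(dump)
        t.addfile(info, io.BytesIO(dump))
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("package.txt.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.encodebytes(zip_buf.getvalue())
```

`unwrap(build_sample(b"..."))` returns the layer names in the order they were removed together with the recovered bytes. Archive members are read into memory instead of being extracted, so a member name inside an untrusted archive is never used as a filesystem path.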
Brrrrrr … 🥶 On to the next objective!