Cloud Challenge
Every year, DarkLab organises a Capture the Flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.
HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.
The theme this year was “Security the Basics”, based on the experience and real life challenges that organisations in Hong Kong have faced in 2020 – as observed by our own Red Team and Incident Response professionals.
In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year!
Make it Rain in the Bucket (50 pts, 14 solves)
Description: Unintended sensitive information disclosure comes in many shapes and forms. You would be surprised with the information you can find through detailed enumeration and a bit of online research. Can you unlock the secrets within to take you to the next part of the network? http://www.hackaday.info
P.S. AWS account is not required for this question
This first challenge is meant to emulate an unsecured AWS s3 bucket. The website hackaday.info is a static webpage hosted as an AWS S3 bucket. When hosting a website as an AWS S3 bucket, the bucket name (hackday.info) must match the domain name (hackday.info). By enumerating the site with a ping request, we get the following data:
The ping returns with the domain name s3-website.ap-east-1.amazon.com. If we access the domain, it will return the objects stored in the bucket.
An interesting file should catch your attention – admin_users_only/useraccess.txt -which contains the first flag.
Keys behind the wall (100 pts, 8 solves)
Description: There might be something insecure with this web application, if you could find the keys behind this application, you are one step closer to the image. The flag format is hackadayxxxxxxx
This challenge was meant to emulate a SSRF vulnerability in the application hosted on an AWS EC2 instance.
The SSRF attack allows to request the metadata of the EC2 instance. In AWS the metadata can be access by browsing to http://169.254.169.254.
As shown below, the AccessKeyId, SecretAccessKey and token are exposed, and an attacker could then impersonate the role attached on the machine using the temporary credentials and conduct additional discovery. The second flag is the role name.
Secret in the Image (200 pts, 1 solves)
Description: The secret lies in the image
This challenge was meant to emulate a misconfigured AMI-image which allows public access. With the credentials for programmatic access to AWS obtained from the second challenge, we can use our own AWS account to impersonate the role by changing the authentication file ~/.aws/credentials.
Once we assume the role, we can start enumerating the policies attached to the role to determine the level of privilege that the role has.
As shown above, the role has two policies attached. The hackadaypolicy is a custom policy created for this role. The next step would be to enumerate the hackadaypolicy to determine what permissions are assigned in the policy.
The screenshot above shows all the permissions that are assigned to the policy. If we enumerate all the permission given, we would stumble upon ec2:DescribeImage which has the parameter set to public = true with the AMI-ID shown.
This shows that the AMI-image created by this role is set to public, which allows everyone with an AWS account to access it.
We can then search for the instance from the community AMI group and launch the instance.
Once we launch the AMI , the 3rd flag can be found under the /tmp folder of the EC2 instance.
That’s it for this challenge, stay tuned for the third and last post which will walk through the Incident Response and Threat Intelligence challenge.
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.