2. Investigate S3 Bucket
Introduction
Shinny Upatree in Front of the Castle
Say, we've been having an issue with an Amazon S3 bucket.
Do you think you could help find Santa's package file?
Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files!
Digininja has a great guide, if you're new to S3 searching.
He even released a tool for the task - what a guy!
The package wrapper Santa used is reversible, but it may take you some trying.
Good luck, and thanks for pitching in!
Objective
Hints
Solution
Can you help me? Santa has been experimenting with new wrapping technology, and
we've run into a ribbon-curling nightmare!
We store our essential data assets in the cloud, and what a joy it's been!
Except I don't remember where, and the Wrapper3000 is on the fritz!
Can you find the missing package, and unwrap it all the way?
Let's see what is available:
elf@ee5849501466:~$ ls -al
total 28
drwxr-xr-x 1 elf elf 4096 Dec 1 19:25 .
drwxr-xr-x 1 root root 4096 Dec 1 19:25 ..
-rw-r--r-- 1 elf elf 220 Apr 18 2019 .bash_logout
-rwxr-xr-x 1 elf elf 90 Dec 1 19:17 .bashrc
-rw-r--r-- 1 elf elf 807 Apr 18 2019 .profile
-rw-r--r-- 1 elf elf 179 Dec 1 19:17 TIPS
drwxr-xr-x 1 elf elf 4096 Dec 1 19:25 bucket_finder
elf@ee5849501466:~$ cat TIPS
# TIPS
- If you need an editor to create a file you can run nano (vim is also
available).
- Everything you need to solve this challenge is provided in this terminal
session.
It looks like we need to use bucket_finder, which is discussed in Josh Wright's talk.
elf@ee5849501466:~$ cd bucket_finder/
elf@ee5849501466:~/bucket_finder$ ls
README bucket_finder.rb wordlist
elf@ee5849501466:~/bucket_finder$ cat wordlist
kringlecastle
wrapper
santa
elf@ee5849501466:~/bucket_finder$ vi wordlist
Add some more words to the list, built from combinations of 'santa', 'wrapper' and '3000'.
elf@ee5849501466:~/bucket_finder$ cat wordlist
kringlecastle
wrapper
wrapper3000
wrapper-3000
santa
santawrapper
santawrapper3000
santa-wrapper
santa-wrapper-3000
santa-wrapper3000
elf@ee5849501466:~/bucket_finder$
Now run bucket_finder.rb on the wordlist. There is a hit on http://s3.amazonaws.com/wrapper3000
elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb --help
bucket_finder 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
Usage: bucket_finder [OPTION] ... wordlist
--help, -h: show help
--download, -d: download the files
--log-file, -l: filename to log output to
--region, -r: the region to use, options are:
us - US Standard
ie - Ireland
nc - Northern California
si - Singapore
to - Tokyo
-v: verbose
wordlist: the wordlist to use
elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb wordlist
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Public> http://s3.amazonaws.com/wrapper3000/package
http://s3.amazonaws.com/wrapper-3000
Bucket does not exist: wrapper-3000
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
Bucket found but access denied: santa
http://s3.amazonaws.com/santawrapper
Bucket does not exist: santawrapper
http://s3.amazonaws.com/santawrapper3000
Bucket does not exist: santawrapper3000
http://s3.amazonaws.com/santa-wrapper
Bucket does not exist: santa-wrapper
http://s3.amazonaws.com/santa-wrapper-3000
Bucket does not exist: santa-wrapper-3000
http://s3.amazonaws.com/santa-wrapper3000
Bucket does not exist: santa-wrapper3000
elf@ee5849501466:~/bucket_finder$
Create a simple wordlist with the bucket name that matched.
elf@ee5849501466:~/bucket_finder$ echo "wrapper3000" > wordlist.found
Now download the contents of the bucket.
elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb --download wordlist.found
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Downloaded> http://s3.amazonaws.com/wrapper3000/package
elf@ee5849501466:~/bucket_finder$
There is one file in the bucket: wrapper3000/package.
The next step is to examine the file to see what it might be. It turns out to be a base64 encoded zip file.
elf@ee5849501466:~/bucket_finder$ file wrapper3000/package
wrapper3000/package: ASCII text, with very long lines
elf@ee5849501466:~/bucket_finder$ cat wrapper3000/package
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AXyl9
1eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2p
oAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg
8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIW
aJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0okb
1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceDQexsLsJ3C89Z/gQ6X
n6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/OGdQJiIHv4u5IpwoSG0l
sV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRh
ci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA
elf@ee5849501466:~/bucket_finder$ base64 -d wrapper3000/package | file -
/dev/stdin: Zip archive data, at least v1.0 to extract
elf@ee5849501466:~/bucket_finder$ mkdir tmp
elf@ee5849501466:~/bucket_finder$ base64 -d wrapper3000/package > tmp/package.zip
The zip file is now extracted:
elf@ee5849501466:~/bucket_finder/tmp$ unzip package.zip
Archive: package.zip
extracting: package.txt.Z.xz.xxd.tar.bz2
The -j option for tar will decompress bzip2 files.
elf@ee5849501466:~/bucket_finder/tmp$ tar -xjf package.txt.Z.xz.xxd.tar.bz2
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt.Z.xz.xxd package.txt.Z.xz.xxd.tar.bz2 package.zip
Next we have a .xxd file, which is a hexdump. xxd has an option, -r, to revert the hexdump into a binary file.
elf@ee5849501466:~/bucket_finder/tmp$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz
xz is another compression format, so let's decompress this file.
elf@ee5849501466:~/bucket_finder/tmp$ xz --decompress package.txt.Z.xz
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt.Z package.txt.Z.xz.xxd package.txt.Z.xz.xxd.tar.bz2 package.zip
.Z files are compressed with the LZW compression algorithm, which is quite an old compression method.
elf@ee5849501466:~/bucket_finder/tmp$ uncompress package.txt.Z
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt package.txt.Z.xz.xxd package.txt.Z.xz.xxd.tar.bz2 package.zip
So finally, a text file with the answer.
elf@ee5849501466:~/bucket_finder/tmp$ cat package.txt
North Pole: The Frostiest Place on Earth
elf@ee5849501466:~/bucket_finder/tmp$
This objective has demonstrated 2 ways to handle binary data as ASCII text and 4 ways to compress data, both of which can be useful in data exfiltration.
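The manual unwrapping above relied on the file name to pick each tool. As an added example (not part of the original write-up), the sketch below generalises it by identifying every layer from its content, which is what an analyst needs when a recovered payload has no helpful extension. The function names and the sample are constructed for illustration; the .Z (LZW) layer is left to uncompress because Python's standard library has no decoder for it.

```python
import base64, binascii, bz2, io, lzma, re, tarfile, zipfile

# One `xxd` row: 8-digit offset, hex groups, two spaces, then the ASCII column.
XXD_ROW = re.compile(rb"^[0-9a-f]{8}: ((?:[0-9a-f]{2,4} ?)+) ", re.M)

def peel(data):  # strip one layer, chosen by content rather than file name
    if data[:4] == b"PK\x03\x04":  # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "zip", z.read(z.namelist()[0])
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress(data)
    if data[257:262] == b"ustar":  # tar magic sits at offset 257
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            first = next(m for m in t if m.isfile())
            return "tar", t.extractfile(first).read()
    rows = XXD_ROW.findall(data)
    if rows:
        return "xxd", bytes.fromhex(b"".join(rows).decode())
    # .Z (magic 1f 9d, LZW) falls through to None: no stdlib decoder, use uncompress.
    try:  # tried last: a short run of letters is also valid base64
        return "base64", base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None

def unwrap(data, max_layers=16):  # max_layers bounds hostile nesting
    layers = []
    while data and len(layers) < max_layers and (step := peel(data)):
        layers.append(step[0])
        data = step[1]
    return layers, data

def xxd_dump(data):  # sample builder only: lay bytes out the way `xxd` prints them
    rows = []
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{off:08x}: {row.hex(' ', -2):<39}  {text}\n")
    return "".join(rows).encode()

def build_sample(secret):  # constructed input: text -> xz -> xxd -> tar -> bz2 -> zip -> base64
    tar_buf, zip_buf, dump = io.BytesIO(), io.BytesIO(), xxd_dump(lzma.compress(secret))
    with tarfile.open(fileobj=tar_buf, mode="w") as t:
        info = tarfile.TarInfo("sample.txt.xz.xxd")
        info.size = len(dump)
        t.addfile(info, io.BytesIO(dump))
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("sample.txt.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.encodebytes(zip_buf.getvalue())
```

Archive members are read in memory and never written to paths taken from the archive. For untrusted input, also cap the decompressed size of each layer.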
Answer
North Pole: The Frostiest Place on Earth