2. Investigate S3 Bucket

Introduction

Shinny Upatree in Front of the Castle

Say, we've been having an issue with an Amazon S3 bucket.

Do you think you could help find Santa's package file?

Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files!

Digininja has a great guide, if you're new to S3 searching.

He even released a tool for the task - what a guy!

The package wrapper Santa used is reversible, but it may take you some trying.

Good luck, and thanks for pitching in!

Solution

Can you help me? Santa has been experimenting with new wrapping technology, and
we've run into a ribbon-curling nightmare!
We store our essential data assets in the cloud, and what a joy it's been!
Except I don't remember where, and the Wrapper3000 is on the fritz!

Can you find the missing package, and unwrap it all the way?

Let's see what is available:

elf@ee5849501466:~$ ls -al 
total 28
drwxr-xr-x 1 elf  elf  4096 Dec  1 19:25 .
drwxr-xr-x 1 root root 4096 Dec  1 19:25 ..
-rw-r--r-- 1 elf  elf   220 Apr 18  2019 .bash_logout
-rwxr-xr-x 1 elf  elf    90 Dec  1 19:17 .bashrc
-rw-r--r-- 1 elf  elf   807 Apr 18  2019 .profile
-rw-r--r-- 1 elf  elf   179 Dec  1 19:17 TIPS
drwxr-xr-x 1 elf  elf  4096 Dec  1 19:25 bucket_finder
elf@ee5849501466:~$ cat TIPS
# TIPS
- If you need an editor to create a file you can run nano (vim is also
  available).
- Everything you need to solve this challenge is provided in this terminal
  session.

It looks like we need to use bucket_finder, which is discussed in Josh Wright's talk.

elf@ee5849501466:~$ cd bucket_finder/
elf@ee5849501466:~/bucket_finder$ ls
README  bucket_finder.rb  wordlist
elf@ee5849501466:~/bucket_finder$ cat wordlist
kringlecastle
wrapper
santa
elf@ee5849501466:~/bucket_finder$ vi wordlist

Add some more words to the list, built from combinations of 'santa', 'wrapper' and '3000'.

elf@ee5849501466:~/bucket_finder$ cat wordlist
kringlecastle
wrapper
wrapper3000
wrapper-3000
santa
santawrapper
santawrapper3000
santa-wrapper
santa-wrapper-3000
santa-wrapper3000
elf@ee5849501466:~/bucket_finder$

Now run bucket_finder.rb on the wordlist. There is a hit on the wrapper3000 bucket (http://s3.amazonaws.com/wrapper3000).

elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb --help
bucket_finder 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
Usage: bucket_finder [OPTION] ... wordlist
        --help, -h: show help
        --download, -d: download the files
        --log-file, -l: filename to log output to
        --region, -r: the region to use, options are:
                                        us - US Standard
                                        ie - Ireland
                                        nc - Northern California
                                        si - Singapore
                                        to - Tokyo
        -v: verbose
        wordlist: the wordlist to use
elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb wordlist
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Public> http://s3.amazonaws.com/wrapper3000/package
http://s3.amazonaws.com/wrapper-3000
Bucket does not exist: wrapper-3000
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
        Bucket found but access denied: santa
http://s3.amazonaws.com/santawrapper
Bucket does not exist: santawrapper
http://s3.amazonaws.com/santawrapper3000
Bucket does not exist: santawrapper3000
http://s3.amazonaws.com/santa-wrapper
Bucket does not exist: santa-wrapper
http://s3.amazonaws.com/santa-wrapper-3000
Bucket does not exist: santa-wrapper-3000
http://s3.amazonaws.com/santa-wrapper3000
Bucket does not exist: santa-wrapper3000
elf@ee5849501466:~/bucket_finder$ 

Create a simple wordlist with the bucket name that matched.

elf@ee5849501466:~/bucket_finder$ echo "wrapper3000" > wordlist.found

Now download the contents of the bucket.

elf@ee5849501466:~/bucket_finder$ ./bucket_finder.rb --download wordlist.found 
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Downloaded> http://s3.amazonaws.com/wrapper3000/package
elf@ee5849501466:~/bucket_finder$ 

There is one file in the bucket: wrapper3000/package.

The next step is to examine the file to see what it might be. It turns out to be a base64 encoded zip file.

elf@ee5849501466:~/bucket_finder$ file wrapper3000/package 
wrapper3000/package: ASCII text, with very long lines
elf@ee5849501466:~/bucket_finder$ cat wrapper3000/package
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AXyl9
1eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2p
oAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg
8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIW
aJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0okb
1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceDQexsLsJ3C89Z/gQ6X
n6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/OGdQJiIHv4u5IpwoSG0l
sV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRh
ci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA
elf@ee5849501466:~/bucket_finder$ base64 -d wrapper3000/package | file -
/dev/stdin: Zip archive data, at least v1.0 to extract
elf@ee5849501466:~/bucket_finder$ mkdir tmp
elf@ee5849501466:~/bucket_finder$ base64 -d wrapper3000/package > tmp/package.zip

The zip file is now extracted:

elf@ee5849501466:~/bucket_finder/tmp$ unzip package.zip 
Archive:  package.zip
 extracting: package.txt.Z.xz.xxd.tar.bz2

The archive contains a bzip2-compressed tar file that needs to be extracted. The -j option tells tar to decompress bzip2 as it extracts.

elf@ee5849501466:~/bucket_finder/tmp$ tar -xjf package.txt.Z.xz.xxd.tar.bz2
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt.Z.xz.xxd  package.txt.Z.xz.xxd.tar.bz2  package.zip

Next we have a .xxd file, which is a hex dump. xxd has an option, -r, that reverts a hex dump back into a binary file.

elf@ee5849501466:~/bucket_finder/tmp$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz 

xz is another compression format, so let's decompress this file.

elf@ee5849501466:~/bucket_finder/tmp$ xz --decompress package.txt.Z.xz
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt.Z  package.txt.Z.xz.xxd  package.txt.Z.xz.xxd.tar.bz2  package.zip

.Z files are compressed with the LZW compression algorithm, which is quite an old compression method.

elf@ee5849501466:~/bucket_finder/tmp$ uncompress package.txt.Z
elf@ee5849501466:~/bucket_finder/tmp$ ls
package.txt  package.txt.Z.xz.xxd  package.txt.Z.xz.xxd.tar.bz2  package.zip

So finally, a text file with the answer.

elf@ee5849501466:~/bucket_finder/tmp$ cat package.txt
North Pole: The Frostiest Place on Earth
elf@ee5849501466:~/bucket_finder/tmp$

This objective has demonstrated 2 ways to handle binary data as ASCII text and 4 ways to compress data. Both can be useful in data exfiltration.
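The same unwrapping can be driven by magic bytes rather than by the file extension, which is how an unknown object recovered from an exposed bucket would normally be triaged. The following is an added example, not part of the original write-up: `peel` and `unwrap` are hypothetical names, the sample input is constructed, and the LZW (.Z) layer is only detected, because Python's standard library has no decoder for it.

```python
import base64, binascii, bz2, io, lzma, re, tarfile, zipfile

# One row of default xxd output: offset, hex groups, two spaces, ASCII column.
XXD_ROW = re.compile(rb"^[0-9a-f]{8}: ((?:[0-9a-f]{2,4} )+) ", re.M)

def peel(data):
    """Strip one recognised layer; return (name, inner_bytes) or None."""
    if data[:4] == b"PK\x03\x04":                     # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "zip", z.read(z.namelist()[0])     # first member only
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress(data)
    if data[257:262] == b"ustar":                     # tar magic sits at offset 257
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            first = next(m for m in t if m.isfile())
            return "tar", t.extractfile(first).read()
    if XXD_ROW.match(data):                           # hex dump, as reverted by xxd -r
        rows = XXD_ROW.findall(data)
        return "xxd", binascii.unhexlify(b"".join(rows).replace(b" ", b""))
    packed = b"".join(data.split())                   # base64 files are line-wrapped
    if len(packed) >= 16:
        try:
            return "base64", base64.b64decode(packed, validate=True)
        except binascii.Error:
            pass                                      # not base64: treat as payload
    return None

def unwrap(data, max_depth=16):
    """Peel layers until nothing is recognised; max_depth bounds the nesting."""
    layers = []
    while len(layers) < max_depth:
        step = peel(data)
        if step is None:
            break
        layers.append(step[0])
        data = step[1]
    if data[:2] == b"\x1f\x9d":                       # compress(1) LZW magic
        layers.append("lzw-Z (finish with uncompress)")
    return layers, data

if __name__ == "__main__":
    # Constructed sample, not the challenge file: text -> xz -> bzip2 -> base64.
    text = b"constructed sample: not the real package\n"
    print(unwrap(base64.encodebytes(bz2.compress(lzma.compress(text)))))
```

Short alphanumeric text can also be valid base64, so a final "base64" layer should be confirmed by checking what it decodes to.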

Answer

North Pole: The Frostiest Place on Earth