Winja CTF, Quiz #3 — WriteUp

Winja CTF is an initiative by nullcon, they already posted a few interesting quizzes, quiz#2 was about android Reverse Engineering, my friend did a good job and actually won the quiz, so check the amazing writeup — winja ctfquiz#2 — writeup

What Quiz#3 is about?

In quiz#3 they provided CognitoIdentify’s PoolId and region. To be honest when I started this challenge, had no idea what it was but it gave me a perfect oportunity to learnt it.

Amazon Cognito

Getting AWS credentials

AWS Cognito supports both authenticated and unauthenticated roles. Each role can have a different IAM permission set.

boto3 (Python) can be used to interact with AWS Cognito, authenticate users, obtain AWS credentials from identity pools, and consume other AWS services.

We can obtain AWS credentials from an identity pool, but there are few requirements:

  • The identity pool needs to be a valid identity pool identifier
  • The identity pool needs to have an unauthenticated role

with the following code, we can obtain Aws credentials: Access key, secret key, and session token

We got the credentials, Now we can access AWS CLI, but first, configure these credentials

Open ~/.aws/credentials and put: aws_access_key_id, aws_secret_access_key and AWS_SESSION_TOKEN

After configuring AWS credentials we can access it

The following command Returns details about the IAM user or role whose credentials are used to call the operation.

Never mind the tee command, my terminal outputs it on full screen…

So, we have unauthRole.

First thing first, I tried to enumerate available commands with — cloud-service-enum script, Which gave me zero results.

After this hint from Winja, it was obvious that the flag was on s3 bucket

After that hint, I tried to somehow guess the s3 name…

Because, With these credentials, we can’t just ls and see s3 buckets

after some googling I found this amazing post about s3 — A practical guide to testing security

Which in this situation was not helpful at all but guess what, I learned a lot from it. It will be helpful for me in future Pentest projects.

Getting the flag

After trying every available option I had, I looked at this Photo again and ….
Oh Crap!

They actually gave us the s3 bucket name, after figuring that out, we can just grab the flag.

Born at a very young age.