Winja CTF, Quiz #3 — WriteUp

Winja CTF is an initiative by nullcon, they already posted a few interesting quizzes, quiz#2 was about android Reverse Engineering, my friend did a good job and actually won the quiz, so check the amazing writeup — winja ctfquiz#2 — writeup

What Quiz#3 is about?

In quiz#3 they provided CognitoIdentify’s PoolId and region. To be honest when I started this challenge, had no idea what it was but it gave me a perfect oportunity to learnt it.

Amazon Cognito

Amazon Cognito is a user identity and data synchronization service that makes it easy for developers to manage user data for their apps across multiple mobiles or connected devices they can create identities for users of their app use public log-in providers like Google Facebook and Amazon. Just save the user data using the Amazon Cognito API and sync it and that’s it the user’s data is securely synced and stored in the AWS cloud. If the website uses other AWS services (like Amazon S3, Amazon Dynamo DB, etc.) Amazon Cognito provides you with delivering temporary credentials with limited privileges that users can use to access database resources.

Getting AWS credentials

boto3 (Python) can be used to interact with AWS Cognito, authenticate users, obtain AWS credentials from identity pools, and consume other AWS services.

We can obtain AWS credentials from an identity pool, but there are few requirements:

  • The identity pool needs to be a valid identity pool identifier
  • The identity pool needs to have an unauthenticated role

with the following code, we can obtain Aws credentials: Access key, secret key, and session token

We got the credentials, Now we can access AWS CLI, but first, configure these credentials

Open ~/.aws/credentials and put: aws_access_key_id, aws_secret_access_key and AWS_SESSION_TOKEN

After configuring AWS credentials we can access it

Never mind the tee command, my terminal outputs it on full screen…

So, we have unauthRole.

First thing first, I tried to enumerate available commands with — cloud-service-enum script, Which gave me zero results.

After this hint from Winja, it was obvious that the flag was on s3 bucket

After that hint, I tried to somehow guess the s3 name…

after some googling I found this amazing post about s3 — A practical guide to testing security

Which in this situation was not helpful at all but guess what, I learned a lot from it. It will be helpful for me in future Pentest projects.

Getting the flag

They actually gave us the s3 bucket name, after figuring that out, we can just grab the flag.

Born at a very young age.