Winja CTF, Quiz #3 — WriteUp
Winja CTF is an initiative by nullcon, they already posted a few interesting quizzes, quiz#2 was about android Reverse Engineering, my friend did a good job and actually won the quiz, so check the amazing writeup — winja ctfquiz#2 — writeup
What Quiz#3 is about?
In quiz#3 they provided CognitoIdentify’s PoolId and region. To be honest when I started this challenge, had no idea what it was but it gave me a perfect oportunity to learnt it.
Amazon Cognito is a user identity and data synchronization service that makes it easy for developers to manage user data for their apps across multiple mobiles or connected devices they can create identities for users of their app use public log-in providers like Google Facebook and Amazon. Just save the user data using the Amazon Cognito API and sync it and that’s it the user’s data is securely synced and stored in the AWS cloud. If the website uses other AWS services (like Amazon S3, Amazon Dynamo DB, etc.) Amazon Cognito provides you with delivering temporary credentials with limited privileges that users can use to access database resources.
Getting AWS credentials
AWS Cognito supports both authenticated and unauthenticated roles. Each role can have a different IAM permission set.
boto3 (Python) can be used to interact with AWS Cognito, authenticate users, obtain AWS credentials from identity pools, and consume other AWS services.
We can obtain AWS credentials from an identity pool, but there are few requirements:
- The identity pool needs to be a valid identity pool identifier
- The identity pool needs to have an unauthenticated role
with the following code, we can obtain Aws credentials: Access key, secret key, and session token
We got the credentials, Now we can access AWS CLI, but first, configure these credentials
Open ~/.aws/credentials and put: aws_access_key_id, aws_secret_access_key and AWS_SESSION_TOKEN
After configuring AWS credentials we can access it
The following command Returns details about the IAM user or role whose credentials are used to call the operation.
So, we have unauthRole.
First thing first, I tried to enumerate available commands with — cloud-service-enum script, Which gave me zero results.
After this hint from Winja, it was obvious that the flag was on s3 bucket
After that hint, I tried to somehow guess the s3 name…
Because, With these credentials, we can’t just ls and see s3 buckets
after some googling I found this amazing post about s3 — A practical guide to testing security
Which in this situation was not helpful at all but guess what, I learned a lot from it. It will be helpful for me in future Pentest projects.
Getting the flag
After trying every available option I had, I looked at this Photo again and ….
They actually gave us the s3 bucket name, after figuring that out, we can just grab the flag.