はまやんはまやんはまやん

hamayanhamayan's blog

Recover the Cloud Ring - Holiday Hack Challenge 2022 Writeup by hamayanhamayan [6/8]

English ver. -> https://hackmd.io/@POkJ8tzYSMKRnIFAFaPw4w/SJnFgxLYj
Writeup index


Recover the Cloud Ring

There's an impressive machine sitting here.

AWS CLI Intro

Difficulty: ★
Try out some basic AWS command line skills in this terminal. Talk to Jill Underpole in the Cloud Ring for hints.

Talk to the person next to it and you get a hint.

Hint: In the AWS command line (CLI), the Secure Token Service or STS has one very useful function.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html

Hmm, I see. Opening the console brings up instructions, so just follow them.

You may not know this, but AWS CLI help messages are very easy to access. First, try typing:
$ aws help

Run aws help as instructed.

Great! When you're done, you can quit with q.

Press q to quit.

Next, please configure the default aws cli credentials with the access key AKQAAYRKO7A5Q5XUY2IY,
the secret key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf and the region us-east-1.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config

Type aws configure and enter those values.

Excellent! To finish, please get your caller identity using the AWS command line. For more details please reference:
$ aws sts help
or reference:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/index.html

Reading the reference, aws sts get-caller-identity looks like the right command.
Run it and the challenge is cleared.

Before the next challenge...

Beside the stairs you can clip through the wall, and there's a treasure chest there.

Difficulty: ★★
Use Trufflehog to find secrets in a Git repo. Work with Jill Underpole in the Cloud Ring for hints. What's the name of the file that has AWS credentials?

This challenge has no console.
To extract AWS credentials from https://haugfactory.com/asnowball/aws_scripts.git, find the file that contains them.
At first glance no credentials are included, so dig through the commit history:
git log -p
A section with aws_secret_access_key shows up, so credentials were committed at some point. The name of the file they were written in is the answer.

put_policy.py

Exploitation via AWS CLI

Difficulty: ★★★
Flex some more advanced AWS CLI skills to escalate privileges! Help Gerty Snowburrow in the Cloud Ring to get hints for this challenge.

This one is also solved by following the instructions.

Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git.
Configure these credentials for us-east-1 and then run:
$ aws sts get-caller-identity

Clone the repo and look inside, but no credentials are included.
Check whether they're in the commit history, and there they are.

$ git log -p | grep aws_access_key_id
aws_access_key_id="AKIAAIDAYRANYAHGQOHD"
$ git log -p | grep aws_secret_access_key
aws_secret_access_key="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"
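The two challenges above both come down to the same thing: a credential that was deleted from the working tree is still in `git log -p`. The script below is an added example (not the author's code and not Trufflehog itself) of how a scanner finds it, from the defender's side: it walks diff output, inspects only added lines, matches an AWS access key ID and a 40-character secret, and uses Shannon entropy to skip placeholders. The prefix list in `ACCESS_KEY_RE` is an assumption, the sample log is constructed, and the key pair in it is AWS's own documented example pair, not the challenge's.

```python
import math
import re
import subprocess
from dataclasses import dataclass

# What a secret scanner looks for when it walks git history: an AWS access key
# ID (20 uppercase alphanumerics behind a known prefix) and a 40-character
# secret assigned to an aws_secret_access_key-style variable.
# Prefix list is an assumption; AKIA/ASIA are the documented real ones.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA|AKQA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(
    r"""aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+]{40})(?=["'\s]|$)""",
    re.IGNORECASE,
)
DIFF_HEADER_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


@dataclass
class Finding:
    path: str       # file the credential was added to
    kind: str       # "aws_access_key_id" or "aws_secret_access_key"
    value: str
    entropy: float  # Shannon entropy, bits per character


def shannon_entropy(text: str) -> float:
    """Bits per character; random 40-char secrets score far above placeholders."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_git_log(log_text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Walk `git log -p` output and report credentials introduced in any commit.

    Only added ("+") lines are inspected, so a secret that a later commit
    removed is still reported: deleting it from HEAD does not delete history.
    """
    findings: list[Finding] = []
    current_path = "<unknown>"
    for line in log_text.splitlines():
        header = DIFF_HEADER_RE.match(line)
        if header:
            current_path = header.group(2)
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for m in ACCESS_KEY_RE.finditer(body):
            findings.append(Finding(current_path, "aws_access_key_id",
                                    m.group(0), shannon_entropy(m.group(0))))
        for m in SECRET_KEY_RE.finditer(body):
            secret = m.group(1)
            ent = shannon_entropy(secret)
            if ent >= min_entropy:  # drops "xxxx..." style placeholders
                findings.append(Finding(current_path, "aws_secret_access_key", secret, ent))
    return findings


def files_with_secrets(log_text: str) -> list[str]:
    """Just the file names, which is what the challenge asks for."""
    return sorted({f.path for f in scan_git_log(log_text)})


def scan_repo(repo_dir: str) -> list[Finding]:
    """Run the scan against a real clone, all branches."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_git_log(out)


# Constructed sample of `git log -p` output (not the challenge repo). The key
# pair is AWS's documented example pair from its own docs.
SAMPLE_GIT_LOG = """\
commit 0000000000000000000000000000000000000001
Author: example <example@example.invalid>

    add helper that pushes a policy

diff --git a/put_policy.py b/put_policy.py
--- a/put_policy.py
+++ b/put_policy.py
@@ -1,2 +1,5 @@
 import boto3
+aws_access_key_id="AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
 client = boto3.client("iam")
diff --git a/config.example b/config.example
--- /dev/null
+++ b/config.example
@@ -0,0 +1,2 @@
+aws_access_key_id="<your key id>"
+aws_secret_access_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f.path}: {f.kind} = {f.value} (entropy {f.entropy:.2f})")
```

Run it as a pre-receive hook or in CI and the offending commit is rejected before it reaches a shared remote; once a key has been pushed, the only fix is to rotate it, since rewriting history does not reach every clone.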

Set them with aws configure, run aws sts get-caller-identity, and it moves on to the next step.

Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find all/any policies attached to your user.
The aws iam command to list attached user policies can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
Hint: it is NOT list-user-policies.

After some Googling, aws iam list-attached-user-policies --user-name haug gets past this.

$ aws iam list-attached-user-policies --user-name haug
{
    "AttachedPolicies": [
        {
            "PolicyName": "TIER1_READONLY_POLICY",
            "PolicyArn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
        }
    ],
    "IsTruncated": false
}

Now, view or get the policy that is attached to your user.
The aws iam command to get a policy can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html

aws iam get-policy --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY' retrieves the information.

$ aws iam get-policy --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY'
{
    "Policy": {
        "PolicyName": "TIER1_READONLY_POLICY",
        "PolicyId": "ANPAYYOROBUERT7TGKUHA",
        "Arn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 11,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Policy for tier 1 accounts to have limited read only access to certain resources in IAM, S3, and LAMBDA.",
        "CreateDate": "2022-06-21 22:02:30+00:00",
        "UpdateDate": "2022-06-21 22:10:29+00:00",
        "Tags": []
    }
}

ok.

Attached policies can have multiple versions. View the default version of this policy.
The aws iam command to get a policy version can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html

get-policy-version looks like the one to use.

aws iam get-policy-version --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY' --version-id 'v1'
The earlier output says the default version is v1, so I used that.

Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user.
The aws iam command to list user policies can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
Hint: it is NOT list-attached-user-policies.

aws iam list-user-policies --user-name haug gets past this.

$ aws iam list-user-policies --user-name haug
{
    "PolicyNames": [
        "S3Perms"
    ],
    "IsTruncated": false
}

Now, use the AWS CLI to get the only inline policy for your user.
The aws iam command to get a user policy can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html

aws iam get-user-policy --user-name haug --policy-name S3Perms does it.

$ aws iam get-user-policy --user-name haug --policy-name S3Perms
{
    "UserPolicy": {
        "UserName": "haug",
        "PolicyName": "S3Perms",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListObjects"
                    ],
                    "Resource": [
                        "arn:aws:s3:::smogmachines3",
                        "arn:aws:s3:::smogmachines3/*"
                    ]
                }
            ]
        }
    },
    "IsTruncated": false
}
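The sequence above (attached policy, its default version, then the inline policy) matters because a user's effective permissions are the union of every Allow across both kinds, minus any explicit Deny. The following is an added example, not the author's code and not an AWS library, of that evaluation logic in a few dozen lines: it answers "can this user do action X on resource Y?" and lists which read actions that expose secrets are granted. The S3Perms document is copied from the get-user-policy output above; TIER1_READONLY_GUESS is a constructed stand-in, since the page never shows that policy's document, only that it grants Lambda privileges. Conditions, NotAction/NotResource, permission boundaries and resource-based policies are out of scope.

```python
import re

# Inline policy exactly as the challenge's get-user-policy output shows it
# (the action name is copied verbatim from that output).
S3_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListObjects"],
        "Resource": ["arn:aws:s3:::smogmachines3", "arn:aws:s3:::smogmachines3/*"],
    }],
}

# Constructed stand-in for TIER1_READONLY_POLICY: an assumption, since the
# page does not show the real document. The Deny is there to show precedence.
TIER1_READONLY_GUESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:List*", "lambda:Get*", "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:GetFunction", "Resource": "*"},
    ],
}

POLICIES = [TIER1_READONLY_GUESS, S3_PERMS]

# Read-only actions that still hand out secrets; the list-functions output
# later in this writeup shows why lambda:ListFunctions belongs here.
READ_SENSITIVE = [
    "lambda:ListFunctions",            # returns every function's environment variables
    "lambda:GetFunctionConfiguration",
    "lambda:GetFunctionUrlConfig",     # reveals the function URL and its auth mode
    "iam:GetUserPolicy",
]


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text, ignore_case):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, text, re.IGNORECASE if ignore_case else 0) is not None


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are matched as written.
    return (any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))))


def is_allowed(policies, action, resource):
    """Explicit Deny in any statement wins; otherwise any matching Allow grants;
    otherwise the request is implicitly denied."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def sensitive_grants(policies, actions=READ_SENSITIVE):
    """(action, resource pattern) pairs where an Allow statement grants one of
    `actions` and no Deny takes it back. Checked against each Allow statement's
    own resource patterns, so a '*' grant is reported as ('action', '*')."""
    hits = set()
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if stmt["Effect"] != "Allow":
                continue
            for res in _as_list(stmt.get("Resource", [])):
                for act in actions:
                    if _statement_matches(stmt, act, res) and is_allowed(policies, act, res):
                        hits.add((act, res))
    return sorted(hits)


if __name__ == "__main__":
    print(is_allowed(POLICIES, "s3:ListObjects", "arn:aws:s3:::smogmachines3/x.txt"))
    for act, res in sensitive_grants(POLICIES):
        print(f"review: {act} on {res}")
```

The practical use is the reverse of the challenge: feed it the documents returned by `get-policy-version` and `get-user-policy` for each user and see which "read only" tiers can still read Lambda environment variables.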

The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects.
List those objects!
The aws s3api command to list objects in an s3 bucket can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/index.html

aws s3api list-objects --bucket smogmachines3 does it.

The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions.
The aws lambda command to list functions can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

aws lambda list-functions does it.

$ aws lambda list-functions
{
    "Functions": [
        {
            "FunctionName": "smogmachine_lambda",
            "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
            "Runtime": "python3.9",
            "Role": "arn:aws:iam::602123424321:role/smogmachine_lambda",
            "Handler": "handler.lambda_handler",
            "CodeSize": 2126,
            "Description": "",
            "Timeout": 600,
            "MemorySize": 256,
            "LastModified": "2022-09-07T19:28:23.634+0000",
            "CodeSha256": "GFnsIZfgFNA1JZP3TgTI0tIavOpDLiYlg7oziWbtRsa=",
            "Version": "$LATEST",
            "VpcConfig": {
                "SubnetIds": [
                    "subnet-8c80a9cb8b3fa5505"
                ],
                "SecurityGroupIds": [
                    "sg-b51a01f5b4711c95c"
                ],
                "VpcId": "vpc-85ea8596648f35e00"
            },
            "Environment": {
                "Variables": {
                    "LAMBDASECRET": "975ceab170d61c75",
                    "LOCALMNTPOINT": "/mnt/smogmachine_files"
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "7e198c3c-d4ea-48dd-9370-e5238e9ce06e",
            "FileSystemConfigs": [
                {
                    "Arn": "arn:aws:elasticfilesystem:us-east-1:602123424321:access-point/fsap-db3277b03c6e975d2",
                    "LocalMountPath": "/mnt/smogmachine_files"
                }
            ],
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ],
            "EphemeralStorage": {
                "Size": 512
            }
        }
    ]
}

Lambda functions can have public URLs from which they are directly accessible.
Use the AWS CLI to get the configuration containing the public URL of the Lambda function.
The aws lambda command to get the function URL config can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

aws lambda get-function-url-config --function-name smogmachine_lambda does it.

$ aws lambda get-function-url-config --function-name smogmachine_lambda
{
    "FunctionUrl": "https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
    "AuthType": "AWS_IAM",
    "Cors": {
        "AllowCredentials": false,
        "AllowHeaders": [],
        "AllowMethods": [
            "GET",
            "POST"
        ],
        "AllowOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAge": 0
    },
    "CreationTime": "2022-09-07T19:28:23.808713Z",
    "LastModifiedTime": "2022-09-07T19:28:23.808713Z"
}
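Two things in the last two outputs are worth a defender's attention: the LAMBDASECRET value sits in plaintext in the environment block that list-functions returns to any read-only caller, and the function URL has AllowOrigins set to "*". The script below is an added example (not the author's code, not an AWS tool) that audits exactly those outputs: it takes the JSON from `aws lambda list-functions` and from `aws lambda get-function-url-config` per function, flags secret-looking environment variable names, an AuthType of NONE, and wildcard CORS origins. The sample outputs are constructed to match the shape shown above; the function names, account ID 123456789012 and the placeholder secret value are not from the page.

```python
import json
import re

# Environment variable names that usually hold a credential. Anyone with
# lambda:ListFunctions or lambda:GetFunctionConfiguration reads the values.
SECRET_NAME_RE = re.compile(
    r"SECRET|PASS(WORD|WD)?|TOKEN|API_?KEY|PRIVATE|CREDENTIAL", re.IGNORECASE
)


def audit_function(fn, url_cfg=None):
    """Return (function name, check, detail) tuples for one list-functions
    entry plus, if present, its get-function-url-config output."""
    findings = []
    name = fn["FunctionName"]
    env = fn.get("Environment", {}).get("Variables", {})
    for var in env:
        if SECRET_NAME_RE.search(var):
            findings.append((name, "plaintext-env-secret",
                             f"{var} is readable via lambda:ListFunctions; "
                             "store it in Secrets Manager or SSM and fetch it at runtime"))
    if url_cfg is not None:
        if url_cfg.get("AuthType") == "NONE":
            findings.append((name, "public-function-url",
                             f"{url_cfg['FunctionUrl']} accepts unauthenticated requests"))
        cors = url_cfg.get("Cors") or {}
        if "*" in cors.get("AllowOrigins", []):
            findings.append((name, "cors-any-origin",
                             "AllowOrigins is *; any web origin may call the URL from a browser"))
    return findings


def audit_account(list_functions_json, url_config_jsons):
    """Join `aws lambda list-functions` output with one
    `aws lambda get-function-url-config` output per function (by ARN)."""
    functions = json.loads(list_functions_json)["Functions"]
    urls = {u["FunctionArn"]: u for u in (json.loads(j) for j in url_config_jsons)}
    findings = []
    for fn in functions:
        findings.extend(audit_function(fn, urls.get(fn["FunctionArn"])))
    return findings


# Constructed CLI output, shaped like the writeup's but with placeholder values.
LIST_FUNCTIONS_OUTPUT = """{
  "Functions": [
    {
      "FunctionName": "example_lambda",
      "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example_lambda",
      "Runtime": "python3.9",
      "Environment": {"Variables": {"LAMBDASECRET": "<constructed-placeholder>",
                                    "LOCALMNTPOINT": "/mnt/example_files"}}
    },
    {
      "FunctionName": "example_webhook",
      "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example_webhook",
      "Runtime": "python3.9",
      "Environment": {"Variables": {"LOG_LEVEL": "info"}}
    }
  ]
}"""

URL_CONFIG_OUTPUTS = [
    """{"FunctionUrl": "https://example-lambda.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example_lambda",
        "AuthType": "AWS_IAM",
        "Cors": {"AllowCredentials": false, "AllowMethods": ["GET", "POST"],
                 "AllowOrigins": ["*"]}}""",
    """{"FunctionUrl": "https://example-webhook.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example_webhook",
        "AuthType": "NONE",
        "Cors": {"AllowOrigins": ["https://example.com"]}}""",
]

if __name__ == "__main__":
    for name, check, detail in audit_account(LIST_FUNCTIONS_OUTPUT, URL_CONFIG_OUTPUTS):
        print(f"{name}: {check}: {detail}")
```

Note that AuthType AWS_IAM, as in the output above, means the URL still needs SigV4-signed requests, so the CORS wildcard on its own is only informational; it becomes a real exposure in combination with AuthType NONE.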

That clears it. This turned out to be the boss challenge, and I got the ring. A cute ring.

Before the last ring...

Heading right from the Burning Ring Of Fire, there's a treasure chest.
You get money and a weird hat.


Next -> Recover the Burning Ring of Fire - Holiday Hack Challenge 2022 Writeup by hamayanhamayan [7/8] - はまやんはまやんはまやん