Objective 2: Investigate S3 Bucket
Difficulty:
When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.
TL;DR - Answer
Hints
It seems like there's a new story every week about data exposed through unprotected Amazon S3 buckets.
Robin Wood wrote up a guide about finding these open S3 buckets.
Santa's Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.
Find Santa's package file from the cloud storage provider. Check Josh Wright's talk for more tips!
Solution
Let's see what Shinny Upatree has to say:
Say, we've been having an issue with an Amazon S3 bucket.
Do you think you could help find Santa's package file?
Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files!
Digininja has a great guide, if you're new to S3 searching.
He even released a tool for the task - what a guy!
The package wrapper Santa used is reversible, but it may take you some trying.
Good luck, and thanks for pitching in!
Accessing the terminal to the right of Shinny Upatree we see a TIPS file, and a directory containing the bucket_finder tool. When working with a new tool, it usually helps to RTFM. So let's execute bucket_finder with the --help argument.
elf@e22915676357:~/bucket_finder$ ./bucket_finder.rb --help
bucket_finder 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
Usage: bucket_finder [OPTION] ... wordlist
--help, -h: show help
--download, -d: download the files
--log-file, -l: filename to log output to
--region, -r: the region to use, options are:
us - US Standard
ie - Ireland
nc - Northern California
si - Singapore
to - Tokyo
-v: verbose
wordlist: the wordlist to use
There are two arguments we care about here: wordlist will be the names of the buckets we will try, and --download will download the files from any buckets the tool manages to find. Conveniently, we're provided with a wordlist. Let's see what it contains:
elf@e22915676357:~/bucket_finder$ cat wordlist
kringlecastle
wrapper
santa
When performing dictionary attacks (passwords, directories, etc.), a good wordlist is what ultimately determines whether we succeed. In this case, there's an obvious omission from the wordlist. Let's add "wrapper3000", the name of the project as Shinny tells us.
elf@e22915676357:~/bucket_finder$ echo "wrapper3000" >> wordlist
With the modified wordlist, let's go hunting for S3 buckets!
elf@e22915676357:~/bucket_finder$ bucket_finder.rb wordlist --download
http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
Bucket found but access denied: santa
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
<Downloaded> http://s3.amazonaws.com/wrapper3000/package
Looks like "wrapper3000" was a valid bucket, and the file package was downloaded into the wrapper3000 directory. Let's change to that directory and start figuring out how to unwrap this file:
elf@e22915676357:~/bucket_finder$ cd wrapper3000/
elf@e22915676357:~/bucket_finder/wrapper3000$ ls
package
elf@e22915676357:~/bucket_finder/wrapper3000$ file package
package: ASCII text, with very long lines
elf@e22915676357:~/bucket_finder/wrapper3000$ cat package
The contents of package look like Base64. Let's decode it and see what comes out:
elf@e22915676357:~/bucket_finder/wrapper3000$ base64 -d package > package_decoded
elf@e22915676357:~/bucket_finder/wrapper3000$ file package_decoded
package_decoded: Zip archive data, at least v1.0 to extract
The next layer appears to be a zip. Let's look inside the zip:
elf@e22915676357:~/bucket_finder/wrapper3000$ unzip -l package_decoded
Archive: package_decoded
Length Date Time Name
--------- ---------- ----- ----
415 2020-12-04 11:04 package.txt.Z.xz.xxd.tar.bz2
--------- -------
415 1 file
If the naming of the inner file is correct, package.txt was compressed with compress, compressed again with xz, hex dumped through xxd, packaged with tar, then compressed once more with bzip2. Let's unpack this with one long piped command, then view the contents of package.txt:
elf@e22915676357:~/bucket_finder/wrapper3000$ unzip -p package_decoded | bunzip2 | tar -xO | xxd -r - | xz -cd | uncompress -c > package.txt
elf@e22915676357:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth
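The pipeline above trusts the file name to list the layers. As an added example (not part of the original write-up), the Python sketch below picks each unwrapping step from the data's magic bytes instead, reads archive members in memory rather than extracting them to disk, and bounds the nesting depth since the file comes from an untrusted bucket. The names peel, xxd and wrap are hypothetical, and the sample is constructed and omits the .Z layer because the standard library has no decoder for it; on such data peel stops and reports "compress".

```python
import base64, binascii, bz2, io, lzma, re, tarfile, zipfile

XXD = re.compile(rb"^[0-9a-f]{8}: ((?:[0-9a-f]{2,4} ?)+)", re.M)  # one line of `xxd` output

def peel(data, max_layers=16):
    """Remove one wrapper per pass, chosen from magic bytes instead of the file name."""
    layers = []
    while data and len(layers) < max_layers:     # bound nesting on untrusted input
        if data[:4] == b"PK\x03\x04":
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                name, data = "zip", z.read(z.namelist()[0])
        elif data[:3] == b"BZh":
            name, data = "bzip2", bz2.decompress(data)
        elif data[:6] == b"\xfd7zXZ\x00":
            name, data = "xz", lzma.decompress(data)
        elif XXD.match(data):                    # rebuild bytes from the hex columns
            name, data = "xxd", b"".join(bytes.fromhex(m[1].decode()) for m in XXD.finditer(data))
        elif data[257:262] == b"ustar":          # read the member in memory, never write to disk
            with tarfile.open(fileobj=io.BytesIO(data)) as t:
                name, data = "tar", t.extractfile(t.getmembers()[0]).read()
        elif data[:2] == b"\x1f\x9d":            # compress(1) LZW: no stdlib decoder, stop here
            return layers + ["compress"], data
        else:
            try:                                 # heuristic: strict Base64 or it is the payload
                name, data = "base64", base64.b64decode(b"".join(data.split()), validate=True)
            except binascii.Error:
                return layers, data
        layers.append(name)
    if data:
        raise ValueError("nesting deeper than max_layers")
    return layers, data

def xxd(raw):  # constructed helper mimicking `xxd` output: offset, hex groups, ASCII column
    rows = [raw[o:o + 16] for o in range(0, len(raw), 16)]
    text = lambda c: "".join(chr(b) if 32 <= b < 127 else "." for b in c)
    return "".join(f"{i * 16:08x}: {c.hex(' ', -2):<39}  {text(c)}\n" for i, c in enumerate(rows)).encode()

def wrap(payload):
    # Constructed sample: text -> xz -> xxd -> tar -> bzip2 -> zip -> base64 (the page's chain minus .Z)
    dump, tbuf, zbuf = xxd(lzma.compress(payload)), io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as t:
        info = tarfile.TarInfo("package.txt.xz.xxd")
        info.size = len(dump)
        t.addfile(info, io.BytesIO(dump))
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("package.txt.xz.xxd.tar.bz2", bz2.compress(tbuf.getvalue()))
    return base64.encodebytes(zbuf.getvalue())
```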
Answer
North Pole: The Frostiest Place on Earth