Sharing is Caring + Sequel

Description

Using Code Sharing Platform, you found the access to the AWS temporary credentials. Now you need to get into the cloud infrastructure and start with the enumeration part, and during this process you will find the flag.

Solution

From the description, I assumed the code sharing platform is referring to the Tony Tony Tony challenge from before.

var codeEditor = CodeMirror.fromTextArea(document.getElementById("code"), {
    lineNumbers: true,
    mode: "javascript",
    theme: "default"
});

var myHeaders = new Headers();
myHeaders.append("authorizationToken", "flag-{gtkO4f4NOrJsRRNZWxiTbL6LLUs5Ir8g}");
myHeaders.append("Content-Type", "application/json");

var raw = JSON.stringify({
    "codeFile": code
});

var requestOptions = {
    method: 'POST',
    headers: myHeaders,
    body: raw,
    redirect: 'follow'
};

fetch("https://jg0rh6th8e.execute-api.ap-south-1.amazonaws.com/test/share", requestOptions)
    .then(response => response.text())
    .then(result => {
        var resultDiv = document.getElementById("result");
        resultDiv.innerHTML = "";

        var pre = document.createElement("pre");
        pre.innerText = result;
        resultDiv.appendChild(pre);
    })
    .catch(error => console.log('error', error));

However, the code from the Tony Tony Tony code sharing platform is incomplete and I can't send any request. Using Postman, I followed the instructions from the code to send a POST request.

I sent a POST request with a random value for the "codeFile" and received a stack trace error.

After fuzzing around with the "codeFile" variable for a bit, my teammate identified a local file inclusion vulnerability where we can retrieve the /etc/passwd as a proof of concept.

Viewing the /proc/self/environ file, we are able to retrieve a set of AWS credentials.

Next, I logged in using aws configure, and manually appended the session token to the ~/.aws/credentials file.

Running aws iam list-roles returns a bunch of roles

The role ShareCodeFile-role-sbutfhkq seems interesting as the name is the same as our user.

I ran aws iam list-role-policies --role-name role-name to list the names of the inline policies embedded in the specified IAM role.

Decoding the base64 strings returns the flag.

Flag: flag-{GaW6NW8vzwIhh8qU643AV3ohh4gwDByw}

Sharing is Caring Sequel

From the policy name, I made a guess that I have permission to list and read parameters in SSM.

Running aws ssm describe-parameters shows the flag location

I am then able to use aws ssm get-parameter --name "/envcodeshare/test/flag" to retrieve the flag value

Flag: flag-{fUg3jZueA4J1u7nEVNqLFVASEZcyYjR0}
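
From the defender's side, the enumeration in both parts leaves CloudTrail management events under the Lambda role's session. The following is an added example (not part of the original write-up) that flags a source address making several distinct discovery calls with that role; the account ID, session name, IP addresses and sample records are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# CloudTrail (eventSource, eventName) pairs behind the four CLI commands in the write-up.
DISCOVERY = {
    ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "ListRolePolicies"),
    ("ssm.amazonaws.com", "DescribeParameters"),
    ("ssm.amazonaws.com", "GetParameter"),
}

def role_of(event):
    """Return the role name of an assumed-role caller, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # ARN shape: arn:aws:sts::<account>:assumed-role/<role>/<session>
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) == 3 and parts[0].endswith(":assumed-role") else None

def find_enumeration(events, lambda_roles, min_distinct=2):
    """Map (role, source IP) to its discovery calls when it made several distinct ones."""
    seen = defaultdict(set)
    for ev in events:
        call = (ev.get("eventSource"), ev.get("eventName"))
        role = role_of(ev)
        # Denied calls (errorCode set) still count: a failed probe is still a probe.
        if role in lambda_roles and call in DISCOVERY:
            seen[(role, ev.get("sourceIPAddress"))].add(call[1])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}

def _ev(source, name, ip, kind="AssumedRole", error=None):
    """Build one constructed CloudTrail record (placeholder account ID and session name)."""
    arn = "arn:aws:sts::111122223333:assumed-role/ShareCodeFile-role-sbutfhkq/ShareCodeFile"
    ev = {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": kind, "arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample: one routine call from the function, then a burst from another address.
SAMPLE = [
    _ev("ssm.amazonaws.com", "GetParameter", "198.51.100.7"),
    _ev("iam.amazonaws.com", "ListRoles", "203.0.113.50"),
    _ev("iam.amazonaws.com", "ListRolePolicies", "203.0.113.50"),
    _ev("ssm.amazonaws.com", "DescribeParameters", "203.0.113.50", error="AccessDenied"),
    _ev("ssm.amazonaws.com", "GetParameter", "203.0.113.50"),
    _ev("iam.amazonaws.com", "ListRoles", "203.0.113.50", kind="IAMUser"),
]
```

Calling find_enumeration(SAMPLE, {"ShareCodeFile-role-sbutfhkq"}) reports only the 203.0.113.50 group; the single GetParameter from the function's own address stays below the threshold.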
