Kabinet's GitBook
Emerge through the breach


Last updated 3 months ago


Solve

We are given an entry point of 44.208.228.94.

First, let's perform the standard enumeration on the IP address.

From the output, we can identify that

  1. It is running on AWS EC2

  2. It is hosting an Apache web server on ports 80 and 443

It seems to be a default landing page for a pharmaceutical company.

Viewing the page source, everything seems to be a standard landing page, except for a Bitbucket URL.

We are able to retrieve the source code of the website via the bitbucket link.

Let's git clone the repository and run trufflehog on it to try to find any secrets.

Running git log, we also manage to retrieve 2 usernames, so let's add those to our loot.

As the repository is relatively small, we can manually enumerate the whole repository by doing a code review. There is nothing suspicious that would allow us to escalate our privileges. Looking back at Bitbucket, I noticed that there is another repository called trial-data-management-poc within the same workspace.

Let's rinse and repeat the enumeration we performed earlier.

The trufflehog output does not seem to give any useful information, other than perhaps that a SQL Server is running.

Looking at the git log output, there are two commits that seem interesting at first glance.

  1. Pushing local changes - 14129237ea34eeefbced772092c9264f60b2cefa

    1. The author is haru sato's local account instead of the domain account

  2. Bucket name change - c167543e30628c5a76f79f519a0adb752b238106

So let's inspect each commit and see what the changes are.

The "Pushing local changes" commit gives us some juicy information:

  1. Password - Treatment!

  2. Email - devmailer@massive-pharma.com

So let's add these two new credentials to our loot.

Next, inspecting the "Bucket name change" commit also gives us some information:

  1. AWS Key - AKIATCKANV3QK3BT3CVG

  2. Bucket Name

    1. clinical-trial-data

    2. mp-clinical-trial-data

As we have 2 S3 bucket names, we can try to enumerate the buckets to see if either is public, for low-hanging fruit; sadly, neither was.
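The key ID leaked in the "Bucket name change" commit above, and the account ID the writeup later obtains with aws sts get-access-key-info, can both be triaged from a commit diff without touching AWS at all: the account number is encoded in the key ID itself (the offline decoding documented on the HackTricks STS enumeration page the writeup cites). This is an added example, not code from the writeup; it assumes a constructed git show output, with the secret key value as an obvious placeholder, and is written from the incident-triage side (which account's key to rotate).

```python
import base64
import re

# AWS long-term (AKIA) and temporary (ASIA) access key IDs: a 4-char prefix
# followed by 16 upper-case base32 characters.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")

def account_id_from_key_id(key_id: str) -> str:
    """Derive the 12-digit AWS account ID encoded in an access key ID.

    Offline equivalent of `aws sts get-access-key-info`: the 16 characters
    after the prefix are base32; the account number lives in bits 1..40 of
    the first six decoded bytes.
    """
    decoded = base64.b32decode(key_id[4:])        # 16 chars -> 10 bytes
    value = int.from_bytes(decoded[:6], "big")    # first 48 bits
    mask = 0x7FFFFFFFFF80                         # drop the top bit and low 7 bits
    return f"{(value & mask) >> 7:012d}"

def leaked_keys_in_diff(diff_text: str) -> list[tuple[str, str]]:
    """Return (key_id, account_id) for every access key ID on an *added*
    line of a unified diff, e.g. the output of `git show <commit>`."""
    found = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            for key_id in AWS_KEY_ID_RE.findall(line):
                found.append((key_id, account_id_from_key_id(key_id)))
    return found

# Constructed sample of what `git show` on the bucket-rename commit could look
# like; the key ID is the one disclosed in the writeup, the secret is a placeholder.
SAMPLE_DIFF = """\
diff --git a/config/storage.py b/config/storage.py
--- a/config/storage.py
+++ b/config/storage.py
@@ -1,3 +1,4 @@
-BUCKET = "clinical-trial-data"
+BUCKET = "mp-clinical-trial-data"
+AWS_ACCESS_KEY_ID = "AKIATCKANV3QK3BT3CVG"
+AWS_SECRET_ACCESS_KEY = "<redacted-placeholder>"
"""

if __name__ == "__main__":
    for key_id, account in leaked_keys_in_diff(SAMPLE_DIFF):
        print(f"{key_id} belongs to account {account}: rotate it there")
```

Run against real history with `git log -p | python3 this_script.py` style piping by reading stdin instead of SAMPLE_DIFF; the decoded account for the writeup's key matches the one the author passes to the spraying tool.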

Referring to Hacktricks and the AWS documentation, we are able to get the account ID for the access key. I will also add the account ID to our loot. I also performed more manual enumeration on the Bitbucket repository, but there was nothing else interesting. The web app source code is OpenEMR, an open source health record solution.

Looking at our current loot, we have

  • 1x account id

  • 2x username

  • 1x password

Let's attempt to spray our credentials to see if we can get AWS Console access. I will be using the tool GoAWSConsoleSpray to spray credentials.

We have managed to successfully spray and get a set of valid credentials. Let's add this set of valid credentials to our loot.

Upon authentication, we took a look at the Recently visited tab. This allows us to identify some applications that the user might have used recently.

Looking at AWS Secrets Manager, we have found the flag, as well as a secret named haru.

We are then able to retrieve the key/value pair for both secrets.

TLDR

  • Enum IP Address

  • Identify bitbucket url, retrieve AWS Access Key and S3 Bucket Name

  • Utilize aws sts get-access-key-info to get account id

  • Spray AWS Console

  • Flag from AWS Secrets Manager

Reference

  • Hacktricks: https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-sts-enum.html#enumeration

  • AWS documentation: https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html

  • GoAWSConsoleSpray: https://github.com/WhiteOakSecurity/GoAWSConsoleSpray

  • trufflehog: https://github.com/trufflesecurity/trufflehog
Commands shown in the writeup's screenshots:

  nmap -A -T4 44.208.228.94

  git show 14129237ea34eeefbced772092c9264f60b2cefa

  aws sts get-access-key-info --access-key-id AKIATCKANV3QK3BT3CVG --profile test

  GoAWSConsoleSpray -a 211125382880 -u user.txt -p password.txt

[Screenshot: Added 2 emails to our user.txt]
[Screenshot: Recently visited tab]
[Screenshot: AWS Secrets Manager]
[Screenshot: Redacted access key id and secret access key]
[Screenshot: Redacted flag]

Bitbucket links referenced above:

  http://bitbucket.org/massive-pharma/mp-website

  https://bitbucket.org/massive-pharma/workspace/repositories/