The SecOps Group Certified Network Security Practitioner CTF
I just woke up on a Saturday morning. While aimlessly browsing social media (yeah, not a good practice), I chanced upon this post from the SecOps Group on LinkedIn.
I have been studying for AWS SAA-C03 for the past week, and I thought another CTF (I took the KC7 Blue Team CTF just last Saturday) to break the monotony ain't so bad. So, with nothing better to do, I jumped right into my Vulnmachine and SecOps accounts.
(I then realized that I have had the Certified Application Security Practitioner (CAP) and Certified Cloud Security Practitioner–AWS (CCSP-AWS) sitting there for the past 6 months already.)
I did a quick review of what CNSP is on the SecOps website.
The topics covered are indeed all basic essentials.
I initially fired up my Windows command-line and my Kali VM.
Enumeration
In Kali, I did the usual dig, nmap and dirb procedure, but found nothing substantial.
At first, I did not think this would be an AWS-centric CTF, since the certification name says “network security”. But deeper browsing of Vulnmachine pointed in that direction.
Oh, and btw, the site wouldn't give you much instruction on the CTF. Just a link named “Lab Access” going to this site.
Immediately, you can tell that this is an AWS/S3-hosted site. My train of thought was that I would have to exploit some sort of S3 “vulnerability”. Well, to AWS's credit, I don't think there have been any S3 vulnerabilities recently; it's more about misconfigurations in the client's implementation. Shared responsibility stuff.
I tried playing around with the URL paths, HTTP/S, known files, the page source, and Inspect (focusing on the Network tab). All nada.
So ultimately I went the AWS/S3 route.
S3 Explained
First off, what is Amazon Simple Storage Service, aka Amazon S3? It is a service that allows you to store large amounts of data.
Amazon S3 provides multiple options for protecting data at rest. The options include permissions (policies), encryption (client-side and server-side), bucket versioning and MFA-based delete. The user can enable any of these options to achieve data protection. Data replication is an internal facility of AWS: S3 automatically replicates each object across all the Availability Zones, so the organization need not enable it.
With resource-based permissions, you can define permissions for sub-directories of your bucket separately.
S3 ENUMERATION
I logged in to my AWS terminal (instead of using my local AWS CLI).
How do you access resources in an S3 bucket?
S3 buckets can be accessed using path-style and virtual-hosted-style URLs, or programmatically (AWS CLI):
Virtual-hosted-style: https://bucket-name.s3.region-code.amazonaws.com/resource-name
Path-style: https://s3.region-code.amazonaws.com/bucket-name/resource-name
Example:
https://TestBucket.s3.ap-south-1.amazonaws.com/TestResource
https://s3.ap-south-1.amazonaws.com/TestBucket/TestResource
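As an added example (not part of the original write-up), a small parser that recognises both URL styles above and returns the bucket, region and object key; the region is treated as optional so the legacy global endpoint and the dashed region form are handled too, which goes slightly beyond the two templates shown.

```python
import re
from urllib.parse import urlparse

# Host patterns for the two URL styles shown above. The region part is optional
# because the legacy global endpoint (s3.amazonaws.com) has none, and the legacy
# dashed form (s3-region-code) is accepted alongside the dotted form.
VIRTUAL_HOSTED_HOST = re.compile(
    r"^(?P<bucket>[^.]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$",
    re.IGNORECASE)
PATH_STYLE_HOST = re.compile(
    r"^s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$", re.IGNORECASE)


def parse_s3_url(url: str):
    """Return (bucket, region, key) for either S3 URL style, or None if the URL
    is not an S3 endpoint. region is None on the global endpoint; key is None
    for a bucket-root URL (the URL a listing request goes to)."""
    parts = urlparse(url)
    host, path = parts.netloc, parts.path.lstrip("/")   # netloc keeps the case
    m = PATH_STYLE_HOST.match(host)   # path-style first: its host never starts
    if m:                             # with a bucket name, so no ambiguity
        if not path:
            return None               # path-style needs the bucket in the path
        bucket, _, key = path.partition("/")
        return bucket, m.group("region"), key or None
    m = VIRTUAL_HOSTED_HOST.match(host)
    if m:
        return m.group("bucket"), m.group("region"), path or None
    return None


def bucket_root_url(bucket: str, region):
    """Virtual-hosted-style URL of the bucket root. This is the endpoint to check
    when verifying that a bucket does NOT return an object listing anonymously."""
    host = f"{bucket}.s3.{region}.amazonaws.com" if region else f"{bucket}.s3.amazonaws.com"
    return f"https://{host}/"
```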
Access Control Lists
Access Control Lists (ACLs) allow you to manage access to S3 buckets and their objects. Each S3 bucket and each of its objects has an ACL attached as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access.
Amazon S3 has a set of predefined groups. AWS provides the following predefined groups:
Authenticated Users group
It is represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers. This group represents all AWS accounts. When you grant access to the Authenticated Users group, any AWS-authenticated user worldwide can access your resource.
All Users group
It is represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission for this group allows anyone worldwide to access the resources.
Log Delivery group
It is represented by http://acs.amazonaws.com/groups/s3/LogDelivery. This group allows WRITE permission on a bucket to write server access logs.
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
Public Buckets
Today, many websites use S3 buckets to store data and host static websites. Whenever you use an S3 bucket for website storage or as a static site hosting option, you have to make some or all of the resources public so that the website can be accessed by anyone. This is an easy process, but if done incorrectly it can potentially put all of your data at risk of a breach. If the S3 bucket is public, it will allow users to list and access all the resources stored in that bucket.
Use aws s3api get-bucket-acl --bucket <Bucket_Name> to retrieve the bucket ACL:
Pentester’s Approach:
- Retrieve and observe bucket ACL
- Look for sensitive information about web applications or AWS account
- Try to upload new files or remove existing ones based on the bucket ACL
The ACL query results show that the bucket is publicly accessible.
If a bucket like cnsp-vnm is public, it will allow the listing of its objects. Now, modify the URL as shown in the figure below to list all the objects available in the bucket:
However, in this case, since the grant is to “AuthenticatedUsers”, it will show the page below instead.
From here we can use “aws configure” to add any valid AWS credentials, which makes us part of the AuthenticatedUsers group.
We can then further enumerate the S3 asset by typing aws s3 ls s3://cnsp-vnm --recursive
The interesting entry is at the bottom of the listing.
Of course, you would not be able to view the text/flag directly; we need to “download” it first.
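An added example (not from the original write-up) of reading the ACL JSON that aws s3api get-bucket-acl prints and deciding which of the three predefined groups above get listing or write access; the sample ACL is constructed, with made-up IDs, to mirror the write-up's case of a READ grant to AuthenticatedUsers.

```python
import json

# Predefined grantee groups from the ACL overview referenced above.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Constructed sample in the shape `aws s3api get-bucket-acl` prints (IDs are made up).
# It mirrors the write-up: a READ grant to AuthenticatedUsers, nothing to AllUsers.
SAMPLE_ACL_JSON = json.dumps({
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
})


def audit_bucket_acl(acl_json: str) -> dict:
    """Summarise what each predefined group is granted and what that means.

    On a bucket, READ lets the grantee list objects, WRITE lets it create or
    delete objects, and FULL_CONTROL implies both. Group grantees are the ones
    that make a bucket public; CanonicalUser grants are reported for review."""
    acl = json.loads(acl_json)
    groups = {ALL_USERS: set(), AUTHENTICATED_USERS: set(), LOG_DELIVERY: set()}
    accounts = set()
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in groups:
            groups[grantee["URI"]].add(perm)
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID"):
            accounts.add(grantee["ID"])

    def can(uri, *perms):          # does the group hold any of these permissions?
        return bool(groups[uri] & set(perms))

    result = {
        "listable_by_anyone": can(ALL_USERS, "READ", "FULL_CONTROL"),
        "writable_by_anyone": can(ALL_USERS, "WRITE", "FULL_CONTROL"),
        "listable_by_any_aws_account": can(AUTHENTICATED_USERS, "READ", "FULL_CONTROL"),
        "writable_by_any_aws_account": can(AUTHENTICATED_USERS, "WRITE", "FULL_CONTROL"),
        "log_delivery_write": can(LOG_DELIVERY, "WRITE", "FULL_CONTROL"),
        "explicit_accounts": sorted(accounts),
    }
    # "Exposed" means anyone, or any AWS account at all, can list or modify the bucket.
    result["exposed"] = any(result[k] for k in result if k.endswith("anyone") or k.endswith("account"))
    return result
```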
aws s3 cp s3://cnsp-vnm/flag/cnspvnm_exploit.txt .
(mind the “.”, which is the local directory to copy the file to)
We can then view the flag.
And submit it.
And get the sweet 90% discount!
References: https://secops.group/the-anatomy-of-aws-misconfigurations-how-to-stay-safe/