DEV Community

Cover image for [STACK CTF 2020] Find the leaking bucket
cont3nted
cont3nted

Posted on • Edited on

[STACK CTF 2020] Find the leaking bucket

Introduction
This is the write-up(actually a reflection) for the Find the leaking bucket from the team Ov3rWr1t3.

I was excited to see that there was a cloud category when the admins release the categories that are available on discord as I have been doing some research on cloud during my internship and thought this will be a good time for me to test myself on what I know.

However, I did not managed to solve this challenge ๐Ÿ˜ž

Challenge Text
Find the leaking bucket is a 1000 points cloud challenge.
Alt Text

Find the leaking bucket - Challenge Text

Thought Process
After reading the challenge text, we know that the hidden s3 bucket name uses common words related to the company's business and has the word "s4fet3ch" attached at the back.
Alt Text

Safe Online Technologies

Feeling lucky, my first attempt I tried the combination cybersecurity-smartcity-s4fet3ch as these seems like the most likely combination for this challenge.

However, that's not the right combination which was kind of expected.
Alt Text

404 Bucket Not found

Still pumped with the early-stage CTF adrenaline rush, I continued trying out several different combinations manually like a gambling addict trying to figure out his next winning lottery numbers but in my case it was a 2 letter combination which supposed to have a higher rate of getting the right combinations but I guess I wasn't lucky that night and I knew that I spent too much time on manually keying on the combination this is where I decided to change my approach and get a python script to generate a wordlist for the possible combination.

I found a script and modify it and keyed in on the different words.



from itertools import permutations

for group in permutations(['safe-', 'online-', 'technologies-', 'digital-', 'data-','parking-','wireless-','data-','information-','architecture-','ai-','technology-','computer-','fintech-','efficiency-','smartcity-','payment-','applications-','cybersecurity-','communication-','systems-','knowledge-','iot-','innovation-','mobile-','analytics-'], 2):
        print(''.join(group)+'s4fet3ch')  



Enter fullscreen mode Exit fullscreen mode

I piped the output into a text file and used bucket_finder one of the s3 bucket enumeration tools that I found during my internship, but I did not managed to find anything
Alt Text

Where could the bucket be???

At this point, I took a break and when to try other challenges as I felt I spent too much time on this challenge.

I came back to the challenge the next day realizing that I did not the include words from the Steve Job and begin adding the missing words into the script and regenerate a new wordlist for me to enumerate.
Alt Text

Steve Jobs' quote

After generating a new wordlist, I tried using another s3 bucket enumeration tool called s3scanner, as this tool has a dump function which allows you to dump all files on any open s3 buckets you find. All you need to do is run the command, python s3scanner.py -d wordlist.txt.

At this point of time there were some shell buckets up that other participants created to divert other participants from the real bucket (including me).
Alt Text

Not cool man

I managed to find the bucket, however I did not continue as I thought it was one of the shell bucket as the zip file was not dump.
Alt Text

Even though I went to did a manual verification but at the time I think was blocked by AWS and could not access that bucket anymore.
Alt Text
I found out that was the actual bucket after the CTF and was only able to download it after the CTF was over. To find out how the challenge is solve you can read Matthea Loo's write up on Medium.

Conclusion
Even though I did not solve the challenge during CTF, I definitely picked up quite a lot of new things. Thank you for taking your time to read this post.

I would like to thank my team members from(Ov3rwr1t3) for participating the CTF. We will try harder๐Ÿ’ช๐Ÿ’ช for our next CTF!

Top comments (0)