This was the third challenge I attempted in the great ctf run by @SEC_T_org. It dealt with an issue I’d been interested in for a while: Overly permissive S3 buckets on Amazon AWS.
An issue seen in a number of S3/AWS configs is the “Any Authenticated AWS User” permission. It allows access not just to AWS users authenticated to your account but to any authenticated AWS users period.
That means that any joe-schmoe with a free-tier account can now access your S3/AWS resources.
The challenge:
When visiting the challenge page, you are introduced to FileBulker: it reads a file for line separated filenames, and concatenates/outputs their contents to the page.
Navigating to the example.txt file directly in burp shows that the files subdomain points to an Amazon S3 bucket. Additionally, it shows the files from which the example text was read (files/loremipsum, hackers_subtitle).
Using awscli, I tried to determine what I had access to. Turns out I was able to write files directly to the s3 bucket, but could not list directories or download most files. Initially I thought I would have to upload some php and get RCE, but when we look at filer.sect.ctf.rocks/files we can already see what I need to read.
If we create a file called testspork.txt containing the line files/flag.php and add it to the s3 bucket using the command:
aws s3 mv testspork.txt s3://files.filer.sect.ctf.rocks --acl public-readNavigating to http://filer.sect.ctf.rocks/?bulkfile=http://files.filer.sect.ctf.rocks/testspork.txt gives us our flag:
This challenge was a lot of fun, especially since this issue had been in the back of my head for a while. Thanks again to @SEC_T_org, and Mathias Karlsson for putting it together.
Furthermore, anyone looking for more information on these kinds of vulnerabilities should checkout the links below, as well as Examples 5/6 in Section 9 of Peter Y’s awesome book Web Hacking 101, as well as his video below.
