Damjan Cvetko

Developer, System Architect, Hacker.

Xmas CTF 2020 - Day 6

December 6, 2020

1 minute read

Challenge: Santa is always keeping up with the times. He asked his elves to build him a web page that will help with the ordering and distributing of presents. Being crunch time, the elves took some shortcuts to get the page up and running. Would you be willing to check if the elves made any mistakes that could leak possibly sensitive information?

URL: x.owasp.si

The page does not show more than an image of “Under Construction/Santa”, but the headers reveal it’s an S3 page.

I initially tried to get some info by requesting various apis, but eventually gave up and simply installed awscli. The issue was that the S3 bucket was not protected and we could simply list and download it.

$ aws s3 ls s3://x.owasp.si --no-sign-request
2020-12-01 20:55:03         22 6470e394cbf6dab6a91682cc8585059b.txt
2020-12-01 20:31:08        246 index.html
2020-12-01 20:31:09     123824 santa.png

Flag: xmas{naugh7y_and_n1c3}

What did I learn: Don’t try to talk to AWS directly, use a tool.

Xmas CTF 2020 - Day 5

Xmas CTF 2020 - Day 7

Damjan Cvetko

Xmas CTF 2020 - Day 6

Recent posts

VSCode PHP Debug Update November 2023

VSCode PHP Debug Release April 2022

VSCode PHP Debug Release January 2022

VSCode PHP Debug Release September 2021

Interactive debugging PHP with VS Code and Xdebug

Categories

About