Official Bucket Discussion

Rooted.

Hint for root:
If your POSTman is afraid of the tunnel, ask someone locally.
Wasted a bunch of my time here.

Good box though. PM for nudges.

Managed to grab some creds and also know how to get stuff into “the cloud” (used the API instead of the CLI, though). Just not sure how that links to the main page or how to get it executed over there :confused:
Anyone willing to spare a hint on how to proceed?

@HomeSen said:

Managed to grab some creds and also know how to get stuff into “the cloud” (used the API instead of the CLI, though). Just not sure how that links to the main page or how to get it executed over there :confused:
Anyone willing to spare a hint on how to proceed?

The annoyingly vague hint is “more enum”.

You should be able to see where an image is hosted and you can see if you write to that location. Then you can call it from there.

The biggest issue I found was how quickly you need to work. Scripting is a winner.

@TazWake said:

@HomeSen said:

Managed to grab some creds and also know how to get stuff into “the cloud” (used the API instead of the CLI, though). Just not sure how that links to the main page or how to get it executed over there :confused:
Anyone willing to spare a hint on how to proceed?

The annoyingly vague hint is “more enum”.

D’oh. I was afraid someone came up with that :smiley:

You should be able to see where an image is hosted and you can see if you write to that location. Then you can call it from there.

I see what you mean, here. Will try that. Thanks.

The biggest issue I found was how quickly you need to work. Scripting is a winner.
Good to know. Because on the other location it remained for quite some time.

Type your comment> @TazWake said:

The annoyingly vague hint is “more enum”.

You should be able to see where an image is hosted and you can see if you write to that location. Then you can call it from there.

The biggest issue I found was how quickly you need to work. Scripting is a winner.

I understand what you mean here and I was trying to go down this route using the API - but I can’t get it to hit the “local” bucket instead of the amazonaws endpoint…can I DM?

EDIT: figured out how to write it to that location , now on to actually getting a foothold…

@r1cin said:

can I DM?

Yes - and I will always try to help if I can but I cant say how quickly I’ll reply. I try to be fast but circumstances vary.

@TazWake said:

The biggest issue I found was how quickly you need to work. Scripting is a winner.

It seems to me that the issue is of a different nature: There is enough time to do things manually, once the upload got deployed. But there seems to be quite a huge delay between upload and deployment.

I think I’ve managed to find some credentials on AWS s3 bucket but they look like dummy credentials? so far pretty confused on what to do? Can I DM someone about this? Thank you.

Been reading docs for ages now lol.

Type your comment> @PapyrusTheGuru said:

I think I’ve managed to find some credentials on AWS s3 bucket but they look like dummy credentials? so far pretty confused on what to do? Can I DM someone about this? Thank you.

Been reading docs for ages now lol.

Sometimes you can do lots of things without creds, e.g. exploring as you’ve done passively. But what active enum have you tried?

Type your comment> @beefsprocket said:

Type your comment> @PapyrusTheGuru said:

I think I’ve managed to find some credentials on AWS s3 bucket but they look like dummy credentials? so far pretty confused on what to do? Can I DM someone about this? Thank you.

Been reading docs for ages now lol.

Sometimes you can do lots of things without creds, e.g. exploring as you’ve done passively. But what active enum have you tried?

I’ve mostly been messing around with a*s-c*i and trying to check if it’s misconfigured, I’ve also done directory busting on it, I’ve so far found /s**ll (dyn*m**b) and, I also read a lot about the a*s SDK for dyn*m**b to see if i could do something with it - I could not, as far as I am aware. Although for some reason inst*nce meta-d**a returned IAM credentials/keys, as far I was concerned this is a s* bucket, NOT a ec* instance.
I’m pretty stuck right now, I’m fairly new to AWS but this machine has already made me learn plethora of things about the service!

I’ve read documentation on s*, a*s-c*i, seen CTF writeups which involve that particular service, and even some talks, blogs etc. Most of the stuff I’m able to enumerate is mostly regurgitated information that doesn’t seem to help. Maybe I’m going about wrong here?

Just rooted. It was very close to real life. I think it’s a hard box. You have to be master of database. You should use your knowledge to show bond creativity.
Good luck!

Type your comment> @PapyrusTheGuru said:

I’m pretty stuck right now, I’m fairly new to AWS but this machine has already made me learn plethora of things about the service!

You’re definitely on the right track. Maybe step back for a moment and consider how the s* service is used as a part of the overall architecture of the site. It isn’t just for the dyn*m**b UI.

I’ve read documentation on s*, a*s-c*i, seen CTF writeups which involve that particular service, and even some talks, blogs etc. Most of the stuff I’m able to enumerate is mostly regurgitated information that doesn’t seem to help. Maybe I’m going about wrong here?

It is quite a lot of work to learn it, and then in this environment to have to use some of the more obscure flags to override defaults makes it even tricker. But keep at it, it sounds like you’re starting to get the big picture which is what this box is all about.

Type your comment> @beefsprocket said:

Type your comment> @PapyrusTheGuru said:

I’m pretty stuck right now, I’m fairly new to AWS but this machine has already made me learn plethora of things about the service!

You’re definitely on the right track. Maybe step back for a moment and consider how the s* service is used as a part of the overall architecture of the site. It isn’t just for the dyn*m**b UI.

I’ve read documentation on s*, a*s-c*i, seen CTF writeups which involve that particular service, and even some talks, blogs etc. Most of the stuff I’m able to enumerate is mostly regurgitated information that doesn’t seem to help. Maybe I’m going about wrong here?

It is quite a lot of work to learn it, and then in this environment to have to use some of the more obscure flags to override defaults makes it even tricker. But keep at it, it sounds like you’re starting to get the big picture which is what this box is all about.

Thank you so much for the clarification! I was having some difficulties with wondering if I was in a rabbit hole or not! This box seems really neat with a well executed concept so far.

@HomeSen said:
@TazWake said:

The biggest issue I found was how quickly you need to work. Scripting is a winner.

It seems to me that the issue is of a different nature: There is enough time to do things manually, once the upload got deployed. But there seems to be quite a huge delay between upload and deployment.

Do you mean that it is accessible from the main domain once uploaded to the bucket?

Type your comment> @syn4ps said:

@HomeSen said:
@TazWake said:

The biggest issue I found was how quickly you need to work. Scripting is a winner.

It seems to me that the issue is of a different nature: There is enough time to do things manually, once the upload got deployed. But there seems to be quite a huge delay between upload and deployment.

Do you mean that it is accessible from the main domain once uploaded to the bucket?

OK, just have to wait a bit :slight_smile: Thanks @TazWake

Got initial foothold!
Onto User :slight_smile:

Can anyone help me with bucket

@zatch3301 said:

Can anyone help me with bucket

It depends on what the problem is.

I started the bucket box got second page also got the concept.
stuck on Buc***-name. PM me

Hey I’m stuck on foothold. I can change the main page but I don’t seem to understand how I can get a shell. Can someone PM me for help?