Participants’ reviews about the #stopkrkanalytica challenge

We are trying our hand at organising the CTF (capture-the-flag) challenge. Well, why not? As a part of this year’s CONFidence edition (Krakow 2018), we decided to prepare something new and unconventional for the event participants.

 

We set up the #stopkrkanalytica challenge in the cloud security area, due to the growing demand of companies for this type of service. The inspiration for creating the story background was current news regarding the Cambridge Analytica case.

 

The competition received a lot of attention, and this interest exceeded our expectations!

Here, you can find more details about the challenge.

 

We want to thank all participants and hope they had fun together. We collected some of their impressions below. Read on and compare them with yours!

 


 

An interesting thing here is the fact that anyone can name their bucket as they want. This may induce some risks, e.g. cyber criminals can use it for phishing attacks (if a company broadly uses buckets “example-media” and “example-doc”, then it would be quite easy to convince an employee to download a file from “example-policies”).
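A defensive check for the risk described above, as an added example that is not part of the original article: it classifies S3 links (for instance, links found in inbound e-mail) as owned, lookalike or unrelated. The allowlist uses the bucket names from the text; treating the shared "example-" prefix as a company naming convention is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumptions: bucket names come from the example in the text; the shared
# "example-" prefix stands in for a company naming convention.
OWNED_BUCKETS = {"example-media", "example-doc"}
ORG_PREFIX = "example-"

# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com
VHOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
                   r"\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/..., s3.<region>.amazonaws.com/<bucket>/...
PATH_HOST = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")

def bucket_from_url(url):
    """Return the S3 bucket a URL points at, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    match = VHOST.match(host)
    if match:
        return match.group("bucket")
    if PATH_HOST.match(host):
        first = parsed.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None

def classify(url):
    """Label a link as owned / lookalike / other-s3 / not-s3."""
    bucket = bucket_from_url(url)
    if bucket is None:
        return "not-s3"
    if bucket in OWNED_BUCKETS:
        return "owned"
    if bucket.startswith(ORG_PREFIX):
        return "lookalike"  # company-style name that the company does not own
    return "other-s3"

# Constructed sample links, e.g. extracted from inbound e-mail.
SAMPLE_URLS = [
    "https://example-media.s3.amazonaws.com/logo.png",
    "https://example-policies.s3.eu-west-1.amazonaws.com/policy.docx",
    "https://s3.amazonaws.com/example-policies/policy.docx",
    "https://example.com/doc.pdf",
]
if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u), u)
```
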

 

Which element of the challenge was the most difficult for you?

Backup analyzing – there were probably the most potential threads. WordPress, users.sql, private.zip, xlsexcele and e-mails. In e-mails, there were also a lot of potential attack vectors. If I had known that AWS snapshots could be public, it would have been easier. But it also was my first meeting with AWS.

The entire task seemed interesting to me from the very beginning. I have more experience with reversing or classic CTF tasks. Web security tasks are always a bigger problem for me, so I like practicing them. When it turned out that the task concerned mainly the AWS services, I thought it was a great opportunity to learn something new.

When I started to solve the challenge, there were no hints, so I tried to look for solutions. Maybe there is a domain and an info leak? Or maybe I just have to look for other buckets using a brute force attack…? 😉

I have never used AWS, so I didn’t know its specifics. If I hadn’t got the clue with a link to the S3 scanner, I probably wouldn’t have solved the problem. I didn’t have enough time to discover how S3 works and that it allows discovering buckets at all.

The beginning was definitely the most difficult part. I paid too much attention to S3 krkanalytica-confidential, forgetting that valuable information can also be found in other S3, which is why I wasted a lot of time. I also spent unnecessary time breaking the password for the private.zip file (you could easily guess it) and later browsing its contents.

 


 

Which part surprised you the most?

Probably the end of the challenge. I was expecting some kind of a flag as a text but there was a QR code which led to Zuckerberg’s photo. I thought it was a fake clue and the last attempt to get the rider off the attacker. And I thought I had done something in a wrong way. However, after a moment of thinking it turned out that everything was ok. I put my initial hesitation down to the fact that I finished solving the task around 1AM. 🙂

The need of getting quickly acquainted with AWS and services which I have used occasionally so far – it was probably the most difficult element for me. I also had to learn typical security problems of these solutions.

The fact I had to fire instances on EC2!

The thing which surprised me the most was the QR code in a file with secret codes. I thought it was the next stage in the stegano category. I expected a flag similar to KrkA {…} or some text “Super secret code is: 000000000”.

 


 

Which part was the most time-consuming?

Probably the first stage – searching for the second S3 container (“-backup”). I had tried other tools (WaybackMachine) before I used lazys3 but without success.

The very beginning was difficult for me because I didn’t know where I should start. The only hint I had was to look for similar buckets and it helped me move it forward. The second element which took me a lot of time was the problem with mounting a snapshot from a different region than the one where I could run EC2 instances. Later, I discovered the possibility of copying snapshots between regions.

Browsing the eloquent PE, ‘WANNASEX.EXE’ and ‘STARFUCK.EXE’, which totally took over my VM for several minutes.

I solved the task in a few steps, so it’s a bit difficult to specify which element was the most time-consuming. For quite a long time, I was trying to crack passwords from the users.sql database assuming it’s a crypto task. Later, it turned out to be a dead end. It took me a while to create a disk from the snapshot, connect it to the machine, and create the machine itself in a super-clear AWS console (compared to Google Cloud).

 


 

What did you like most?

The whole task was really cool despite the difficulties in some stages. Perhaps my favourite moment was after making a “git log” when I saw a message starting with: “Ooops forgot to remove access keys” – then I knew I was already close.

My favourite moments were when I was able to find some configuration errors, which I was reading about a moment earlier, such as bad management of file access levels in the bucket.

Getting the keys, of course. 😉

# git log --oneline
edd5e96 Ooops forgot to remove access keys
b15890b init commit

My favourite moment was after entering the command “git log” when I saw a commit with a comment about AWS keys removal. I knew the flag was mine.
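Why the cleanup commit quoted above did not help, as an added example that is not part of the original article or the challenge's code: it scans the output of `git log -p --format='commit %h %s'` for AWS access key IDs on added and removed lines. The commit IDs and messages are the ones shown above; the file name deploy.cfg and the key (AWS's documentation placeholder) are constructed.

```python
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed sample of `git log -p --format='commit %h %s'` output.
SAMPLE_LOG = """\
commit edd5e96 Ooops forgot to remove access keys

diff --git a/deploy.cfg b/deploy.cfg
--- a/deploy.cfg
+++ b/deploy.cfg
@@ -1,3 +1,1 @@
 region = eu-west-1
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key = <placeholder>
commit b15890b init commit

diff --git a/deploy.cfg b/deploy.cfg
new file mode 100644
--- /dev/null
+++ b/deploy.cfg
@@ -0,0 +1,3 @@
+region = eu-west-1
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = <placeholder>
"""

def find_keys(log_text):
    """Return (commit, path, 'added'|'removed', key_id) for every key in the patches."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("+++ ", "--- ")):
            if line[4:] != "/dev/null":
                path = line[6:]  # drop the "a/" or "b/" prefix
        elif line.startswith(("+", "-")):
            change = "added" if line[0] == "+" else "removed"
            for key in KEY_ID.findall(line[1:]):
                findings.append((commit, path, change, key))
    return findings

def exposed_despite_removal(findings):
    """Key IDs that a later commit deleted but an earlier commit still contains."""
    added = {f[3] for f in findings if f[2] == "added"}
    removed = {f[3] for f in findings if f[2] == "removed"}
    return sorted(added & removed)
```

Any hit means the key has to be revoked and rotated: deleting it in a new commit leaves it readable in the repository history.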

 


 

What made you decide to take part in the challenge?

I was hoping for a prize – it’s always nice to win something, but my main motivation was to try my hand.

The task was interesting for a number of reasons. The prize was very attractive, for sure. But the opportunity to learn new interesting techniques and acquire skills was even more important. In addition, the task had a storyline and it’s always nice and helps better empathize with the action. The immersion is higher 🙂

I saw the challenge and decided to give it a try. Especially because I didn’t have a broad experience with cloud security. And … I cannot deny that I’m waiting for T-shirts!

I decided to participate in the challenge because of the prize. An additional motivation was the fact that after 2 days only 4 people solved the task, so there was still time to take the task at the weekend and to

 


 

 

Are you ready to try your hand and solve the challenge? You really should have a go: https://www.securing.pl/krkanalytica/index.html.

 

If you are stuck, please find some clues in our write-ups.

 

Do you want to share your opinion about the challenge? Let us know at krkanalytica@securing.pl. We will be glad to hear your opinion!

 
