Investigate S3 Bucket
When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.
Say, we've been having an issue with an Amazon S3 bucket.
Do you think you could help find Santa's package file?
Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files!
Digininja has a great guide, if you're new to S3 searching.
He even released a tool for the task - what a guy!
The package wrapper Santa used is reversible, but it may take you some trying.
Good luck, and thanks for pitching in!
Find Santa's Package
Find Santa's package file from the cloud storage provider. Check Josh Wright's talk for more tips!
Santa's Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.
Finding S3 Buckets
Robin Wood wrote up a guide about finding these open S3 buckets.
Leaky AWS S3 Buckets
It seems like there's a new story every week about data exposed through unprotected Amazon S3 buckets.
He even wrote a tool to search for unprotected buckets!
Updated welcome message
During the event the welcome message displayed when opening the terminal was updated with some additional hints.
Hints: Use the file command to identify a file type. You can also examine tool help using the man command. Search all man pages for a string such as a file extension using the apropos command. To see this help again, run cat /etc/motd.
First we need to find the S3 bucket that contains Santa's package file. Navigate to the `bucket_finder` folder, which contains a `bucket_finder.rb` script and a sample `wordlist` with some sample bucket names. Running `bucket_finder.rb wordlist` will find some buckets, but none will be publicly accessible.
The welcome message displayed when you connect to the terminal highlights the Wrapper3000 string, so add a couple of variations of the word to the `wordlist` file and execute the command `bucket_finder.rb wordlist --download`. This not only checks for publicly accessible S3 buckets matching the strings specified in the `wordlist` file, but also downloads the data.
During the event the `bucket_finder.rb` script was updated to limit the number of entries in the wordlist to 50.
HO HO HO The people at AWS are on the nice list this year! You shouldn't use such a long wordlist. Use the hints in the description for this challenge to help choose a small wordlist to find the missing bucket! Run 'cat /etc/motd' to see it again. SANTA
Now that the `package` file has been downloaded to `/home/elf/bucket_finder/wrapper3000/package`, we can start the process of unpacking it. We first need to determine the file type, though. Run `file package`, which will tell you that the file is ASCII text, with very long lines. `cat package` will show you the contents.
Looks like we're dealing with Base64-encoded data, which gives us our starting point. Since we can't be sure what the decoded data will be, we redirect the output to a file instead of the console using `cat package | base64 -d > package2`. From this point forward we repeat the process of identifying the file format and unpacking.
|#||Input file||File type||Unpack command|
Finally, after 7 steps, `cat package.txt` gives us the answer.
North Pole: The Frostiest Place on Earth
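The identify-then-unpack loop described above, as an added Python example that is not part of the original write-up: it recognizes each layer by its magic bytes and peels it in memory. The set of layer types (base64, zip, bzip2, tar, xz), all function names and the input produced by `build_sample` are assumptions made for illustration; the sample is constructed and is not the challenge file.

```python
import base64, binascii, bz2, io, lzma, tarfile, zipfile

# (offset, signature, layer): the magic bytes the `file` command keys on
MAGIC = [(0, b"PK\x03\x04", "zip"), (0, b"BZh", "bzip2"),
         (0, b"\xfd7zXZ\x00", "xz"), (257, b"ustar", "tar")]

def b64(data):  # strict decode: whitespace dropped, foreign bytes rejected
    return base64.b64decode(b"".join(data.split()), validate=True)

def identify(data):
    for offset, magic, kind in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return kind
    try:
        return "base64" if b64(data) else "plain"
    except binascii.Error:  # e.g. punctuation or bad padding: ordinary text
        return "plain"

def peel(data, kind):  # in memory only; member names never become paths
    simple = {"base64": b64, "bzip2": bz2.decompress, "xz": lzma.decompress}
    if kind in simple:
        return simple[kind](data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            (name,) = z.namelist()  # exactly one member expected
            return z.read(name)
    with tarfile.open(fileobj=io.BytesIO(data)) as t:  # kind == "tar"
        (member,) = t.getmembers()
        return t.extractfile(member).read()

def unwrap(data, max_layers=16):  # returns (layer names, payload)
    steps = []
    while (kind := identify(data)) != "plain":
        if len(steps) == max_layers:
            raise RuntimeError("too many nested layers")
        steps.append(kind)
        data = peel(data, kind)
    return steps, data

def build_sample(text):
    """Constructed input (not the challenge file): xz, tar, bzip2, zip, base64."""
    xz, tar_buf, zip_buf = lzma.compress(text), io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as t:
        info = tarfile.TarInfo("sample.txt.xz")
        info.size = len(xz)
        t.addfile(info, io.BytesIO(xz))
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("sample.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.encodebytes(zip_buf.getvalue())
```

`unwrap(open("package", "rb").read())` returns the layer names in order together with the innermost bytes. A layer type this sketch does not know is returned as plain data, to be identified by hand with `file`.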