CSAW CTF 2024 Quals - BucketWars (Web)

Omar Mohamed

بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ

Welcome to my first write-up on this new blog! In this post, we'll dive into the BucketWars challenge from the CSAW CTF 2024 Quals. This challenge involves exploring S3 bucket versioning and object retrieval.
For those interested, you can find the challenge repository on GitHub here.
Hope you enjoy this deep dive into BucketWars. Let’s get started!

Getting Started

The challenge was titled BucketWars, so the immediate assumption was that it involved S3 Buckets.
Main page
Naturally, my first move was to check the image src in hopes of getting the S3 bucket URL right away. Unfortunately, no luck—the image was hosted externally here.
However, the challenge description on the main page provided an important clue:
"Looking deeper into the stolen bucket only reveals past versions of our own selves one might muse."
Clearly, the key was in versioning. I headed to the Versions tab.

Exploring Versions

Upon checking the Versions tab, I found several versions labeled V1, V2, V3, V4, and V5.
Versions page
Exploring V1, I found nothing useful—neither on the page nor in the source code.
V1 page
I continued investigating the other versions, but they all contained just images with no apparent clues.
V3 page

Digging Deeper

While browsing the versions, I noticed a consistent URL pattern: index_v1.html, index_v2.html, etc. I decided to push the boundaries and try index_v6.html.
Not found page
Bingo! Although it returned a 404 Not Found, the response revealed something more valuable—the S3 bucket URL: https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io/.
Intrigued, I also spotted a file named 404.jpg. Thinking it might hide something, I tried using steghide to extract any hidden files:
```bash
steghide extract -sf 404.jpg
```
Unfortunately, no data was found. But I wasn't done yet.

Hitting a Wall: Access Denied

Next, I visited the S3 URL to see if it was publicly accessible.
S3 access denied
Denied! The bucket was private.
With the challenge’s focus on versioning still in mind, I started researching S3 versioning and found this AWS documentation.
It turns out that a versioning-enabled bucket retains every version of an object, not just the current one. I also discovered a method for listing all of those versions through the S3 REST API.

Breakthrough: Listing Versions

By appending /?versions to the S3 bucket URL, I could list the objects along with their VersionIds.
Listing bucket versions
Success! I now had the file names (AWS calls them "objects") and their associated versions. This opened the door to retrieving earlier versions of the files on the main website.

Retrieving Objects from a Versioned Bucket

Following the instructions from the AWS docs, I constructed URLs to retrieve the objects using the VersionId parameters.
Rather than manually constructing these URLs, I used ChatGPT to generate them for me.
ChatGPT-generated links
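The ?versions listing is an XML ListVersionsResult, and each retrieval URL is just the object URL with a versionId query parameter appended. The following Python script is an added example, not code from the original write-up: it parses a constructed sample listing (the VersionId values are placeholders), builds one URL per noncurrent version, including old versions of a key whose latest entry is only a delete marker, and counts how much history each key exposes, which is the check a bucket owner should run before granting anyone ListBucketVersions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
BUCKET_URL = "https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io"

# Constructed sample of what GET /?versions returns for a versioned bucket.
# The VersionId values are placeholders, not the challenge bucket's real ones.
SAMPLE_LISTING = """<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Version><Key>index_v1.html</Key><VersionId>VID-CURRENT-1</VersionId>
    <IsLatest>true</IsLatest><Size>900</Size></Version>
  <Version><Key>index_v1.html</Key><VersionId>VID-OLDER-1</VersionId>
    <IsLatest>false</IsLatest><Size>1200</Size></Version>
  <Version><Key>index_v1.html</Key><VersionId>VID-OLDEST-1</VersionId>
    <IsLatest>false</IsLatest><Size>1300</Size></Version>
  <DeleteMarker><Key>notes.txt</Key><VersionId>VID-DM-1</VersionId>
    <IsLatest>true</IsLatest></DeleteMarker>
  <Version><Key>notes.txt</Key><VersionId>VID-OLD-NOTES</VersionId>
    <IsLatest>false</IsLatest><Size>42</Size></Version>
</ListVersionsResult>"""

def parse_versions(xml_text):
    """Return one dict per <Version> or <DeleteMarker> entry in a ListVersionsResult."""
    root = ET.fromstring(xml_text)
    entries = []
    for tag in ("Version", "DeleteMarker"):
        for node in root.iter(S3_NS + tag):
            entries.append({
                "key": node.findtext(S3_NS + "Key"),
                "version_id": node.findtext(S3_NS + "VersionId"),
                "is_latest": node.findtext(S3_NS + "IsLatest") == "true",
                "delete_marker": tag == "DeleteMarker",
            })
    return entries

def noncurrent_urls(entries, bucket_url=BUCKET_URL):
    """GET URL for every real, noncurrent version: object URL plus ?versionId=...
    Old versions of a 'deleted' key (latest entry is a delete marker) are still fetchable."""
    return [f"{bucket_url}/{quote(e['key'])}?versionId={quote(e['version_id'])}"
            for e in entries if not e["is_latest"] and not e["delete_marker"]]

def exposed_history(entries):
    """Map key -> number of noncurrent versions, i.e. what a bucket owner should review."""
    counts = {}
    for e in entries:
        if not e["is_latest"] and not e["delete_marker"]:
            counts[e["key"]] = counts.get(e["key"], 0) + 1
    return counts
```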
Visiting the generated URLs, I finally uncovered some interesting content in the older versions of index_v1.html.
Past version of index_v1.html
Inspecting the source code revealed...
Source code from past version
An image hosted in the S3 bucket! I downloaded the image and again attempted to extract hidden data with steghide, but still, no luck.
Continuing my investigation through the various versions, I stumbled across another version of index_v1.html.
Another past version
The source code of this page revealed something even better—a password:
Password found
versions_leaks_buckets_oh_my

Extracting the Flag

Using this password, I revisited the image I had downloaded earlier and tried extracting hidden data once more:
```bash
steghide extract -sf sand-pit-1345726_640.jpg
```
This time, it worked! I successfully extracted the flag:
Extracting the flag
csawctf{lEaKY_Bu4K3tz_oH_m3_04_mY!}

Conclusion

That wraps up the BucketWars challenge! It was an enjoyable dive into S3 bucket versioning and object retrieval. I hope you found this write-up helpful.
Don’t forget to check out my X (formerly Twitter) for more updates. See you next time!
Peace.