CSAWCTF2024Quals-BucketWars(Web)
Omar Mohamed
Thanks for sharing!
بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ
BucketWars - CSAW CTF 2024 Quals
Welcome to my first write-up on this new blog! In this post, we'll dive into the BucketWars challenge from the CSAW CTF 2024 Quals. This challenge involves exploring S3 bucket versioning and object retrieval.
For those interested, you can find the challenge repository on GitHub here.
Hope you enjoy this deep dive into BucketWars. Let’s get started!
Getting Started
The challenge was titled
BucketWars, so the immediate assumption was that it involved S3 Buckets.
Naturally, my first move was to check the image
src in hopes of getting the S3 bucket URL right away. Unfortunately, no luck—the image was hosted externally here.However, the challenge description on the main page provided an important clue:
"Looking deeper into the stolen bucket only reveals past versions of our own selves one might muse."
Clearly, the key was in versioning. I headed to the
Versions tab.Exploring Versions
Upon checking the
Versions tab, I found several versions labeled V1, V2, V3, V4, and V5.
Exploring
V1, I found nothing useful—neither on the page nor in the source code.
I continued investigating the other versions, but they all contained just images with no apparent clues.
Digging Deeper
While browsing the versions, I noticed a consistent URL pattern:
index_v1.html, index_v2.html, etc. I decided to push the boundaries and try index_v6.html.
Bingo! Although it returned a
404 Not Found, the response revealed something more valuable—the S3 bucket URL: https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io/.Intrigued, I also spotted a file named
404.jpg. Thinking it might hide something, I tried using steghide to extract any hidden files:bash
steghide extract -sf 404.jpg
Unfortunately, no data was found. But I wasn't done yet.
Hitting a Wall: Access Denied
Next, I visited the S3 URL to see if it was publicly accessible.
Denied! The bucket was private.
With the challenge’s focus on versioning still in mind, I started researching S3 versioning and found this AWS documentation.
It turns out that
versioning-enabled buckets store multiple versions of objects. I also discovered a method for listing objects in a versioned bucket using the S3 REST API.Breakthrough: Listing Versions
By appending
/?versions to the S3 bucket URL, I could list the objects along with their VersionIds.
Success! I now had the file names (AWS calls them "objects") and their associated versions. This opened the door to retrieving earlier versions of the files on the main website.
Retrieving Objects from a Versioned Bucket
Following the instructions from the AWS docs, I constructed URLs to retrieve the objects using the
VersionId parameters.Rather than manually constructing these URLs, I used ChatGPT to generate them for me.
Visiting the generated URLs, I finally uncovered some interesting content in the older versions of
index_v1.html.
Inspecting the source code revealed...
An image hosted in the S3 bucket! I downloaded the image and again attempted to extract hidden data with
steghide, but still, no luck.Continuing my investigation through the various versions, I stumbled across another version of
index_v1.html.
The source code of this page revealed something even better—a password:
versions_leaks_buckets_oh_my
Extracting the Flag
Using this password, I revisited the image I had downloaded earlier and tried extracting hidden data once more:
bash
steghide extract -sf sand-pit-1345726_640.jpg
This time, it worked! I successfully extracted the flag:
csawctf{lEaKY_Bu4K3tz_oH_m3_04_mY!}
Conclusion
That wraps up the
BucketWars challenge! It was an enjoyable dive into S3 bucket versioning and object retrieval. I hope you found this write-up helpful.Don’t forget to check out my X (formerly Twitter) for more updates. See you next time!
Peace.
Tags:
| CTF
