2023 Business CTF: Unveiled

#htb #ctf #cloud #aws #s3 #bucket-enumeration

Challenge Information

AttributeDetails
Event2023 Business CTF
CategoryCloud
ChallengeUnveiled
DifficultyEasy

Summary

The challenge involves a web application running on port 80 that references an S3 bucket at s3.unveiled.htb. The application loads external JavaScript from http://s3.unveiled.htb/unveiled-backups/main.js. Your goal is to enumerate the S3 bucket and discover confidential information stored within.

Analysis

Initial reconnaissance shows:

  • HTTP service on port 80 (Apache httpd 2.4.41)
  • Reference to S3 endpoint: s3.unveiled.htb
  • Bucket name: unveiled-backups
  • Script tag: <script src="http://s3.unveiled.htb/unveiled-backups/main.js"/>

The application suggests the presence of misconfigured S3 buckets with public or weakly protected access.

Solution

S3 enumeration steps:

  1. Identify the S3 endpoint: The script references s3.unveiled.htb hosting the unveiled-backups bucket

  2. Check bucket accessibility:

    Terminal window
    # Use aws-cli with endpoint URL
    aws s3api list-buckets --endpoint-url=http://s3.unveiled.htb --region eu-south-1
    aws s3api get-bucket-versioning --bucket unveiled-backups --endpoint-url=http://s3.unveiled.htb --region eu-south-1

  3. Enumerate bucket contents:

    Terminal window
    aws s3 ls s3://unveiled-backups/ --endpoint-url=http://s3.unveiled.htb --recursive

  4. Download exposed files: Extract any credentials, configuration files, or sensitive data from the bucket

Common AWS S3 security issues to look for:

  • Public read access (ACL misconfiguration)
  • Missing block public access settings
  • Unencrypted sensitive data
  • Exposed credentials or API keys
  • Backup files with version history

Key Takeaways

  • S3 bucket misconfiguration is a common source of data breaches
  • Always check HTTP responses for cloud service references
  • AWS CLI can interact with S3-compatible endpoints beyond AWS
  • Bucket versioning can expose multiple versions of sensitive data
  • Proper ACL and bucket policies are essential for security
  • Regular audits of cloud storage permissions are critical