2024 Business CTF - Vault of Hope: Protrude

#htb #ctf #cloud #aws #iam #credential

Challenge Information

AttributeDetails
Event2024 Business CTF - Vault of Hope
CategoryCloud
ChallengeProtrude
DifficultyEasy

Summary

The Protrude challenge involves AWS credential enumeration and IAM analysis. Participants receive AWS credentials and must use the AWS CLI to gather information about the AWS environment, including directory services (AWS Directory Service/Simple AD), DynamoDB endpoints, and other cloud infrastructure details. The challenge demonstrates how cloud credentials can be used to gather reconnaissance information about AWS environments.

Analysis

The challenge provides AWS credentials and access to an AWS account. Key information that can be enumerated includes:

  1. Caller Identity: Using aws sts get-caller-identity reveals:

    • UserId: AIDAXYAFLIG2E6UQ3YIVB
    • Account: 532587168180
    • ARN: arn:aws:iam::532587168180:user/aalmodovar

  2. Directory Services: Using aws ds describe-directories reveals:

    • Directory Name: vault101.wasteland.local
    • DirectoryId: d-9067e0513b
    • Access URL: vault101.awsapps.com (WorkDocs service)
    • Type: SimpleAD

  3. DynamoDB Endpoints: Using aws dynamodb describe-endpoints provides endpoint information

  4. Session Tokens: Using aws sts get-session-token generates temporary credentials

Solution

Step-by-step exploitation approach:

  1. Configure AWS CLI:

    Terminal window
    aws configure

    Enter the provided access key, secret key, and region.

  2. Enumerate Caller Identity:

    Terminal window
    aws sts get-caller-identity --output json

    Extract account ID and user information.

  3. Enumerate Directory Services:

    Terminal window
    aws ds describe-directories --output json

    Identify AWS Directory Service instances and their DNS settings.

  4. Enumerate DynamoDB:

    Terminal window
    aws dynamodb describe-endpoints --output json

    Locate DynamoDB endpoints in the account.

  5. Enumerate IAM Roles and Users:

    Terminal window
    aws iam list-roles
    aws iam list-users

  6. Run IAM Enumeration Tools: The challenge notes reference enumerate-iam.py, a tool for comprehensive IAM permission enumeration:

    Terminal window
    python3 enumerate-iam.py --access-key <KEY> --secret-key <SECRET>

The flag format appears to be based on the discovered account information and AWS resources.

Key Takeaways

  • AWS credentials can be used to enumerate extensive infrastructure information
  • The AWS CLI is a powerful reconnaissance tool for cloud infrastructure
  • Directory services, DynamoDB, and IAM information can reveal account structure
  • Understanding AWS service enumeration is critical for cloud security assessments
  • Session tokens enable temporary access with time-limited credentials
  • IAM enumeration tools can discover all permissions within an AWS account