Objective 2: Investigate S3 Bucket
When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.
This objective was similar to a kiosk, though it had external access. I opened it up and was presented with:
Can you help me? Santa has been experimenting with new wrapping technology, and
we've run into a ribbon-curling nightmare!
We store our essential data assets in the cloud, and what a joy it's been!
Except I don't remember where, and the Wrapper3000 is on the fritz!
Can you find the missing package, and unwrap it all the way?
Hints: Use the file command to identify a file type. You can also examine
tool help using the man command. Search all man pages for a string such as
a file extension using the apropos command.
To see this help again, run cat /etc/motd.
elf@7cd45a25a6ee:~$
Perhaps the big hint is that the MOTD mentions that everything I need to solve the puzzle is right here in this terminal. I took this fairly literally and ran the following to generate a wordlist:
cat /etc/motd | tr ' ' '\n' | grep . | sort | uniq | tr [:upper:] [:lower:] | sed 's/\x1b\[[0-9;]*m//g' > ./bucket_finder/wordlist
Which simply takes the contents of the MOTD, removes spaces and replaces with newlines, removes blank lines, sorts the list and removes duplicates, changes all uppercase characters to lowercase, removes any ANSI color code characters, then dumps the results into a file called "./bucket_finder/wordlist".
Once I created the wordlist, I ran it using:
./bucket_finder.rb wordlist
...only to be met with:
elf@7cd45a25a6ee:~/bucket_finder$ ./bucket_finder.rb wordlist
_
' `
,`-' __
( ,-" "---, _ ,'
`--"| ,' ,-" ' )--' /
| / //",-",-._,'."-- . _
`/ .--="_.' / `.
; /`""" `-' `
\( , `
``-\ '
," ( ,'
,' `.._ __,-"\-,
' `-.-._,._,'__... `,-.
,' . __ \ ,-. \-: \
, __ _/-" \,--""\ \_\ \_\_/
, ,-" / ' _.--\_..." \
, { _,-" -" |
` ` `-" __..`-.
\ \ ,-" __..-"" .
`-._ "" __,--" __...'
\ _,--" __..--"" /
: _..-"" __.,-'" _.-'
,-"" _.,-"" ,'
; _.-"" ,'
| _.-" ,"
`'..._ /
` _ /
`.___...-; `"-./
| ' | '
| ' | I__
,= .-._| |_|`.__.' KaK
`--"
HO HO HO
The people at AWS are on the nice list this year! You shouldn't use such a long
wordlist. Use the hints in the description for this challenge to help choose a
small wordlist to find the missing bucket! Run 'cat /etc/motd' to see it again.
Whoops. I swear this worked before. I guess they patched it because Amazon was complaining. Can't say I blame them.
I can trim it down a bit to a more pointed list:
elf@7cd45a25a6ee:~/bucket_finder$ ./bucket_finder.rb wordlist
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 ) <==
<Public> http://s3.amazonaws.com/wrapper3000/package <==
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
Bucket found but access denied: santa
http://s3.amazonaws.com/command
Bucket found but access denied: command
http://s3.amazonaws.com/identify
Bucket found but access denied: identify
http://s3.amazonaws.com/joy
Bucket found but access denied: joy
http://s3.amazonaws.com/ribbon-curling
Bucket does not exist: ribbon-curling
http://s3.amazonaws.com/unwrap
Bucket does not exist: unwrap
http://s3.amazonaws.com/wrapping
Bucket wrapping redirects to: wrapping.s3.amazonaws.com
http://wrapping.s3.amazonaws.com/
Bucket found but access denied: wrapping
elf@7cd45a25a6ee:~/bucket_finder$
I see that wrapper3000 is an official S3 bucket! I can download it by adding the --download option:
./bucket_finder.rb wordlist --download
It adds a new directory named "wrapper3000", and inside that is a file named "package." Not knowing what it was, I ran a file against it:
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ file ./package
./package: ASCII text, with very long lines
The contents:
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ cat ./package
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlV
UCQADoBfKX6AXyl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/
xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/
VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+S
qsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIWaJMiEeSX992uxod
RJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0ok
b1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceD
QexsLsJ3C89Z/
gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/
OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSB
AAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwU
GAAAAAAEAAQBiAAAA9QEAAAAA
That sure looks like base64 to me.
base64 -d ./package > package.bin
The contents of the file:
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ file ./package.bin
./package.bin: Zip archive data, at least v1.0 to extract
Correcting the extension (because the unzip executable doesn't like unzipping a file unless the extension is .zip) and unzipping:
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ mv package.bin package.zip
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ unzip ./package.zip
Archive: ./package.zip
extracting: package.txt.Z.xz.xxd.tar.bz2
A lot of layers to this one!
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ tar -jxvf ./package.txt.Z.xz.xxd.tar.bz2
package.txt.Z.xz.xxd
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ xxd -r ./package.txt.Z.xz.xxd > package.txt.Z.xz
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ xz -d -v ./package.txt.Z.xz
./package.txt.Z.xz (1/1)
100 % 104 B / 45 B = 2.311
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ uncompress ./package.txt.Z
Ta da!
elf@7cd45a25a6ee:~/bucket_finder/wrapper3000$ cat package.txt
North Pole: The Frostiest Place on Earth