# CipherSpokes NetOps

<figure><img src="/files/Blf7eRmKCXGdqxmYttSf" alt=""><figcaption></figcaption></figure>

Checking the DNS, we can see that the challenge is hosted on AWS S3.

<figure><img src="/files/CTvu1sL8cVL1s1y0Bbeg" alt=""><figcaption></figcaption></figure>

Since the challenge hint mentioned fuzzing, let's fuzz for other possible bucket names.

{% code overflow="wrap" %}

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://hexnova.quest -H "Host: FUZZ.hexnova.quest"
```

{% endcode %}

<figure><img src="/files/O0I5ZmL193WNfuxRPeRz" alt=""><figcaption></figcaption></figure>

We got a hit on gateway.hexnova.quest.

Viewing the page source of gateway, we found a link to Google Cloud Storage as well as a command to get the flag.

<figure><img src="/files/eTCoeYqTcQyTvGselzZd" alt=""><figcaption></figcaption></figure>

Viewing the index.html, we see multiple references to a file called key.zip.

<figure><img src="/files/zsMFNa7TqHrvYdvoLaTz" alt=""><figcaption></figcaption></figure>

We are then able to download the key.zip file.

<figure><img src="/files/R1R8v9V4YshoMzbmRVn9" alt=""><figcaption></figcaption></figure>

The zip file has a password which is trivial to crack.

<figure><img src="/files/0pARHXfSSXljtmv82VFp" alt=""><figcaption></figcaption></figure>

With that, we are able to activate the service account and get the flag.

```bash
gcloud auth activate-service-account --key-file=key.json
```

<figure><img src="/files/oGBArzPMJOJB4a3u3QRk" alt=""><figcaption></figcaption></figure>
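The root cause here is a service account key shipped inside published site content. As an added example (not part of the original writeup), this is a pre-publish check that scans a static site directory for GCP service account key JSON, including inside zip archives, and reports encrypted archive members because their contents cannot be vetted. The directory layout, the placeholder key and all function names are constructed for illustration.

```python
import io
import json
import tempfile
import zipfile
from pathlib import Path

def is_sa_key(data: bytes) -> bool:
    """True if data parses as a GCP service account key (JSON with a private key)."""
    try:
        doc = json.loads(data)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc

def scan_zip(data: bytes, label: str) -> list:
    """Inspect archive members; encrypted ones are reported because they cannot be vetted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # bit 0 of the general purpose flags = encrypted
                findings.append(f"{label}!{info.filename}: encrypted member, cannot inspect")
            elif is_sa_key(zf.read(info)):
                findings.append(f"{label}!{info.filename}: service account key")
    return findings

def scan_tree(root) -> list:
    """Walk a directory that is about to be published and list credential findings."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data, rel = path.read_bytes(), path.relative_to(root).as_posix()
        if zipfile.is_zipfile(io.BytesIO(data)):
            findings += scan_zip(data, rel)
        elif is_sa_key(data):
            findings.append(f"{rel}: service account key")
    return findings

def demo() -> list:
    """Constructed sample site: an index.html plus a key.zip holding a placeholder key."""
    fake_key = json.dumps({"type": "service_account", "private_key": "PLACEHOLDER",
                           "client_email": "svc@example-project.iam.gserviceaccount.com"})
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.html").write_text("<a href='key.zip'>key.zip</a>")
        with zipfile.ZipFile(Path(tmp, "key.zip"), "w") as zf:
            zf.writestr("key.json", fake_key)
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_tree` against the build output before syncing it to a bucket and fail the deploy on any finding.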
