Super Silly Security

Posted on Mon 20 March 2023 in ctf

This is a writeup of the Super Silly Security challenge from the Cloud category of vikeCTF.

(image: 9f4ac08b112fed78f5ed6af4ec27881c.png)

Following the provided URL shows the following page:

(image: d2a85d7ebaac1cdd89980651491fa147.png)

Googling for terms like "S3 ERROR: Not in Authenticated AWS User group" and "Authenticated AWS User group" brings up the following Stack Overflow question.

From that it is clear that anybody with an AWS account can download files from an S3 bucket that grants access to the "Authenticated Users" group. That group (ACL grantee URI `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`) is not "users of my organisation"; it means every AWS account in existence. A READ grant to it is therefore as good as public, the only difference being that the request has to be signed with some AWS credentials, which anyone can obtain for free.

So I did the following:

  1. Set up an AWS account
  2. Install the AWS CLI and configure it with the account's access key (`aws configure`)
  3. Download the flag with `aws s3 cp s3://super-silly-security.vikesec.ca/flag.png .`
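The steps above, plus the check I would run before (or instead of) blindly copying the object, as an added example that is not part of the original writeup: `aws s3api get-bucket-acl` returns the bucket ACL as JSON, and any grant whose grantee URI is the global `AuthenticatedUsers` or `AllUsers` group means the bucket is readable by every AWS account or by everyone, respectively. The bucket name is the one from the challenge; the ACL document embedded below is constructed to look like the CLI's output so the classifier can be exercised offline, and the live commands are left commented because they need real credentials.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Classifies an S3 bucket
# ACL (the JSON printed by `aws s3api get-bucket-acl`) by the widest group it
# grants anything to. The ACL below is constructed sample data; the bucket
# name is the one from the challenge.

AUTH_USERS_URI="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS_URI="http://acs.amazonaws.com/groups/global/AllUsers"
BUCKET="super-silly-security.vikesec.ca"

# classify_acl <acl-json>
# Prints "public" if any grant goes to AllUsers (no credentials needed),
# "authenticated" if any grant goes to AuthenticatedUsers (any AWS account
# in the world can use it), and "private" otherwise. Any permission on
# those groups counts: READ leaks data, WRITE/WRITE_ACP is worse.
classify_acl() {
  acl="$1"
  if printf '%s' "$acl" | grep -qF "$ALL_USERS_URI"; then
    echo public
  elif printf '%s' "$acl" | grep -qF "$AUTH_USERS_URI"; then
    echo authenticated
  else
    echo private
  fi
}

# Constructed sample: owner has FULL_CONTROL, AuthenticatedUsers has READ,
# which is the misconfiguration the challenge is built on.
SAMPLE_ACL='{
  "Owner": {"ID": "0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}'

# Constructed sample of how the ACL should look: owner only.
PRIVATE_ACL='{
  "Owner": {"ID": "0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
     "Permission": "FULL_CONTROL"}
  ]
}'

echo "sample bucket ACL:  $(classify_acl "$SAMPLE_ACL")"   # authenticated
echo "private bucket ACL: $(classify_acl "$PRIVATE_ACL")"  # private

# Live version of the same check and the download from the writeup.
# Both need credentials from `aws configure` (any AWS account will do,
# which is exactly the point of the challenge):
#   aws s3api get-bucket-acl --bucket "$BUCKET" --output json | { acl=$(cat); classify_acl "$acl"; }
#   aws s3 cp "s3://$BUCKET/flag.png" .
```

The grep-on-URI approach is deliberately dumb: it does not care which permission was granted, because no permission on either global group is acceptable for a bucket that is supposed to be private. The fix on the owner's side is to drop those grants (or, better, enable S3 Block Public Access and stop using ACLs altogether) and grant access to the specific accounts or roles that need it.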

And there it is:

(image: f657680bee78212bb529ddcb0f4da779.png)