[CyberDefenders write-up] Bucket
This week I will be working on some CyberDefenders challenges.
Let’s start with the ‘Bucket’.
Don’t forget that you will find more useful stuff on my landing page (link below).
There is also my LinkedIn profile URL, so if you want to stay in touch and build up your network, feel free to invite me and add a comment on where you found my content :)
Ok now we’re ready.
‘Bucket’ is an easy challenge where we will be dealing with Amazon AWS services a little bit. Here is our scenario:
And these are the credentials we will be using this time:
You can also download the challenge files, but there is only 1 TXT file including credentials. Let’s start out with a step-by-step process.
STEP 1
We need to log in to the AWS account by using the provided credentials.
Go to https://flaws2-security.signin.aws.amazon.com/console
and provide your login information.
Username: security
Password: password
The Account ID is already populated, and it’s slightly different, but no need to worry about it. Just sign in.
STEP 2
If you are new to using the AWS console or any other cloud service, it can seem overwhelming at first. If the page is loading slowly, this can add to the difficulty. To make it easier, look for the ‘view all services’ link and click it.
This will take you to the list of service categories. Choose ‘S3’ under the ‘Storage’ category.
This is our bucket where all logs are stored.
STEP 3
Let’s begin with the questions.
Q1
What is the full AWS CLI command used to configure credentials?
Here we just need to google it. I typed the phrase ‘AWS CLI configure credentials command’ into Google and one of the top results took me to the Amazon AWS documentation. I spotted the command in the screenshot below, and that was the answer to Q1.
Q2
What is the ‘creation’ date of the bucket ‘flaws2-logs’?
This one might be tricky for beginners, but notice that we must provide the time in UTC while the Amazon console shows UTC+1. Make the necessary adjustment to the time and this is the answer :)
Q3
What is the name of the first generated event -according to time?
Now we will be dealing with logs, and it doesn’t matter if you use native text editors to dig in raw data or the toolset suggested by CyberDefenders (and similar) — both ways are fine.
Our suggested toolset mentions JQ — a simple terminal tool to read json files in a more friendly way than just digging in raw logs.
To install JQ on our machine, open your terminal and type:
sudo apt-get install jq
Confirm with your password, hit ‘y’ and wait a little while.
Now download all logs from AWS.
There are two ways — you can go back to your browser (you should still be logged in) and download the logs one by one from the S3 management console,
Or you can use this command in your terminal.
aws s3 sync s3://flaws2-logs .
I did the first way as sometimes there are some permission issues on AWS.
Ok, once all the logs are on our machine, extract all the json files and keep them in one place. We will be using JQ to read them.
The syntax for JQ is quite straightforward. Just go to the folder where all logs are located and use
jq . [json filename]
Now let’s find the answer to our Q3.
We could easily look up creation dates on S3 Management console, but we can also check this manually by reading json files.
The very first log file is this one — 653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json, and when we open it with JQ we can see the ‘eventName’ value.
Q4
What source IP address generated the event dated 2018–11–28 at 23:03:20 UTC?
This time we need to check the ‘eventTime’ fields to find the relevant date and time, and then look at ‘sourceIPAddress’ in the same record.
We will find this IP
Q5
Which IP address does not belong to Amazon AWS infrastructure?
Here we have to check the ‘sourceIPAddress’ field in the json files and note down every value you find. When that’s done, we will use some OSINT tools to find the answer.
There were a total of 2 IP addresses:
Use any open source Whois tool you like. I just used one from the top Google results, which is https://who.is
The first one belongs to Amazon
The second one is Akamai Technologies, so this is our answer.
Q6
Which user issued the ‘ListBuckets’ request?
Hopefully you have left our json files open, as we need to find a particular user.
From the question we only know that this user issued a ‘ListBuckets’ request, which means the record we want has ‘ListBuckets’ as its ‘eventName’; the user is then in the ‘userIdentity’ field of that record.
After a while I found the answer:
Q7
What was the first request issued by the user ‘level1’?
Now the other way around — we need to find the username ‘level1’ and the first request this user made, so we search all the json files for ‘level1’ and then pick the matching record with the earliest ‘eventTime’.
Got it.
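As an added example (not part of the original write-up), here is a small Python script that does the Q3 to Q7 lookups over CloudTrail JSON in one pass instead of reading the files one by one with JQ. The records below are constructed, not the challenge’s real logs; for real files you would read each `*.json` from the download folder into the same dict.

```python
import json

# Constructed sample CloudTrail files (NOT the challenge's real logs).
# Each real file has a top-level {"Records": [...]} list, so the
# structure below mirrors what you get from the S3 bucket.
SAMPLE_FILES = {
    "a.json": json.dumps({"Records": [
        {"eventTime": "2018-11-28T22:31:59Z", "eventName": "AssumeRole",
         "sourceIPAddress": "lambda.amazonaws.com",
         "userIdentity": {"type": "AWSService"}},
    ]}),
    "b.json": json.dumps({"Records": [
        {"eventTime": "2018-11-28T23:05:10Z", "eventName": "GetObject",
         "sourceIPAddress": "203.0.113.5",
         "userIdentity": {"type": "IAMUser", "userName": "level1"}},
        {"eventTime": "2018-11-28T23:03:20Z", "eventName": "ListBuckets",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "level1"}},
    ]}),
}

def load_records(files):
    """Flatten every file's Records list into one timeline.
    eventTime is ISO 8601 with a 'Z' suffix, so string order is time order."""
    records = []
    for body in files.values():
        records.extend(json.loads(body)["Records"])
    return sorted(records, key=lambda r: r["eventTime"])

def first_event_name(records):          # Q3: earliest event by time
    return records[0]["eventName"]

def ip_at(records, when):               # Q4: source IP of the event at a UTC time
    return next((r["sourceIPAddress"] for r in records if r["eventTime"] == when), None)

def unique_source_ips(records):         # Q5: the list you then feed to Whois
    return sorted({r["sourceIPAddress"] for r in records})

def user_of(record):
    """userName for IAM users; assumed roles keep it under sessionIssuer."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("sessionContext", {}) \
        .get("sessionIssuer", {}).get("userName")

def who_issued(records, event_name):    # Q6: users behind a given eventName
    return [user_of(r) for r in records if r["eventName"] == event_name]

def first_request_by(records, user):    # Q7: earliest eventName for a user
    return next((r["eventName"] for r in records if user_of(r) == user), None)
```

The Whois step for Q5 still has to be done against the IPs `unique_source_ips` returns; service hostnames such as `lambda.amazonaws.com` show up in `sourceIPAddress` too and can be filtered out before the lookup.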
Well, looks like our first CyberDefenders challenge is now completed. It wasn’t very difficult, but it still needed some research to be able to provide the answers without using hints.
Hope you enjoyed it and see you soon!
Cheers!