Super Secure Static Website
The goal of the challenge is to list older versions of the static files to retrieve the flag.
Last updated
The goal of the challenge is to list older versions of the static files to retrieve the flag.
Last updated
We are given a link to admin-panel.pwndemanila.ph.
Checking its source code, we see that it loads a style.css and script.js. We also see that it does a call to the checkCreds() function.
Checking script.js, we find a hard coded password.
Submitting this in the panel, we get a 405 Method Not Allowed. This error relates to Amazon S3, a object store. This Stack Overflow forum covers this.
Enumerating via the awscli, when we do a Get-Object action to index.html, we see that there is a peculiar VersionId data on it. This can hint that Versioning may be enabled.
Amazon S3 Versioning allows users to keep multiple versions of the objects stored in S3.
Using this Amazon forum post, it is possible to retrieve an older version of the files stored in the bucket.
We can use the following command to get all the object versions, pipe it over to the objects.json file and manipulate it with jq.
aws s3api list-object-versions --bucket admin-panel.pwndemanila.ph > objects.json
cat objects.json | jq '.Versions | .[] | {"file": .Key, "VersionId": .VersionId, "IsLatest": .IsLatest, "LastModified": .LastModified}’Looking through the file, there is another version of script.js.
It is then possible to retrieve it via its version-id.
Reading the file, the flag is there in place of the old password.
