Shellcon 2018
Hey all, I don't normally do posts on infosec cons, so this is going to be part CTF writeup, and part highlight of all the amazing things at Shellcon this year. Shellcon is a small community-based conference in San Pedro, in the greater Los Angeles, California area. The conference organizers, the volunteers, and the community really bring this small event to life. To start, it was in a new venue, no longer the Youth Center from the old BSides LA days; Shellcon now had its own hotel and a much larger floor plan. The organizers and volunteers also felt extra epic in that they went out of their way to be inclusive and respectful to all community members. Below you can see a badge made by the community member notsosecure, which just goes to show how much individual love goes into this conference.
The CTF this year was also excellent, thrown by the legendary DC562, a local DEF CON group in the West LA area. My team was small, consisting of Tahkion, Servo, and myself, but "The Incidentals" took 2nd place. I really liked all of the different and creative challenges they had. This CTF was really neat because they would spin infrastructure up on the fly, as new teams registered. That said, some of my favorite challenges were when they would host a challenge on the open Internet, forcing players to use Shodan results, analyze open-source code on GitHub, access Tor hidden services, and even scan AWS S3 bucket names. We are going to cover one of the AWS examples, so you can play along on some of their infrastructure, which is hopefully still up. I really like these challenges because they represent a very common vulnerability in S3 buckets, where they are set to anonymous, or pseudo-anonymous, access permissions.
Web 100, "Study Harder":
In this challenge you are given some enigmatic sentence about a hidden shellconbeach, and must begin searching the web for such. The hint is even stranger, and really doesn't give you much of a good starting point. The next challenge mentioned a pail and bucket, which made me think of AWS buckets. So I grabbed a copy of bucket finder, made a short text list of potential bucket names, and started scanning AWS S3 buckets for all of the words in the challenge description. This worked and yielded a flag for s3://shellconbeach/flag.txt
Web 200, "Hidden Beach":
As you can see above, there is another bucket called shellconbeachball, but this one returns access denied. In AWS, you can have two types of anonymous buckets: one that is totally anonymous, of which the first challenge was an example, and another that is pseudo-anonymous and takes any valid AWS API key. The latter is the case in this challenge, and we need to make a valid AWS API key to be able to download this flag. First we need to get valid credentials from an AWS management console. After that we can set the credentials via the command line tool with aws configure or through setting the credentials at ~/.aws/credentials. Once we have our AWS keys set we can simply download the flag:
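From the bucket owner's side, the two states described above correspond to S3 ACL grants to the global AllUsers and AuthenticatedUsers groups. The following is an added example, not code from the original post: it classifies ACL documents in the shape boto3's get_bucket_acl returns, using constructed bucket names and a placeholder owner ID, and it checks ACLs only, not bucket policies.

```python
# Added example: flag S3 ACL grants that open a bucket to everyone
# ("anonymous") or to any AWS account ("pseudo-anonymous").
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
EXPOSURE = {ALL_USERS: "anonymous", AUTH_USERS: "any-aws-account"}
RANK = {"private": 0, "any-aws-account": 1, "anonymous": 2}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def classify_acl(acl):
    """Return one finding per grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user are not global
        exposure = EXPOSURE.get(grantee.get("URI"))
        if exposure is None:
            continue  # some other group, not one of the two global ones
        perm = grant.get("Permission", "")
        severity = "critical" if perm in WRITE_LIKE else "high"
        findings.append({"exposure": exposure, "permission": perm,
                         "severity": severity})
    return findings


def worst_exposure(acl):
    """Widest audience any grant reaches; 'private' if none is global."""
    levels = [f["exposure"] for f in classify_acl(acl)]
    return max(levels, key=RANK.get, default="private")


def audit(acls):
    return {name: worst_exposure(acl) for name, acl in acls.items()}


def _group(uri, perm):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


# Constructed sample ACLs (hypothetical bucket names, placeholder owner ID).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "example-open-bucket": {"Grants": [OWNER, _group(ALL_USERS, "READ")]},
    "example-authusers-bucket": {"Grants": [OWNER, _group(AUTH_USERS, "READ"),
                                            _group(AUTH_USERS, "WRITE")]},
    "example-private-bucket": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    for name, level in audit(SAMPLE_ACLS).items():
        print(f"{name}: {level}")
```

To run it against real buckets you own, pass each bucket's get_bucket_acl response to classify_acl in place of the constructed samples.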
There were other villages as well, such as a lock picking village and an IoT exploitation village, but I didn't have enough time to really explore these. I was able to catch several of the talks, some of my favorites being based on the cellular technologies, such as GitGiant on the LTE networks, or CellPhoneDude on a cellular pentest drop box. I was also able to sit in on an epic process hollowing workshop w/ MalwareTechBlog, where we did a deep dive with WinDbg. I really like that he handed out cheat-sheets, with some helpful commands, along with the VMs and presentation slides, which made following along to a difficult topic a little easier. He will be releasing the workshop soon as a stream and I recommend it if you find yourself using WinDbg heavily on Windows. Finally there is the bonfire and pizza party at the end. This is probably my favorite part because everyone just has a great time on the beach. If you haven't been before, I really encourage you to make it to the next Shellcon!