Challenge Overview

This CTF challenge involves exploiting an AWS SQS (Simple Queue Service) implementation to manipulate a shopping website. The goal is to bypass the normal cash charging mechanism to purchase an expensive flag.

Reconnaissance

Initial Access

We begin with AWS credentials for a user called "cg-sqs-user" and a web application IP:

# AWS Credentials
Access Key ID: AKIAZEHEIOHNLVP7DLUZ
Secret Key: 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

# Web Application
URL: http://54.234.95.245:5000

User Enumeration

After configuring the AWS CLI with the provided credentials, we enumerated the user's permissions.

The most significant permission discovered is an sts:AssumeRole grant scoped to a single role:

"sts:AssumeRole": {
  "Resources": [
    "arn:aws:iam::XXXXXXXXXXXX:role/cg-sqs-send-message-cgidt7d3b7gxdc"
  ]
}

Role Investigation

We examined the role that our user can assume:

aws iam get-role --role-name cg-sqs-send-message-cgidt7d3b7gxdc --profile sq

And listed its attached policies:

aws iam list-role-policies --role-name cg-sqs-send-message-cgidt7d3b7gxdc --profile sq
aws iam get-role-policy --role-name cg-sqs-send-message-cgidt7d3b7gxdc --policy-name cg-sqs --profile sq

The role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:GetQueueUrl",
                "sqs:SendMessage"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:cash_charging_queue"
        }
    ]
}
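To make the privilege path explicit from a defender's side, here is an added example (not part of the original writeup) that evaluates the two policy fragments above with a simplified IAM decision model: explicit Deny wins, otherwise any matching Allow grants. It reports which assumable roles give the user a given SQS action on the cash_charging_queue. The policies are constructed from the page; the account ID placeholder XXXXXXXXXXXX is kept as-is.

```python
import fnmatch

# Constructed from the policy fragments quoted in this writeup.
ROLE_ARN = "arn:aws:iam::XXXXXXXXXXXX:role/cg-sqs-send-message-cgidt7d3b7gxdc"
QUEUE_ARN = "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:cash_charging_queue"

USER_POLICY = {  # what cg-sqs-user holds directly
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
ROLE_POLICY = {  # inline policy cg-sqs attached to the role
    "Version": "2012-10-17",
    "Statement": [{"Action": ["sqs:GetQueueUrl", "sqs:SendMessage"],
                   "Effect": "Allow", "Resource": QUEUE_ARN}],
}
ROLE_POLICIES = {ROLE_ARN: ROLE_POLICY}  # role ARN -> its policy document


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified IAM evaluation: any matching explicit Deny wins over Allow.

    Actions are matched case-insensitively with IAM-style * and ? wildcards;
    resource ARNs are matched case-sensitively. Conditions are not modelled.
    """
    decision = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        matched = (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                   and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def reachable_via_roles(user_policy, role_policies, action, resource):
    """Roles the user may assume whose policy grants `action` on `resource`."""
    return [arn for arn, policy in role_policies.items()
            if allows(user_policy, "sts:AssumeRole", arn)
            and allows(policy, action, resource)]


if __name__ == "__main__":
    for act in ("sqs:SendMessage", "sqs:ReceiveMessage"):
        print(act, "->", reachable_via_roles(USER_POLICY, ROLE_POLICIES, act, QUEUE_ARN))
```

The user has no direct SQS rights, yet the role hop gives it SendMessage on the charging queue; an audit that only lists the user's own policy misses this, which is why the check follows sts:AssumeRole edges.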