[HV22.11] Santa’s Screenshot Render Function

Santa has been screenshotting NFTs all year. Now that the price has dropped, he has resorted to screenshotting websites. It’s impossible that this may pose a security risk, is it?

You can find Santa’s website here: https://hackvent.deathspirate.com

Solution

So, we got a website, which is not running inside a docker container, which is suspicious. Looking at the website, it seems quite simple. I give it an URL, it takes a screenshot of it and returns it back to me.

I went down a few rabbit holes. First, I tried to find out which browser this is using and used websites which enumerate browser capabilities for that. Next, I tried to use some other URI prefixes like file:// or chrome:// to find out things, but none of them worked.

Since the website (not on the screenshot, sorry) says it’s proudly hosted on AWS, I thought that this might be a hint; usually, all the challenges are hosted on hacking labs docker infrastructure.

The basic question was, what can be reached by this VM in AWS, what can’t be reached from the web. After lots of research, I stumbled about the fact, that most cloud providers (AWS, Azure) offer link local IP addresses which only the resources can interact with.

Entering http://169.254.169.254/latest/meta-data/ and ta-daa, we got something! When we explore this a bit, we find an endpoint at http://169.254.169.254/latest/meta-data/iam/security-credentials/ which gives us a few sensitive information:

Using this token, I could use the aws cli to find a secrets manager which held the flag HV22{H0_h0_h0_H4v3_&_M3r2y-Xm45_Yarr222_<3_Pirate}