Tip of the Iceberg

Process:

This level gives a page with a form to submit some code and an image.
Viewing source of the page reveals a PGP Public key.

Also the odd thing is the image is hosted on Scaleway Object Storage, S3 storage by the same provider where the CTF portal is hosted.
Remove the image path from the URL, just keeping the bucket name (c37r-j9f) shows all the files in the bucket. Yes! Object listing on this bucket is enabled. Download the files.

creds
creds.txt.gpg
secret_key.asc
new_secret_key.asc
masterkey.cryptomator
vault.cryptomator

So we have a plain text file creds (useless), some cryptomator files (also useless), secret_key.asc (which couldn’t be downloaded), an encrypted file and a PGP private key.

Decrypt the creds.txt.gpg file using new_secret_key.asc (the PGP private key).

gpg --import new_secret_key.asc
gpg --decrypt creds.txt.gpg

It reveals AWS Key credentials.

Solution:

After spending a good time using trying these credentials to try downloading the secret_key.acs file, I tried to check if these credentials are even valid, and it gave this output with some code with characters @@.
Submitted this code on challenge page and it gave the flag.

Also realised these are just tokens by canarytokens.com, which just notifies the admin when used and are of no other use.