Level 2 – Hackoween II #ZomatoCTF

Tip of the Iceberg


This level gives a page with a form to submit some code and an image.
Viewing source of the page reveals a PGP Public key.

Also the odd thing is the image is hosted on Scaleway Object Storage, S3 storage by the same provider where the CTF portal is hosted.
Remove the image path from the URL, just keeping the bucket name (c37r-j9f) shows all the files in the bucket. Yes! Object listing on this bucket is enabled. Download the files.


So we have a plain text file creds (useless), some cryptomator files (also useless), secret_key.asc (which couldn’t be downloaded), an encrypted file and a PGP private key.

Decrypt the creds.txt.gpg file using new_secret_key.asc (the PGP private key).

gpg --import new_secret_key.asc
gpg --decrypt creds.txt.gpg

It reveals AWS Key credentials.


After spending a good time using trying these credentials to try downloading the secret_key.acs file, I tried to check if these credentials are even valid, and it gave this output with some code with characters @@.
Submitted this code on challenge page and it gave the flag.

Also realised these are just tokens by canarytokens.com, which just notifies the admin when used and are of no other use.

Leave a Reply

Your email address will not be published. Required fields are marked *