Now Hiring

Introduction

Location - Unknown

  1. Now Hiring!

Difficulty: 3/5

What is the secret access key for the Jack Frost Tower job applications server? Brave the perils of Jack's bathroom to get hints from Noxious O. D'or.

Conversations


aws link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html


Solution

https://apply.jackfrosttower.com/

Loading the page shows it's an application portal.

Checking out the application submittal page shows that one of the forms is for a URL to a Naughty List Background Investigation (NLBI) report.

I had initially submitted the application with the NLBI URL as 127.0.0.1. I got redirected to a page that said submission accepted.

I realized that I needed to use the Amazon-defined link-local address 169.254.169.254. When I submitted this I got a completely different response back.

When I looked at the HTTP request history in Burp, I saw that the image that wasn't rendering was actually text that contained the response of an HTTP request to the IMDS endpoint URL I had included.

I also realized that the images in the Opportunities page I had looked at earlier that didn't render properly were also IMDS endpoints, with 1.jpg being latest, 2.jpg being jf-deploy-role, 3.jpg being latest, and 4.jpg being openssh-key.

And what am I looking for here, the API Key? No, the "secret access key". Ah, ok, I need to append the top-level categories AFTER /latest/meta-data/. I submitted another application with /latest/meta-data/iam/, then requested the test.jpg image to see the results.

/latest/meta-data/iam/security-credentials only contained the jf-deploy-role.

/latest/meta-data/iam/security-credentials/jf-deploy-role held the SecretAccessKey I was looking for.

{
  "Code": "Success",
  "LastUpdated": "2021-05-02T18:50:40Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
  "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
  "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
  "Expiration": "2026-05-02T18:50:40Z"
}

Submitting the Access Key above popped the objective and unlocked some additional story entries.

http://169.254.169.254/latest/meta-data/
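The portal fetched whatever was entered in the NLBI URL field, which is what let a request reach the metadata service. The check below is an added example, not code from the challenge or from this write-up: it shows how a server could refuse such a URL before fetching it. The function names and the injectable `resolver` parameter are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolver=_resolve):
    """True only if url is http(s) and every resolved address is public.

    Checks resolved addresses rather than the URL string, so a host name
    that points at 169.254.169.254 is rejected like the literal address.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addresses = [ipaddress.ip_address(a.split("%")[0])
                     for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return False  # unresolvable or malformed input: fail closed
    if not addresses:
        return False
    for ip in addresses:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before classifying.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, link-local (IMDS) and private ranges.
        if not ip.is_global:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample submissions, modelled on the values in the write-up.
    for candidate in ("http://127.0.0.1/",
                      "http://169.254.169.254/latest/meta-data/",
                      "169.254.169.254"):
        print(candidate, "->", is_safe_fetch_url(candidate))
```

The fetcher must then connect to the address that was validated and refuse redirects, otherwise a second lookup or a 3xx response can still land on the metadata service.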

