Cloud - Jimmy Builds a Kite

373 points | 94 solves

Description

Solution

The game is quite straight forward, nothing much that we can do here.

Checking out the source code, it seems like this game is written in python and the main game logic is in /adventure.py. The game is simple and there are no signs of how to get a flag. At this point, I went back to read the challenge description and it mentioned "really cheap hosting provider". Looking at the challenge URL, the game appears to be hosted on Google cloud and instead of navigating to the given https://jimmys-big-adventure.storage.googleapis.com/index.html, I navigated to https://jimmys-big-adventure.storage.googleapis.com instead.

We finally have a lead here. There is a flag.txt in the bucket but accessing it directly returns the code AccessDenied.

But luckily, there is another file credentials.json that is not protected.

Now, all that is left to do is to figure out how to authenticate using the leaked credentials and call the cloud storage API to retrieve the flag. What I did was to first download the credentials file, run Powershell and set the credentials in the environment using the command: $env:GOOGLE_APPLICATION_CREDENTIALS="<path_to_credentials_json_file>". I then run the following script to get the flag.

# Imports the Google Cloud client library
from google.cloud import storage

# Instantiates a client
storage_client = storage.Client()
bucket = storage_client.get_bucket("jimmys-big-adventure")

blob = bucket.blob("flag.txt")
blob = blob.download_as_string()
blob = blob.decode('utf-8')

print(blob)

Flag: DUCTF{Th0se_cr3ds_w3r3nt_m34nt_2_b33_th3r3}

Last updated 2 years ago