Cloud - Jimmy Builds a Kite

373 points | 94 solves

Description

Solution

Game

The game is quite straight forward, nothing much that we can do here.

Source code

Checking out the source code, it seems like this game is written in python and the main game logic is in /adventure.py. The game is simple and there are no signs of how to get a flag. At this point, I went back to read the challenge description and it mentioned "really cheap hosting provider". Looking at the challenge URL, the game appears to be hosted on Google cloud and instead of navigating to the given https://jimmys-big-adventure.storage.googleapis.com/index.html, I navigated to https://jimmys-big-adventure.storage.googleapis.com instead.

Root URL

We finally have a lead here. There is a flag.txt in the bucket but accessing it directly returns the code AccessDenied.

AccessDenied

But luckily, there is another file credentials.json that is not protected.

credentials.json

Now, all that is left to do is to figure out how to authenticate using the leaked credentials and call the cloud storage API to retrieve the flag. What I did was to first download the credentials file, run Powershell and set the credentials in the environment using the command: $env:GOOGLE_APPLICATION_CREDENTIALS="<path_to_credentials_json_file>". I then run the following script to get the flag.

# Imports the Google Cloud client library
from google.cloud import storage

# Instantiates a client
storage_client = storage.Client()
bucket = storage_client.get_bucket("jimmys-big-adventure")

blob = bucket.blob("flag.txt")
blob = blob.download_as_string()
blob = blob.decode('utf-8')

print(blob)

Flag: DUCTF{Th0se_cr3ds_w3r3nt_m34nt_2_b33_th3r3}