
ACECTF 2025 - web - Bucket List

Misconfigured S3 buckets can expose the flag


Initial Analysis

Challenge Description

You know what a bucket list is? It's a list of wishes people want to achieve before they leave this world. But isn't it ironic? How can you know when your time will come? Instead of waiting, it's better to enjoy every moment and seize every opportunity.

One of my wishes, though, is to pet a cat. Do you mind checking this one out? So cute.

Investigating the URL

The given URL:

https://opening-account-acectf.s3.ap-south-1.amazonaws.com/fun/can_we_get_some_dogs/026.jpeg

This clearly indicates that the challenge is hosted on Amazon S3.

The URL opened an image of a cute cat. To explore further, I attempted to navigate to:

https://opening-account-acectf.s3.ap-south-1.amazonaws.com/fun/can_we_get_some_dogs

But this returned an error:

<Error>
<Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>fun/can_we_get_some_dogs/</Key>
</Error>

Exploring the S3 Bucket

Next, I navigated to /fun, which triggered a file download. However, the file was empty (0 KB), providing no useful clues.

Then I requested the bucket root, which returned a full listing of the bucket’s contents. Among the directories, I found some interesting paths:

  • l33t-h4x0r/flag_here/041.png
  • l33t-h4x0r/flag_here/078.jpeg
  • l33t-h4x0r/flag_here/082.jpeg

These were just random images with no useful information. However, I kept looking and found something promising:

Finding the Secret File

One interesting directory stood out:

cry-for-me/acectf/secret.txt

When I accessed this file, it contained encoded data. It looked like Base64 encoding. Decoding it revealed the flag:

QUNFQ1RGezdoM180dzVfMTVfbTE1YzBuZjE2dXIzZH0=
Decoded: ACECTF{7h3_4w5_15_m15c0nf16ur3d}

Conclusion

This challenge demonstrated how a misconfigured S3 bucket can expose sensitive data: because anonymous listing and object reads were permitted, we could enumerate the bucket’s contents and retrieve the flag from an unrestricted file.
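As an added example (not part of the original writeup), the Python helper below shows how an owner auditing their own bucket can tell a public `ListBucketResult` apart from a `NoSuchKey` error, pull the object keys out of a listing, flag names that suggest sensitive data, and safely decode a Base64 object body. The XML bodies and sizes are constructed samples modelled on the responses shown above; the `SENSITIVE` pattern is an assumption to be tuned per environment.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of what an anonymous GET on the bucket root returns
# when s3:ListBucket is granted to everyone. Key names mirror the writeup.
LISTING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>opening-account-acectf</Name>
  <Contents><Key>fun/can_we_get_some_dogs/026.jpeg</Key><Size>48213</Size></Contents>
  <Contents><Key>l33t-h4x0r/flag_here/041.png</Key><Size>10240</Size></Contents>
  <Contents><Key>cry-for-me/acectf/secret.txt</Key><Size>45</Size></Contents>
</ListBucketResult>"""

# Constructed sample of the NoSuchKey error body quoted in the writeup.
ERROR_XML = """<Error><Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>fun/can_we_get_some_dogs/</Key></Error>"""

# Assumed key-name patterns that should never be reachable anonymously.
SENSITIVE = re.compile(r"secret|flag|passw|credential|\.env$|\.pem$|\.key$", re.I)

def classify_response(body: str) -> str:
    """Return 'listing', 'error:<Code>' or 'other' for an S3 XML response body."""
    root = ET.fromstring(body)
    tag = root.tag.replace(S3_NS, "")  # listings carry the S3 namespace, errors do not
    if tag == "ListBucketResult":
        return "listing"
    if tag == "Error":
        return "error:" + (root.findtext("Code") or "unknown")
    return "other"

def list_keys(body: str) -> List[str]:
    """Extract every object key from a ListBucketResult body (empty if not a listing)."""
    if classify_response(body) != "listing":
        return []
    return [k.text for k in ET.fromstring(body).iter(S3_NS + "Key") if k.text]

def sensitive_keys(body: str) -> List[str]:
    """Keys in a public listing whose names suggest data that should not be exposed."""
    return [k for k in list_keys(body) if SENSITIVE.search(k)]

def decode_base64_text(blob: str) -> Optional[str]:
    """Decode a Base64 object body to text, or None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
```

A listing response from an anonymous request is itself the finding: any bucket that returns `ListBucketResult` without credentials has public listing enabled, whatever the key names look like.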

This post is licensed under CC BY 4.0 by the author.