Bucket CTF Writeup

Ali Alaa
4 min readMay 24


Hello dudes,
I hope to find you well.

This is Ali Alaa and this is Bucket writeup for CyberDefenders platform’s challenge.

This is a AWS cloud forensics challenge and if you’re trying to find more about this topic you can try Bucket.

So, lets start….

First Question : What is the full AWS CLI command used to configure credentials?

Here you can use your best friend google (**Note never remember every command) so, you can use AWS docs.

Here we go, the answer is : aws configure.

Second Question : What is the ‘creation’ date of the bucket ‘flaws2-logs’?

Here you must use credentials they provided to login here.
After that you login go to Amazon S3 from recently visited then you can see Buckets and it hold flaws2-log.

Amazon S3

Now we get Creation date but get attention to time zone in question he need it in UTC and in Amazon S3 its UTC +02. So, you must decrease 2 hours.

Creation date will transform from 2018–11–19 22:54:31 UTC+2 to 2018–11–19 20:54:31 UTC.

Here we go, the answer is : 2018–11–19 20:54:31 UTC.

Third Question : What is the name of the first generated event -according to time?

We must open “flaws2-log” bucket and navigate till we reach folder called 28/ it holds all logs files for this day and their count are 8 files.

All logs files

Here we must see all logs files based on time and investigate them to see what’s records hold first event occurred. So, log files with oldest modification date it will be first log file to see and so on.

After you select file and downloaded it you can open json file as you want then I uploaded the json file to online json formater.

You can see key called “eventName” in first file.

First event data

Here we go, the answer is : AssumeRole.

Forth Question : What source IP address generated the event dated 2018–11–28 at 23:03:20 UTC?

I used to investigate from oldest to recent logs file so, with this date/time that gave to us to search we will found 2 events at same time one at 2nd old log file with eventName “Invoke” and the other at 3th old log file with eventName ”CreateLogStream”. Here I’ll take the data that founded in 2nd log file.

Source Ip

Here we go, the answer is :

Fifth Question : Which IP address does not belong to Amazon AWS infrastructure?

During investigate one of logs I noticed that there is an accountId called “ANONYMOUS_PRINCIPAL” and it has userAgent diffrent it seems came from browser otherwise userAgent belongs to AWS infrastructure’s ips.

Event data

I found this Ip with its userAgent a lot in logs also after this I tried to find which organization hold this Ip and finally I confirmed that Ip didn’t belong to Amzon Aws infrastructure.

Here we go, the answer is :

Sixth Question : Which user issued the ‘ListBuckets’ request?

At least I searched more than 80% of logs so, maybe I noticed this request with this eventName I return back and found it at 5th log file.
**Note Remember from oldest to recently**

ListBuckets request

Here we go, the answer is : level3.

Seventh Question : What was the first request issued by the user ‘level1’?

By tracing all userNames from first log file I saw there is no clue to confirm that this request send by user X then I moved to 2nd one here I noticed there are more requests initiated by “level1” user so, I got to first request with these data

level1’s request

Here we go, the answer is : CreateLogStream.

At the end ,
I hope you enjoyed this writeup ❤️.

Stay in touch