Introduction
This year's Holiday Hack Challenge was an interesting mix of challenges, including web app hacking, SQL injection, and VHDL programming. One challenge in particular involved abusing a field in a web form for a Server-Side Request Forgery (SSRF) that can be used to steal an access key to Amazon Web Services. My writeup will focus on how the SSRF in the application can also be abused to download the application source, enumerate the container running the application, and reverse-engineer it to run a local copy. I'll also detail ways in which an attacker can leverage a Local File Inclusion (LFI) vulnerability to read more than just files: for example, running processes or open network connections can be determined as well.
My writeup doesn't include any of the other challenges. For the ones I don't cover, I recommend reading these writeups, as they're much more complete than mine:
- @CraHan's writeup is always excellent, available here.
- @JeshuaErickson, available here
- @0xdf, excellent as usual, read it here
- Kyle_Parrish_ / Arnydo, go here to read it.