CyberKavach QuestCon Series: Hawkins National Lab

-

 


Hawkins National Lab

Welcome to another installment in the CyberKavach QuestCon write-up series! This time, we’re delving into "Hawkins Lab SSRF", a hands-on web security challenge inspired by Stranger Things, exploring server-side request forgery, cloud abuse, and chained exploitation.

Author: Madhura Barve

Challenge Details

  • Category: Web Exploitation / Cloud Security

  • Core Focus: Server-Side Request Forgery (SSRF), AWS Credential Extraction, S3 Bucket Access

  • Flag Format: questcon{...}


Story & Purpose

A mysterious breach rocked the Hawkins National Laboratory, exposing classified data to the Upside Down. Participants must use cybersecurity and web exploitation skills to retrieve a secret flag deep within the digital labs.

This challenge is crafted to teach SSRF concepts, chained web/cloud attacks, and S3 bucket exploitation using an emulated (containerized) cloud stack.


Challenge Infrastructure

Core components included:

  • webapp: Node.js/Express frontend for user interaction.

  • meta, redirector: Microservices simulating metadata and redirection.

  • localstack: AWS emulator for S3/credentials.

  • flag.txt: Hidden file containing the flag within the S3 bucket.

Image Placement #1:
Screenshot of the webapp interface in a browser, showing the initial challenge prompt or submission box.


Step-by-Step Solution

1. Access the Webapp

Open the interface (usually at http://localhost:8080) to submit URLs for fetching.

2. Test SSRF Functionality

Submit a non-malicious URL such as http://example.com to see normal behavior.

3. Probe for Metadata

Attempt to access the cloud metadata endpoint:

http://169.254.169.254/latest/meta-data/iam/security-credentials/lab-role

This is blocked by server-side filters.

4. Discover the Redirector

Experimenting with internal URLs leads to the redirector service. This open redirect can be leveraged to reach internal metadata endpoints by chaining requests.

5. SSRF Exploit, Credential Extraction

Craft a payload such as:

http://redirector/meta/169.254.169.254/latest/meta-data/iam/security-credentials/lab-role

This triggers the redirector to fetch cloud metadata, returning AWS temporary credentials.

6. Set Up AWS CLI Access

Configure your terminal session using the credentials:

text

export AWS_ACCESS_KEY_ID=CTFTESTAKIAEXAMPLE

export AWS_SECRET_ACCESS_KEY=CTFTESTSECRETEXAMPLE

export AWS_SESSION_TOKEN=CTFTESTTOKENEXAMPLE


(For PowerShell: $env:VAR="value")

7. Retrieve the Flag from S3

Use the AWS CLI with a custom endpoint to talk to the localstack S3 emulator:

aws --endpoint-url=http://localhost:4566 s3 cp s3://hawkins-upside-down/flag.txt -


The flag prints to your terminal upon success.


The Flag

questcon{upside_down_bucket_DEADBEEF}


Lessons Learned

  • SSRF, when chained with internal redirects, can lead to high-severity cloud credential leaks.

  • Cloud meta-data services represent a significant attack surface in modern web apps.

  • Mitigate by validating user-supplied URLs, using strict allowlists, and restricting server outbound permissions.

Image Placement #4:
Diagram or flowchart illustrating the SSRF chain from web app → redirector → metadata service → S3.


Stay vigilant! Even "small" web flaws can have major Upside Down consequences.

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more