python3 thunder.py destroy
Your virtual environment must be active to use thunder.py:
source ../env-tctf/bin/activate
python3 thunder.py create thunder/a1openbucket
For each level of this ctf, you will be tasked with exploiting various vulnerable cloud infrastructure in order to find the "secret" of each level, which is a large integer stored somewhere in the infrastructure
The secret for this level is in a file in a Google Cloud Storage bucket. On level creation, you are given the bucket name, and it is written to start/a1openbucket.txt
Each level of this ctf has a set of detailed hints that can guide you through the level, but we strongly encourage you to try as hard as you can to figure out the challenges using the least number of hints possible, as this is how you will learn the most. The hints can be accessed by clicking the "next" button next to "Intro"
List the bucket's contents
The command to do so is:
gsutil ls gs://[bucket-name]
Download the secret file
The command to do so is:
gsutil cp gs://[bucket-name]/secret.txt .
Open storage buckets are the cause of a significant number of data breaches. With the move to the cloud comes a move to a different security model, one that many developers and administrators find difficult to secure. Many data breaches have occured when sensitive information has been placed into storage buckets in the cloud that are effectively public including breaches impacting the Republican National Committee, Verizon, Dow Jones, and GoDaddy. Automated tools such as Bucket Stream and search engines such as BuckHacker can be used to find such buckets easily. Many cloud services proactively scrape the Internet for potential exposed keys in order to notify project owners.