Skip to content

Objective #2 - Investigate S3 Bucket

Objective

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

Tip

For a map of the castle, and the location of each elf, select option 3 in the Kringle Kiosk terminal next to this challenge.

Analysis

Objective 2

When you click on the terminal, you're asked to help locate a missing package. Find a file in an unknown AWS S3 container, then unwrap multiple layers of encoding and compression to reveal its contents.

Solution

Step 1: Use the bucket_finder tool to find the location of the AWS S3 bucket that contains the package file. Since the objective states the Wrapper3000 is on the fritz, put wrapper3000 (just a guess!) into the wordlist and run the tool.

$ echo "wrapper3000" > wordlist

$ ./bucket_finder/bucket_finder.rb --download wordlist
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Downloaded> http://s3.amazonaws.com/wrapper3000/package

Step 2: With the contents of the S3 bucket downloaded, inspect the file and find that it's base64 encoded.

$ file wrapper3000/package 
wrapper3000/package: ASCII text, with very long lines

$ cat wrapper3000/package 
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AXyl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIWaJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0okb1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceDQexsLsJ3C89Z/gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA

Step 3: Convert the encoded text back into its original form using base64 command. Since you don't know what the original filename was, simply use "package2". Next with the file command, determine that package2 is a zip archive and use unzip to extract its contents. 

$ cat wrapper3000/package | base64 -d > package2

$ file package2 
package2: Zip archive data, at least v1.0 to extract

$ unzip package2
Archive:  package2
 extracting: package.txt.Z.xz.xxd.tar.bz2

The unzip command tells you that you now have a file named package.txt.Z.xz.xxd.tar.bz2. You may recognize the extensions as various file compression types used on *nix systems. However, you could use the file command or search Google to determine what they are.

  • .bz2 = bzip2 compressed file (use bunzip2)
  • .tar = Tape Archive file (use tar)
  • .xxd = hexdump encoded file (use xxd)
  • .xz = xz compressed file (use unxz)
  • .Z = compressed file (use uncompress)

Step 4: Use the appropriate tool to uncompress or decode each file in turn.

$ bunzip2 package.txt.Z.xz.xxd.tar.bz2

$ tar xf package.txt.Z.xz.xxd.tar

$ cat package.txt.Z.xz.xxd | xxd -r > package.txt.Z.xz

$ unxz package.txt.Z.xz

$ uncompress package.txt.Z

Step 5: Look at the contents of the package.txt file and get the answer to this objective.

$ cat package.txt
North Pole: The Frostiest Place on Earth

Answer: North Pole: The Frostiest Place on Earth