This series of posts captures the footprints of my journey through Capture The Flag on The Big IAM Challenge – Round 3.
Challenge 3
Upon examining the IAM policy, it’s evident that subscribing to the specified SNS topic is necessary. However, lacking access to email addresses within the “tbic.wiz.io” domain makes it hard to capture the communication between the SNS topic and my designated endpoint. My initial strategy involves developing a Lambda function to intercept this traffic.
After several attempts to run my Lambda function invoked by an HTTP API, I failed to achieve what I wanted. The lesson here is that I need to improve my programming skills. Interestingly, I found existing web tools that can do the same. I use Beeceptor to listen for HTTP and API requests. Beeceptor gives you a subdomain to test your application against. Keep the endpoint page open and you instantly see all incoming requests to the subdomain via WebSockets.
I create a custom endpoint to which HTTP requests can be sent: hinson.free.beeceptor.com
Next, I move forward with subscribing to the SNS topic at The Big IAM Challenge through this endpoint, with the endpoint string ending in “@tbic.wiz.io”.
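The post does not reproduce the challenge policy, so the following is an added example, not the challenge's own policy or code: a small evaluator for the kind of IAM condition described above, where sns:Subscribe is allowed only when sns:Endpoint ends with “@tbic.wiz.io”. It assumes the permission is expressed as a StringLike condition on sns:Endpoint, and shows the tightening a policy reviewer would want: additionally pinning sns:Protocol (a real SNS condition key) to “email”, so that a suffix match on an HTTPS URL is no longer sufficient. Both policy documents and the sample endpoint are constructed.

```python
"""
Added example, not code from the original post or the challenge: evaluate
an sns:Subscribe permission that is conditioned on the endpoint string.

Assumptions (the challenge's real policy is not reproduced on this page):
  - the permission is a StringLike condition on sns:Endpoint;
  - the hardened variant also pins sns:Protocol to "email".
Both policy documents below are constructed for illustration.
"""
import fnmatch

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sns:Subscribe",
        "Resource": "*",
        "Condition": {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}},
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sns:Subscribe",
        "Resource": "*",
        "Condition": {
            "StringLike": {"sns:Endpoint": "*@tbic.wiz.io"},
            "StringEquals": {"sns:Protocol": "email"},
        },
    }],
}


def _condition_block_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate an IAM Condition block: every operator/key pair must hold.

    Only the two string operators used above are modelled. A context key that
    is absent from the request makes the condition fail, as in IAM.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringLike":
                # IAM's '*' matches any run of characters, '/' included,
                # and StringLike is case-sensitive, like fnmatchcase.
                if not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            elif operator == "StringEquals":
                if actual not in values:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def subscribe_allowed(policy: dict, protocol: str, endpoint: str) -> bool:
    """True if some Allow statement grants sns:Subscribe for this request.

    Deny statements are not modelled; the constructed policies have none.
    """
    ctx = {"sns:Protocol": protocol, "sns:Endpoint": endpoint}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if "sns:Subscribe" not in actions:
            continue
        if _condition_block_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    # Constructed endpoint in the style the post describes: an HTTPS URL
    # whose string happens to end with the required suffix.
    https_endpoint = "https://hinson.free.beeceptor.com/notify@tbic.wiz.io"
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "email:", subscribe_allowed(policy, "email", "someone@tbic.wiz.io"))
        print(name, "https:", subscribe_allowed(policy, "https", https_endpoint))
```

The point for a defender is that sns:Endpoint is an opaque string: a suffix match proves nothing about the delivery protocol, so any condition meant to restrict subscriptions to a mail domain should also constrain sns:Protocol.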
Note: possible reasons why Beeceptor is still able to intercept the HTTP traffic even though its own domain does not carry the suffix that was used to subscribe to the SNS topic:
Wildcard: The domain name system (DNS) configuration or SSL/TLS certificates might use wildcards or be set up in a way that doesn’t restrict subdomains correctly. As a result, a Beeceptor endpoint that shouldn’t receive data could intercept it if it is part of the broader domain but doesn’t match the exact suffix.
Webhook Forwarding or Proxying: In some architectures, webhooks or notifications are first received by a central service, which then forwards them to the final destination. If this service doesn’t correctly filter based on the endpoint’s suffix, it might inadvertently forward messages to unintended recipients.
Opening my tailored endpoint, I am able to see the intercepted HTTP response, with the flag presented in the Message attribute.
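Since the post's Lambda function is not shown, here is an added example (not the author's code) of the minimal logic an HTTP endpoint subscribed to an SNS topic needs. SNS delivers JSON documents by HTTP POST and labels each one with the x-amz-sns-message-type header; a SubscriptionConfirmation carries a SubscribeURL that must be visited before deliveries start, and a Notification carries the published Message, which is where the flag appeared above. The handler also does what a defender would want: it refuses messages for any topic other than the one it was configured for, and accepts a SubscribeURL only on the AWS SNS host. The sample payloads, topic ARN and message body are constructed; field names follow the documented SNS message format. Signature verification (Signature and SigningCertURL) is out of scope here and must be added before trusting Message contents in production.

```python
"""
Added example, not code from the original post: classify one HTTP POST
from SNS and extract what the receiver needs from it.
"""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed samples of the two SNS delivery types that matter here.
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"

SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "Token": "constructed-token",
    "TopicArn": SAMPLE_TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic ...",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=" + SAMPLE_TOPIC_ARN + "&Token=constructed-token",
    "Timestamp": "2024-01-01T00:00:00.000Z",
})

SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "MessageId": "66666666-7777-8888-9999-000000000000",
    "TopicArn": SAMPLE_TOPIC_ARN,
    "Subject": "constructed subject",
    "Message": "constructed message body (the challenge flag is not reproduced)",
    "Timestamp": "2024-01-01T00:00:01.000Z",
})


@dataclass
class SnsAction:
    action: str                     # "confirm", "deliver" or "ignore"
    topic_arn: str
    subscribe_url: Optional[str] = None
    message: Optional[str] = None
    subject: Optional[str] = None


def handle_sns_post(headers: dict, body: str, expected_topic_arn: str) -> SnsAction:
    """Parse one SNS POST. Raises ValueError on malformed or unexpected input."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    header_type = hdrs.get("x-amz-sns-message-type")
    if header_type is None:
        raise ValueError("missing x-amz-sns-message-type header")

    doc = json.loads(body)
    if doc.get("Type") != header_type:
        raise ValueError("message type in header and body disagree")

    # Never act on a message for a topic this receiver was not set up for:
    # otherwise anyone could make the endpoint confirm arbitrary subscriptions.
    topic_arn = doc.get("TopicArn", "")
    if topic_arn != expected_topic_arn:
        raise ValueError(f"unexpected topic {topic_arn!r}")

    if header_type == "SubscriptionConfirmation":
        url = doc["SubscribeURL"]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Only follow confirmation links on the SNS service host over HTTPS
        # (adjust the suffix for other AWS partitions).
        if parsed.scheme != "https" or not host.startswith("sns.") \
                or not host.endswith(".amazonaws.com"):
            raise ValueError("SubscribeURL does not point at the SNS service")
        return SnsAction("confirm", topic_arn, subscribe_url=url)
    if header_type == "Notification":
        return SnsAction("deliver", topic_arn,
                         message=doc["Message"], subject=doc.get("Subject"))
    if header_type == "UnsubscribeConfirmation":
        return SnsAction("ignore", topic_arn)
    raise ValueError(f"unknown SNS message type {header_type!r}")


def is_rejected(headers: dict, body: str, expected_topic_arn: str) -> bool:
    """Convenience wrapper: True if the handler refuses this POST."""
    try:
        handle_sns_post(headers, body, expected_topic_arn)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    hdr = {"X-Amz-Sns-Message-Type": "Notification"}
    print(handle_sns_post(hdr, SAMPLE_NOTIFICATION, SAMPLE_TOPIC_ARN).message)
```

Wiring this into a Lambda behind an HTTP API is a matter of passing the event's headers and body into handle_sns_post, fetching subscribe_url on a "confirm" result, and logging or storing message on a "deliver" result.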
Having navigated the intricacies of leveraging Beeceptor to intercept HTTP responses from an SNS topic, it’s clear that this method offers a powerful tool for developers and security professionals alike. By routing SNS notifications through Beeceptor, we’ve demonstrated a streamlined approach to monitoring and debugging real-time data flows, and a more efficient way to capture the flag in various security and development scenarios.