Cloud Security Championships 1: Perimeter Leak

Disclaimer

The Wiz Ultimate Cloud Security Championship is published by Wiz Cloud and consists of monthly CTF challenges starting from June.

In this series of posts, my plan is to describe my solutions, the mistakes and the difficulties I experienced during the challenge - and of course all the learning points.

Perimeter Leak

The CTF is introduced with a short backstory that highlights our goal: get data from an S3 bucket.

After weeks of exploits and privilege escalation you've gained access to what you hope is the final server that you can then use to extract out the secret flag from an S3 bucket. It won't be easy though. The target uses an AWS data perimeter to restrict access to the bucket contents.

The text I get in the terminal points to the start of the challenge: "You've discovered a Spring Boot Actuator application running on AWS" followed by a cURL command.

{
    "timestamp":"2025-10-29T15:28:59.099+00:00",
    "status":400,
    "error":"Bad Request",
    "message":"Something is wrong.  Please contact the folks that run the CTF. Unable to read the S3 bucket.",
    "path":"/"
}

Since I know that it is a Spring Boot Actuator, I look up some common endpoints online, for example /actuator/health or /actuator/env.

Both of them return some data, which raises my hopes. Reading the documentation further, an interesting endpoint is /actuator/mappings.
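As an added hardening example (not the challenge's own configuration, which the post does not show): the Actuator exposure that makes /actuator/env and /actuator/mappings answer over HTTP, next to the restrictive application.properties a production deployment would use. The property names are the standard Spring Boot ones; the file itself is constructed for this post.

```properties
# Weak: every Actuator endpoint is reachable over HTTP, including /actuator/env
# (configuration and environment variables) and /actuator/mappings (full route list).
# management.endpoints.web.exposure.include=*

# Hardened: expose only the health probe over HTTP; everything else stays internal.
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,mappings,heapdump

# Never return property values from /actuator/env, even if it is exposed again later
# (Spring Boot 3.x; 2.x only masks values whose key looks like a secret).
management.endpoint.env.show-values=never

# Health answers without component details to anonymous callers.
management.endpoint.health.show-details=never

# Serve management endpoints on a separate loopback-only port, so a reverse proxy
# in front of the application port never forwards /actuator/* to the internet.
management.server.port=8081
management.server.address=127.0.0.1
```

With this in place the two probes that worked above (/actuator/env and /actuator/mappings) answer 404 on the public port, and the data they leak is only reachable from the host itself.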

In the response of /actuator/mappings I notice an endpoint called proxy.

curl https://ctf:88sPXXXP3p@challenge01.cloud-champions.com/actuator/mappings | jq | grep "proxy"

I am sure that the proxy endpoint will be helpful to get some juicy information about the underlying EC2 instance. Let's try to get its metadata.