flaws.cloud
Level 1
Flaw: Permission misconfiguration: anyone could list the bucket contents.
List the bucket contents for flaws.cloud
Get the html file
Level 2
Configure the AWS CLI with an Access Key ID and Secret Access Key
Flaw: Any authenticated AWS user could list the bucket contents
List the bucket contents for the URL using an AWS account
Get the secret html file
Level 3
Flaw: Bucket listing permissions for everyone and leaked access keys in git commits
List the bucket contents for the URL using the AWS profile
Download the .git folder
Check the git logs
Check the first commit
Check the commit contents
Create a profile using the credentials
Enter the AKIA access key ID and the secret access key from the git commit
List all the buckets for the newly created profile
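The Level 3 flaw is a key pair that was committed to a repository and survived in the history. The scanner below, an added example that is not part of the walkthrough or of flaws.cloud, is the kind of check a pre-commit hook or CI job runs over staged content: it matches the AKIA access-key-ID format and a secret access key in an assignment context, and masks them so a finding can be logged without repeating the secret. The sample blob is constructed and uses the placeholder keys from AWS's own documentation.

```python
import re

# IAM user access key IDs are "AKIA" followed by 16 upper-case alphanumerics;
# the credential leaked in the Level 3 commit had this form.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of [A-Za-z0-9/+]. On their own that is
# too generic to match, so require a "secret ... key" label in front of them.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws[ _]?)?secret(?:[ _]?access)?[ _]?key\s*[=:]?\s*['\"]?([A-Za-z0-9/+]{40})['\"]?"
)


def scan_for_aws_keys(text):
    """Return one finding per match: {'kind', 'value', 'line'} (line is 1-based)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"kind": "access_key_id", "value": m.group(1), "line": lineno})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"kind": "secret_access_key", "value": m.group(1), "line": lineno})
    return findings


def redact(text):
    """Mask matched keys (keep first/last 4 chars) so output can be logged safely."""
    def mask(m):
        v = m.group(1)
        return m.group(0).replace(v, v[:4] + "*" * (len(v) - 8) + v[-4:])
    text = ACCESS_KEY_ID_RE.sub(mask, text)
    return SECRET_KEY_RE.sub(mask, text)


# Constructed sample, shaped like a committed access_keys.txt. Both values are
# the placeholder keys from AWS documentation, not real credentials.
SAMPLE_COMMIT_BLOB = """\
access_key AKIAIOSFODNN7EXAMPLE
secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in scan_for_aws_keys(SAMPLE_COMMIT_BLOB):
        print(f"line {f['line']}: {f['kind']}")
    print(redact(SAMPLE_COMMIT_BLOB))
```

Run this over `git show <commit>` output or over every object in the history (`git rev-list --all | xargs git show`), not only the working tree: the Level 3 secret was removed in a later commit but was still recoverable from the first one.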
Level 4
Flaw: Snapshot of EC2 instance made public
Use nslookup to get the region of the snapshot:
nslookup 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud
Region: us-west-2
Using the flaws-l3 profile, look for EC2 snapshots
Get the account ID for the flaws-l3 keys
List the EC2 snapshots for that owner
Mount the volume from the snapshot ID in your own account:
Create an EC2 instance in the us-west-2 region
Attach the snapshot as an extra volume
Connect to the EC2 instance using ssh with the key pair chosen while setting up the instance
Mount the volume
sudo file -s /dev/xvdf1
sudo mount /dev/xvdf1 /mnt
Look around in the snapshot
We get credentials in /home/ubuntu/setupNginx.sh
flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
Enter the credentials here
Terminate the EC2 instance
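Levels 1, 2 and 4 are the same class of flaw: a resource shared with a global group rather than a specific principal. The checks below are an added example (not part of the walkthrough or of flaws.cloud) that evaluate the JSON an account owner gets back from `aws s3api get-bucket-acl` and `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`; the two group URIs and the `"Group": "all"` permission are the real AWS values, while the sample documents are constructed.

```python
# Real S3 predefined-group URIs: the first is "everyone", the second is
# "any AWS account" (the Level 2 flaw: authenticated does not mean authorized).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_bucket_grants(acl):
    """Grants in a get-bucket-acl result that target a global group.

    Returns (group, permission) tuples such as ("AllUsers", "READ");
    READ on a bucket is exactly "anyone can list the bucket" (Level 1).
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            found.append((uri.rsplit("/", 1)[1], grant["Permission"]))
    return found


def snapshot_is_public(attr):
    """True when createVolumePermission includes the 'all' group, i.e. any
    AWS account can create (and mount) a volume from the snapshot (Level 4)."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def snapshot_shared_with(attr):
    """Account IDs explicitly granted createVolumePermission (cross-account sharing)."""
    return [p["UserId"] for p in attr.get("CreateVolumePermissions", []) if "UserId" in p]


def findings(acl, snapshot_attr):
    """Human-readable summary of both checks for a report."""
    out = [f"bucket grants {perm} to {group}" for group, perm in public_bucket_grants(acl)]
    if snapshot_is_public(snapshot_attr):
        out.append(f"snapshot {snapshot_attr.get('SnapshotId')} is public")
    for account in snapshot_shared_with(snapshot_attr):
        out.append(f"snapshot {snapshot_attr.get('SnapshotId')} shared with {account}")
    return out


# Constructed sample ACL: owner has FULL_CONTROL, everyone has READ (list),
# and the log-delivery group has WRITE, which is a normal logging grant.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

# Constructed sample snapshot attribute; the snapshot id is a placeholder.
SAMPLE_SNAPSHOT_ATTR = {
    "SnapshotId": "snap-0123456789abcdef0",
    "CreateVolumePermissions": [{"Group": "all"}],
}

if __name__ == "__main__":
    for line in findings(SAMPLE_ACL, SAMPLE_SNAPSHOT_ATTR):
        print(line)
```

The remediation for the snapshot is `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group all`; for the bucket, S3 Block Public Access at the account level stops both global-group ACL grants from taking effect.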
Level 5
Flaw: exposed proxy which doesn't restrict access to the instance's metadata server and private IP range
The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves.
Each EC2 instance has metadata available on a magic private IP address 169.254.169.254 (only the instance itself can access it). The juiciest part of this metadata is the credentials for the instance profile (if one is set), which can be retrieved through a web request to http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/.
Get the metadata listing
We get credentials at this URL
Configure the profile using the keys
Add the Access Key ID, Secret Access Key and Session Token to /.aws/credentials
List the contents of the level6 bucket
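The Level 5 proxy forwarded any URL it was given, including the metadata address. A proxy that must fetch user-supplied URLs should refuse internal destinations before connecting. The guard below is an added example, not code from the walkthrough or from flaws.cloud: it treats link-local (the 169.254.0.0/16 range where IMDS lives), private, loopback and similar addresses as internal, judges IP literals directly, resolves hostnames and rejects a name if any answer is internal, and handles the IPv4-mapped IPv6 form of the metadata address, which would otherwise pass a plain IPv4 comparison. The resolver is pluggable so the checks run offline with a stub; the stub table is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(hostname):
    """Default resolver: every A/AAAA answer for the name (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def _is_internal(ip):
    """True for addresses a public-facing proxy must never fetch from."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the metadata address in IPv4-mapped IPv6 form;
    # judge it by the embedded IPv4 address or the link-local check is skipped.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_link_local      # 169.254.0.0/16 and fe80::/10 (IMDS)
            or addr.is_private      # RFC1918 and fc00::/7 (covers fd00:ec2::254)
            or addr.is_loopback
            or addr.is_unspecified
            or addr.is_reserved
            or addr.is_multicast)


def is_blocked_target(url, resolve=resolve_host):
    """True when the proxy must refuse to fetch url."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    host = parts.hostname  # brackets stripped for IPv6 literals
    try:
        # IP literal: decide without DNS.
        return _is_internal(host)
    except ValueError:
        pass
    # Hostname (this includes forms like a bare decimal integer, which
    # ipaddress rejects but getaddrinfo may still resolve): resolve it and
    # require every answer to be external. Unresolvable names fail closed.
    try:
        answers = resolve(host)
    except (OSError, LookupError):
        return True
    return not answers or any(_is_internal(ip) for ip in answers)


# Constructed stub resolver for offline use; 93.184.216.34 stands in for a
# public address, meta.internal is a name pointed at the metadata service.
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "meta.internal": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.7"],
}


def stub_resolve(hostname):
    return STUB_DNS[hostname]


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://example.com/"):
        print(u, "blocked" if is_blocked_target(u, stub_resolve) else "allowed")
```

Resolving once in the check and again in the HTTP client leaves a DNS-rebinding window; connect to the address that passed the check rather than re-resolving the name. Independently of the proxy, requiring IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`) means a plain GET through a forwarding proxy no longer returns credentials.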
Level 6
Flaw: Extra permissions given to policies
Create a profile using the provided credentials
Get other info about the profile
List the IAM policies attached to the user
Get more info on the policy list_apigateways
Get the version of the policy
The policy tells us we can GET on the resource arn:aws:apigateway:us-west-2::/restapis/*
Enumerating the other policy, MySecurityAudit, lets us see some things about lambdas.
List the lambda functions
Get the policy for the function
Use the API ID s33ppypa75 and get the stage. That tells you the stage name is "Prod". Lambda functions are called using that rest-api-id, stage name, region, and resource as:
Format: https://<API-id>.execute-api.<region>.amazonaws.com/<stage-name>/<resource>
API-id: s33ppypa75
Region: us-west-2
Stage: Prod
Resource: level6
URL: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
On visiting the URL it displays another URL, which is the final URL
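Level 6 turns on a policy whose resource is `arn:aws:apigateway:us-west-2::/restapis/*` plus an audit policy broad enough to read Lambda configuration. The audit below is an added example, not code from the walkthrough or from flaws.cloud: it walks a policy document as returned by `aws iam get-policy-version` and flags Allow statements whose Action or Resource contains a wildcard or uses a `Not*` element, which is where "extra permissions" usually hide. It also builds the invoke URL from the format stated above. The sample policy is constructed; only the apigateway resource ARN comes from the walkthrough.

```python
def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Allow statements with wildcard actions/resources or Not* elements.

    Returns dicts with Sid, Action, Resource and the list of reasons.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "NotAction" in stmt or "NotResource" in stmt:
            reasons.append("Not* element grants everything except the listed values")
        if any(a == "*" for a in actions):
            reasons.append("Action allows every API call")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("Action allows every call in a service")
        if any(r == "*" for r in resources):
            reasons.append("Resource is unrestricted")
        elif any("*" in r for r in resources):
            reasons.append("Resource uses a wildcard")
        if reasons:
            findings.append({"Sid": stmt.get("Sid"), "Action": actions,
                             "Resource": resources, "reasons": reasons})
    return findings


def build_invoke_url(api_id, region, stage, resource):
    """API Gateway invoke URL in the format given in the walkthrough."""
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}/{resource.lstrip('/')}"


# Constructed sample policy. The first statement mirrors the list_apigateways
# grant from the walkthrough; the others are illustrative.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListApis", "Effect": "Allow", "Action": "apigateway:GET",
         "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"},
        {"Sid": "Audit", "Effect": "Allow",
         "Action": ["lambda:ListFunctions", "lambda:GetPolicy"], "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/level6.html"},
    ],
}

if __name__ == "__main__":
    for f in find_overbroad_statements(SAMPLE_POLICY):
        print(f["Sid"], "->", "; ".join(f["reasons"]))
    print(build_invoke_url("s33ppypa75", "us-west-2", "Prod", "level6"))
```

A wildcard is not automatically wrong (a read-only audit role legitimately lists functions across the account), but each flagged statement should be justified; the fix for the first one is to name the specific REST API ARN instead of `/restapis/*`.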