Continuing cloud pentesting: the second version of flaws covers tactics for engaging AWS cloud infrastructure: identifying AWS services, reading container environment variables, and accessing the metadata service.
Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.
Level 1 - Identify AWS Services
Identify AWS Service
IP: 52.216.27.155 identified
AWS S3 Bucket identified: s3-website-us-east-1.amazonaws.com
Bypass PIN Code
To bypass it, enter letters or words into a parameter that the code expects to be an integer.
Access the S3 website URL http://flaws2.cloud.s3-website-us-east-1.amazonaws.com/
Form request: the form submits to https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1234
Enter a non-numeric value in the URI: https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=g
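The level-1 weakness is an input handler that trusts its `code` parameter to be an integer and answers a parse failure with a debug dump that includes the function's environment. The following is an added example, not code from the original post or from flaws2.cloud: a minimal handler showing that bug class next to a hardened version that validates the raw parameter and returns a generic error. `DEMO_ENV`, `CODE_RE`, `EXPECTED_CODE` and the four-digit PIN format are assumptions for the demo, and the values are placeholders.

```python
import json
import re

# Constructed stand-in for the function's process environment (a real runtime
# populates it; these values are placeholders, not real credentials).
DEMO_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIA-PLACEHOLDER-KEY-ID",
    "AWS_SECRET_ACCESS_KEY": "placeholder-secret-access-key",
    "AWS_SESSION_TOKEN": "placeholder-session-token",
}

# Assumption for the demo: the PIN is exactly four decimal digits.
# "[0-9]" is deliberate: int() would also accept "1_234", " 1234" and
# non-ASCII digits, so a regex over the raw string is the stricter gate.
CODE_RE = re.compile(r"[0-9]{4}")
EXPECTED_CODE = "4321"  # placeholder; the real level's PIN is not part of this example


def vulnerable_handler(event):
    """The bug class: a parse failure is answered with a debug dump
    that includes the whole environment, credentials included."""
    try:
        code = int(event["queryStringParameters"]["code"])
    except (KeyError, TypeError, ValueError) as exc:
        return {"statusCode": 500,
                "body": json.dumps({"error": str(exc), "env": DEMO_ENV})}
    return {"statusCode": 200,
            "body": json.dumps({"ok": str(code) == EXPECTED_CODE})}


def hardened_handler(event):
    """Validate the raw parameter up front and never echo internals."""
    params = event.get("queryStringParameters") or {}
    code = params.get("code")
    if not isinstance(code, str) or CODE_RE.fullmatch(code) is None:
        # Generic message: no exception text, no stack trace, no environment.
        return {"statusCode": 400,
                "body": json.dumps({"error": "code must be exactly four digits"})}
    return {"statusCode": 200,
            "body": json.dumps({"ok": code == EXPECTED_CODE})}


def response_leaks_credentials(response):
    """True if any value from the demo environment appears in the response body."""
    body = response["body"]
    return any(value in body for value in DEMO_ENV.values())


if __name__ == "__main__":
    bad_request = {"queryStringParameters": {"code": "g"}}
    print("vulnerable leaks:", response_leaks_credentials(vulnerable_handler(bad_request)))
    print("hardened leaks:  ", response_leaks_credentials(hardened_handler(bad_request)))
```

Beyond the validation, the larger fix is to keep long-lived keys out of the function's environment altogether and let the function use its execution role, so there is nothing for an error path to leak.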
AWS Keys Discovered
Connect to S3 Bucket with Credentials
Modify ~/.aws/credentials and ~/.aws/config
List contents of S3 Bucket
secret discovered.
The next level is at http://level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud
Level 2 - Container Environment Variables
This next level is running as a container at http://container.target.flaws2.cloud/.
ECR Instance
All flaws2 resources are located in us-east-1.
Discover the account ID
account: 653711331788
List flaws2 images
List ECR Images (if the ECR repository is public)
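An ECR repository becomes pullable by anyone when its repository policy grants read actions to an anonymous principal. The following is an added example, not code from the original post or from flaws2.cloud: a small policy checker that flags such statements, so a defender can run it over `aws ecr get-repository-policy` output before an image with baked-in secrets is exposed. The two sample policies are constructed, the account number in the scoped policy is a placeholder, and the function names are assumptions.

```python
import json

# Read-side ECR actions: any one of these, granted to everyone, lets anyone pull.
# Stored lower-case because IAM action names are matched case-insensitively.
READ_ACTIONS = {
    "ecr:batchgetimage", "ecr:getdownloadurlforlayer",
    "ecr:batchchecklayeravailability", "ecr:listimages", "ecr:describeimages",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(action):
    """Match an Action string, including wildcards such as ecr:* or ecr:Get*."""
    pattern = action.lower()
    if pattern in ("*", "ecr:*"):
        return True
    if pattern.endswith("*"):
        return any(a.startswith(pattern[:-1]) for a in READ_ACTIONS)
    return pattern in READ_ACTIONS


def public_read_grants(policy_text):
    """List (Sid, matching actions, has_condition) for every Allow statement that
    hands read access to an anonymous principal. A statement with a Condition is
    still reported (flag True) because the condition decides whether it is safe.
    NotPrincipal/NotAction forms are not evaluated here and need manual review."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = sorted(a for a in _as_list(stmt.get("Action", [])) if _grants_read(a))
        if actions:
            findings.append((stmt.get("Sid", ""), actions, "Condition" in stmt))
    return findings


# Constructed sample: world-readable repository (the situation the level relies on).
PUBLIC_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowAnyonePull",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                   "ecr:BatchCheckLayerAvailability"],
    }],
})

# Constructed sample: pull restricted to one account (placeholder account ID).
SCOPED_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowOwnAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
})

if __name__ == "__main__":
    print("public:", public_read_grants(PUBLIC_POLICY))
    print("scoped:", public_read_grants(SCOPED_POLICY))
```

Even a correctly scoped policy does not fix the other half of the level-2 problem: secrets or internal links copied into an image layer stay in the image for anyone who can pull it, so keep them out of the build context and pass them at run time instead.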
Connect to Docker with AWS
This pipes the output of aws ecr get-login-password into docker login so that the image can be downloaded.
Pull the Docker Image from ECR
Docker Inspect
Run the Docker Image
Level 3 Link
The link is found in the Docker image's web root, at /var/www/html/index.htm.
link: http://level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud
Level 3 - Metadata Services at 169.254.170.2
The container’s webserver you got access to includes a simple proxy that can be accessed with: http://container.target.flaws2.cloud/proxy/http://flaws.cloud or http://container.target.flaws2.cloud/proxy/http://neverssl.com
AWS Credentials on 169.254.170.2
EC2 instances contain credentials at 169.254.170.2/v2/GUID, where the GUID is found in the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
Linux Environment Variables
Read the container's environment variables through the proxy:
http://container.target.flaws2.cloud/proxy/file:///proc/self/environ
Call the metadata service at 169.254.170.2 using the variable captured above: ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/efd02f49-194c-477b-9fa5-2b408352ac1e
Using the captured AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/f536c20a-9a31-4f65-8f4e-0a201a72f7b0, request:
http://container.target.flaws2.cloud/proxy/http://169.254.170.2//v2/credentials/f536c20a-9a31-4f65-8f4e-0a201a72f7b0
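The level-3 proxy fetches whatever URL it is handed, including file:// paths and the link-local credential endpoint, which is the classic SSRF route to container credentials. The following is an added example, not code from the original post or from flaws2.cloud: the target check a defender would put in front of such a proxy. It rejects non-HTTP schemes, literal or IPv4-mapped addresses in non-public ranges, and hostnames that resolve to them, so 169.254.170.2 and the EC2 metadata address 169.254.169.254 are both refused. The function names, the blocklist and the resolver table used in the test are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach. 169.254.0.0/16 covers the
# ECS credential endpoint (169.254.170.2) and the EC2 instance metadata service
# (169.254.169.254); the rest are loopback, private and other non-public ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """All addresses a name resolves to (assumption: DNS is reachable)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_blocked(text):
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.170.2 by the embedded IPv4
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_proxy_target(url, resolver=default_resolver):
    """Return (allowed, reason): only http(s) to a host whose every address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)  # a name: check every address it maps to
        except OSError:
            return False, f"cannot resolve {host!r}"
    if not addresses:
        return False, f"cannot resolve {host!r}"
    for addr in addresses:
        try:
            if address_is_blocked(addr):
                return False, f"{host!r} maps to blocked address {addr}"
        except ValueError:
            return False, f"unexpected address {addr!r} for {host!r}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://flaws.cloud", "file:///proc/self/environ",
                      "http://169.254.170.2//v2/credentials/placeholder",
                      "http://[::ffff:169.254.170.2]/"):
        print(candidate, "->", check_proxy_target(candidate))
```

The check must be applied to the resolved address that the proxy then actually connects to (resolve once, connect to that IP), otherwise a DNS rebinding answer can pass the check and still hit the endpoint. The credential endpoint itself cannot be removed from an ECS task, so pair this with a task role that holds only the permissions the container needs.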
Access the S3 bucket with the credentials
Add the credentials to ~/.aws/credentials
List contents of S3 Bucket
Navigate to “the-end” URL http://the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud/