Level 2 of flaws.cloud is located at http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/. The author provides us with a hint that we're going to need a free AWS account to complete this level. I'm not going to show you how to sign up for AWS, create a user with API keys or download and configure the AWS CLI because all of that has been done else where and my re-iterations won't provide you or I any value.
Instead I'm going to assume you've got the AWS CLI running and are ready to go. Just to refresh we're on an AWS hosted website and we need to find a flag. We know that the author likes to host websites on s3, so we'll try some of the techniques from the last tutorial.
A lot of offensive security is trial and error, which is a fancy way of saying guessing. In a traditional environment we'd take guesses at some of the malicous characters that would dump SQL errors or the types of encodings that can bypass filtering on XSS or SQL injection. For this level we'll take a guess that the site is hosted on s3, and using the rules I discussed in the last post we'll assume that the bucket name is the same as the domain, which would mean our buckets name is level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.
We can head on over to the AWS s3 access point over at https://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.s3.us-west-2.amazonaws.com . Which will provide us with this XML tree:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>YXQXTJMXFJD1H6JY</RequestId>
<HostId>
5x4NfnQht5RocFNtbPIA2KDbSj9b4cLm61GU4A80nGsLqBwcf5R8/qMES1v1Mu7z839C9QlFpIw=
</HostId>
</Error>
This shows us that our bucket does indeed exist, if it didn't the access point would have provided this error:
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>MADEUPBUCKETNAME</BucketName>
<RequestId>DN4KZM9ZHQC1DQQM</RequestId>
<HostId>
npQ+aV7p0CMJ1tqMXz9kWeCEPy8xEVLFniXRv26IvoBWmyKf93LwB6gE6ZFl80gyCFraolDp1CQ=
</HostId>
</Error>
Notice how even things like errors and access denial can still provide us with a map of the infrastructure. In more complex offensive scenarios things like timing and even sound can provide valuable clues.
So we know our buckets name, it's region and that it's owner wisened up to lock out public access. Where do we go from here? Well the author did say that we needed AWS credentials lets put them to use. Note the entirety of the AWS CLI documentation can be found here https://docs.aws.amazon.com/cli/latest/index.html .
Let's see if we can list all of the objects in this bucket by using the ls command like so:
17:32:28 ~ $ aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
2017-02-26 21:02:15 80751 everyone.png
2017-03-02 22:47:17 1433 hint1.html
2017-02-26 21:04:39 1035 hint2.html
2017-02-26 21:02:14 2786 index.html
2017-02-26 21:02:14 26 robots.txt
2017-02-26 21:02:15 1051 secret-e4443fc.html
Bingo, we now can see all of the objects in this bucket. Let's checkout the secret page by heading on over to http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html
Once again we have a misconfigured bucket that allows the GetObject and ListBucket result permissions. Although these permissions are slightly better than the last levels they really are basically the same as public permissions because everyone can make an AWS account in less than 15 minutes.
To remediate this situation the developer would have to permit the ListBucketResult action to that of the individual(s) within their organization. In order to hide the secret page the developer could use the Deny clause on the Effect key to explicitly block the public from accessing the bucket like so. An example of this statement is shown below:
"Statement": [
"Sid": "AllowListAndGetToPublic",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
],
"Resource": "arn:aws:s3:::level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html"
]
Top comments (1)
Nice article. Don't forget to mention that AWS announced that all new buckets will not be public by default anymore. Therefore this misconfiguration is pretty much over. With that in mind, million of existing buckets are still misconfigured. I always find interesting results in grayhatwarfare bucket search engine.