| 1 | +--- |
| 2 | +title: Penetration Testing on AWS - Part Two - Flaws.Cloud Walkthrough |
| 3 | +date: 2024-12-15 20:00:00 +0000 |
| 4 | +categories: [Cloud, AWS] |
| 5 | +tags: [Cloud, AWS, Vuln, CTF, Penetration test] |
| 6 | +--- |
| 7 | + |
| 8 | +## Introduction |
| 9 | + |
| 10 | +Flaws.cloud is an interactive platform created by Scott Piper of Summit Route, serving as an educational tool for Amazon Web Services (AWS) security concepts. Designed as a Capture The Flag (CTF) challenge, it offers an engaging and fun way to learn the basics of AWS security. The platform includes challenges and tutorials to enhance participants’ understanding of AWS security, covering topics like misconfigurations and defensive analysis. |
| 11 | + |
| 12 | +## Challenge Overview |
| 13 | +This challenge comprises a series of levels, six levels to be exact, designed to teach some common mistakes made when using Amazon Web Services (AWS) including IAM, EC2, S3, and more, and how to exploit them. A series of hints are provided to assist in teaching how to discover the information needed to pass each challenge. |
| 14 | + |
| 15 | +### Disclaimer: |
| 16 | +I recommend everyone attempt this challenge themselves before reading through this article to test their own skills and capabilities. |
| 17 | + |
| 18 | +## The Setup |
| 19 | +For this challenge we will need to be able to interact with AWS resources. To do this we will use AWS CLI (Command Line Interface). I will install this on my kali instance, but installation should be the same for any 64-bit Linux distro. |
| 20 | +``` |
| 21 | +sudo apt install aws |
| 22 | +``` |
| 23 | +Check that it’s installed: |
| 24 | +``` |
| 25 | +aws --version |
| 26 | +``` |
| 27 | + |
| 28 | +Once it is installed, we will need to configure it. |
| 29 | +To do this you need to sign up for an AWS account (free tier is fine, we don’t need to pay anything). You can do this at their website here. |
| 30 | + |
| 31 | +Once you have signed up for an account you will need to get your keys to use with the CLI. |
| 32 | + |
| 33 | +Sign in to the Amazon AWS portal, click on your name in the top right and select My Security Credentials. Now click on the Access Keys (access key ID and secret access key) option. You should be prompted with creating new ones (or if you have set them up already you will see them there). When you create you will see a pop-up box, copy this info out for the next command. |
| 34 | + |
| 35 | +Now we can input the keys with: |
| 36 | +``` |
| 37 | +aws configure |
| 38 | +``` |
| 39 | +Now follow the prompts and put the keys. |
| 40 | +You should be ready to go! |
| 41 | +**Note:** For better experience use `US-WEST-2` as region as that is what is used for the flaws challenge and it will save you some hassle if you forget to specify the region within a command. |
| 42 | + |
| 43 | +Note that the above will set the default profile with those keys. You can run |
| 44 | +`aws configure --profile PROFILENAME` to configure a new profile. With a new profile you can use any command and specify the profile with `--profile PROFILENAME`. |
| 45 | +This is important for managing lots of accounts and preventing you from having to reset your defaults all the time during tests. |
| 46 | + |
| 47 | +## Level 1 |
| 48 | + |
| 49 | +There is a hint saying that this level is buckets of fun and that we need to find the first sub-domain. |
| 50 | +Lets get the IP address (A Record) of flaws.cloud |
| 51 | +``` |
| 52 | + nslookup flaws.cloud |
| 53 | +
|
| 54 | + > flaws.cloud |
| 55 | +Server: 127.0.0.53 |
| 56 | +Address: 127.0.0.53#53 |
| 57 | +
|
| 58 | +Non-authoritative answer: |
| 59 | +Name: flaws.cloud |
| 60 | +Address: 52.92.237.43 |
| 61 | +Name: flaws.cloud |
| 62 | +Address: 52.92.189.107 |
| 63 | +Name: flaws.cloud |
| 64 | +Address: 52.92.136.99 |
| 65 | +Name: flaws.cloud |
| 66 | +Address: 52.92.229.235 |
| 67 | +Name: flaws.cloud |
| 68 | +Address: 52.92.177.115 |
| 69 | +Name: flaws.cloud |
| 70 | +Address: 52.92.139.19 |
| 71 | +Name: flaws.cloud |
| 72 | +Address: 52.92.146.11 |
| 73 | +Name: flaws.cloud |
| 74 | +Address: 52.218.219.50 |
| 75 | +``` |
| 76 | + |
| 77 | +Now, lets do an reverse look-up on 54.231.184.251 |
| 78 | + |
| 79 | +``` |
| 80 | + > 52.92.237.43 |
| 81 | +43.237.92.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com. |
| 82 | +
|
| 83 | +Authoritative answers can be found from: |
| 84 | +92.52.in-addr.arpa nameserver = x1.amazonaws.com. |
| 85 | +92.52.in-addr.arpa nameserver = x2.amazonaws.com. |
| 86 | +92.52.in-addr.arpa nameserver = x3.amazonaws.org. |
| 87 | +92.52.in-addr.arpa nameserver = x4.amazonaws.org. |
| 88 | +92.52.in-addr.arpa nameserver = pdns1.ultradns.net. |
| 89 | +``` |
| 90 | + |
| 91 | +It's an s3 static website in the `us-west-2` region. |
| 92 | + |
| 93 | +If you using a custom domain (e.g. flaws.cloud) for you S3 hosted static site, then the bucket name must match the domain name. |
| 94 | + |
| 95 | +This tells us the bucket name is _flaws.cloud_ |
| 96 | + |
| 97 | +The URL format for S3 HTTP end points are as follows: `s3-<region>.amazonaws.com/<bucketname>` |
| 98 | + |
| 99 | +So given the information we have, we can tell that the s3 end point for this bucket is: [http://s3-us-west-2.amazonaws.com/flaws.cloud](http://s3-us-west-2.amazonaws.com/flaws.cloud). Browse there, and you'll get an XML response referencing the following files within the bucket. |
| 100 | + |
| 101 | +Or we can use the `aws cli` to get more information: |
| 102 | + |
| 103 | +To start with, lets list the contents of the flaws.cloud bucket: `aws s3 ls s3://flaws.cloud --no-sign-request` |
| 104 | +>The `--no-sign-request` flag in the `aws s3 ls s3://flaws.cloud` command tells the AWS CLI to list the contents of the specified S3 bucket **without using any authentication** |
| 105 | +``` |
| 106 | +aws s3 ls s3://flaws.cloud/ --no-sign-request |
| 107 | +
|
| 108 | +2017-03-13 23:00:38 2575 hint1.html |
| 109 | +2017-03-02 23:05:17 1707 hint2.html |
| 110 | +2017-03-02 23:05:11 1101 hint3.html |
| 111 | +2024-02-21 21:32:41 2861 index.html |
| 112 | +2018-07-10 12:47:16 15979 logo.png |
| 113 | +2017-02-26 20:59:28 46 robots.txt |
| 114 | +2017-02-26 20:59:30 1051 secret-dd02c7c.html |
| 115 | +``` |
| 116 | + |
| 117 | +We can see that contents listed includes some hints and also a secret document which is a HTML page. |
| 118 | + |
| 119 | +Copy the html document name and append it to the flaws.cloud url like so `http://flaws.cloud/secret-dd02c7c.html` and browse there and you should see the following screen! |
| 120 | +``` |
| 121 | +| || | / || |__| |/ ___/ |
| 122 | +| __|| | | o || | | ( \_ |
| 123 | +| |_ | |___ | || | | |\__ | |
| 124 | +| _] | || _ || ` ' |/ \ | |
| 125 | +| | | || | | \ / \ | |
| 126 | +|__| |_____||__|__| \_/\_/ \___| |
| 127 | +
|
| 128 | +# Congrats! You found the secret file! |
| 129 | +
|
| 130 | +Level 2 is at [http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud](http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/) |
| 131 | +``` |
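Review bot: the install command in The Setup, `sudo apt install aws`, will not resolve to a package; on Kali and other Debian-based distributions the AWS CLI package is named `awscli` (`sudo apt install awscli`), and the following `aws --version` check would fail until that is fixed. In the same section, the region note recommends `US-WEST-2`, but AWS region identifiers are lowercase and the post's own output shows `s3-website-us-west-2.amazonaws.com` and `us-west-2`; the configured value should be `us-west-2` to match. In Level 1, the sentence "lets do an reverse look-up on 54.231.184.251" names an address that appears nowhere in the preceding nslookup output, while the reverse lookup shown is for `52.92.237.43`; one of the two should be corrected so the walkthrough is consistent. "You can do this at their website here." has lost its link target. Since the level's takeaway is that an anonymous `aws s3 ls --no-sign-request` succeeds, it would help readers if the post closed the level with the defensive point: the listing works only because the bucket grants `s3:ListBucket` to everyone, and S3 Block Public Access or a bucket policy without a public list grant prevents it. Minor wording: "If you using a custom domain (e.g. flaws.cloud) for you S3 hosted static site" should read "If you are using ... for your S3-hosted static site"; "The URL format for S3 HTTP end points are as follows" should be "is as follows"; "a HTML page" should be "an HTML page"; "Lets" should be "Let's" in both places it appears.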