flaws.cloud Walkthrough | AWS Penetration testing — Level-4

Kapil Verma
4 min readDec 20, 2021

--

Level 4:

URL for the Level 4 is as below:

http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

Level 4:

Let’s go to level 4

We tried directly to access the URL (4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud)

but it needs credentials.

May be the lab3 profile we created has the access to it.

Let’s check from the CLI.

Moreover, As it says it is useful to know that an EC2 snapshot was made after nginx was setup.

So we will use EC2 commands to enumerate

You can search on google for the commands, it’s all documented well on aws docs.

But before describe snapshot we need to get the snapshot id so may be let’s try to ls EC2.

But before that we also need 1 thing that’s called owner id for the profile that we just created using the sts get-caller-identity command which was already shown above:

Account id is the owner id that we will require further:

Okay so, here I got an error saying that region must be defined while creating the profile.

Let’s get the region from the host command.

Now let’s list the snapshots made using the describe command.

Cool, We now have a little details about the snapshot.

Now, We need to create volume of the snapshot that we got.

Let’s check on the aws console.

Now we need to attach this volume to a EC2 instance.

For that first we need to launch an EC2 instance from your AWS console.

Then edit storage and add new and then search for the snapshot id you just created.

Create a new key pair to access this:

From here only you will get the public ip to accesss this instance

for user name we will try to use the default one first.

using ssh -i (pem file just downloaded above) ec2-user@Public IP of the instance, to get the shell.

Now we need to mount the volume which is attached to this EC2 instance

But first let’s what volumes are already mounted here using the df -h command.

As we can see xvda1 is already mounted, now let’s list down the other volumes using lsblk.

So we have the name of the volume as xvdb1.

I tried to mount the xvdb1 to the /mnt directory but it gave an error quoting that I need to be root to do that.

well we can try using the same command with sudo.

Let’s try:

Now let’s check if it’s mounted or not.

S

Cool, we have now got the xvdb1 mounted.

Let’s check in the /mnt/home/

Let’s look inside the ubuntu

Well e have got the user name as flaws and password as nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Let’s try to access that URL again now.

Bingo Let’s move to level 5.

--

--

Kapil Verma

Security researcher, Blogger, Bug Bounty hunter