flaws.cloud walkthrough | AWS penetration testing — Level-6

Examples of this problem

  • Nicolas Grégoire discovered that Prezi allowed you to point their servers at a URL to include as content in a slide, and this allowed you to point to 169.254.169.254, which provided the access key for the EC2 instance profile (link). He also found issues with access to that magic IP with Phabricator and Coinbase.

A similar problem to getting access to the IAM profile’s access keys is access to the EC2 instance’s user-data, which people sometimes use to pass secrets such as API keys or credentials to the instance.

Avoiding this mistake

Ensure your applications do not allow access to 169.254.169.254 or any local and private IP ranges. Additionally, ensure that IAM roles are restricted as much as possible.

Let’s start with Level 6.

Level 6

For this final challenge, you’re getting a user access key that has the Security Audit policy attached to it. See what else it can do and what else you might find in this AWS account.

Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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

Let’s create a new profile.

Now that we have created the profile, let’s enumerate the user.

First, use the get-user command with the level6 profile to get the user name.

The user name is Level6, which we will use to list the policies attached to the user with the list-attached-user-policies command.

Here we can see 3 policies attached to the user.

Once you know the ARN for the policy, you can get its version ID:

Now that you have the ARN and the version ID, you can see what the actual policy is:

Now, since the resource is an API Gateway REST API (restapi-), it will probably invoke a Lambda function.

So now we can list the Lambda functions.

We forgot to configure the region; let’s reconfigure the profile and run the command again.

aws lambda list-functions --profile level6

Now, run get-policy on the function.

From the above output we got the rest-api-id s33ppypa75; the function name is level6.

Now we need to enumerate API Gateway.

Well, nothing much in the above details.

We need to run get-stages for the REST API.

From the above output we can get the stage name.

Using the stage name we can construct the URL, which will be:

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod

Okay, it does need some auth token.

But since we already know the function name is level6, which handles the GET request, let’s try to access:

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6/
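The same reasoning the walkthrough applies by hand (read the function’s resource policy from get-policy, pull the rest-api-id and route out of the execute-api SourceArn, then combine them with the stage name from get-stages) is what an auditor runs to inventory which Lambda functions are reachable through API Gateway. The helper below is an added example, not code from the flaws.cloud challenge or this post; the sample policy is constructed to match the shape of `aws lambda get-policy` output, and the account ID and RevisionId in it are placeholders.

```python
import json
import re
from typing import Dict, List

# Constructed sample shaped like `aws lambda get-policy` output: the "Policy"
# field is itself a JSON string. The account ID and RevisionId are placeholders.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17", "Id": "default",
        "Statement": [{
            "Sid": "placeholder-sid", "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:111111111111:function:level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:111111111111:s33ppypa75/*/GET/level6"}},
        }]}),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# arn:aws:execute-api:<region>:<account>:<rest-api-id>/<stage>/<method>/<path>
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):[^:]*:(?P<api>[^/]+)"
    r"/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$")

def api_gateway_routes(get_policy_output: str) -> List[Dict[str, str]]:
    """Return the execute-api routes allowed to invoke this function."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    routes = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "apigateway.amazonaws.com":
            continue
        # SourceArn may sit under ArnLike or ArnEquals, as a string or a list.
        for operator in stmt.get("Condition", {}).values():
            arns = operator.get("AWS:SourceArn", [])
            for arn in ([arns] if isinstance(arns, str) else arns):
                match = EXECUTE_API_ARN.match(arn)
                if match:
                    routes.append(match.groupdict())
    return routes

def invoke_urls(get_policy_output: str, stages: List[str]) -> List[str]:
    """Build invoke URLs; a '*' stage is expanded over the stages from get-stages."""
    urls = []
    for r in api_gateway_routes(get_policy_output):
        for stage in (stages if r["stage"] == "*" else [r["stage"]]):
            urls.append(f"https://{r['api']}.execute-api.{r['region']}"
                        f".amazonaws.com/{stage}/{r['path']}/")
    return urls
```

Feeding it the Level 6 policy and the stage list ["Prod"] yields exactly the URL constructed above; in your own account, any route this returns for a function you did not expect to be public is worth checking for an authorizer.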

Security researcher, Blogger, Bug Bounty hunter
Kapil Verma