flaws.cloud walkthrough | AWS penetration testing — Level-6

Kapil Verma
4 min read · Dec 22, 2021


Examples of this problem

  • Nicolas Grégoire discovered that Prezi allowed you to point their servers at a URL to include as content in a slide, and this allowed you to point them at 169.254.169.254, which provided the access keys for the EC2 instance profile (link). He also found issues with access to that magic IP in Phabricator and Coinbase.

A similar problem to exposing the IAM instance profile's access keys is exposing the EC2 instance's user-data, which people sometimes use to pass secrets such as API keys or credentials to the instance.

Avoiding this mistake

Ensure your applications do not allow requests to 169.254.169.254 or to any loopback, link-local or private IP range. Additionally, restrict the IAM role attached to the instance to the minimum permissions it actually needs, so that leaked credentials are worth as little as possible.
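The check above, as an added example that is not code from the original post: a deny-list test an application can apply to a user-supplied target address before fetching it, plus the instance-side hardening (IMDSv2) that makes the metadata service harder to reach through an SSRF. The check is IPv4 only and assumes the caller has already resolved the hostname; a real implementation must test every address the name resolves to, including IPv6, and normalize alternate spellings (decimal, octal, zero-padded) before comparing. The instance ID in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh; the only external
# dependency is the AWS CLI for enforce_imdsv2.
set -eu

# Dotted quad -> 32-bit integer (no validation: callers pass resolved IPv4).
ip_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Returns 0 (true) when the address lies in a range an outbound fetch must
# never reach: link-local (where 169.254.169.254 lives), loopback, RFC 1918
# private space, carrier-grade NAT and "this network".
is_blocked_target() {
  addr=$(ip_to_int "$1")
  for cidr in 169.254.0.0/16 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 \
              192.168.0.0/16 100.64.0.0/10 0.0.0.0/8; do
    net=$(ip_to_int "${cidr%/*}")
    bits=${cidr#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( addr & mask )) -eq $(( net & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# Instance-side hardening (assumed usage; the caller needs
# ec2:ModifyInstanceMetadataOptions): require IMDSv2 session tokens and keep
# the token hop limit at 1, so a plain GET to 169.254.169.254 relayed through
# the application no longer returns the instance profile's credentials.
enforce_imdsv2() {
  aws ec2 modify-instance-metadata-options --instance-id "$1" \
      --http-tokens required --http-put-response-hop-limit 1
}

# Usage:
#   is_blocked_target 169.254.169.254 && echo refuse   # metadata service
#   is_blocked_target 93.184.216.34   || echo allow    # public address
#   enforce_imdsv2 i-0123456789abcdef0                 # hypothetical instance id
```

The deny-list is deliberately applied to the resolved address rather than to the URL string: a hostname under the attacker's control can resolve to 169.254.169.254 at request time, and a check on the literal text of the URL never sees it. IMDSv2 closes the other half of the problem, since the PUT request needed to obtain a session token is not something a typical SSRF primitive can issue.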

Let’s start with Level 6.

Level 6

For this final challenge, you’re getting a user access key that has the Security Audit policy attached to it. See what else it can do and what else you might find in this AWS account.

Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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

Let’s create a new AWS CLI profile, level6, holding these keys.

With the profile configured, let’s enumerate the user.

First, run get-user with the level6 profile to find out the user name.

The user name is Level6, which we will use to list the policies attached to the user with the list-attached-user-policies command.

Here we can see three policies attached to the user.

Once you know the ARN for a policy, you can get its default version ID with get-policy.

With the ARN and the version ID, get-policy-version returns the actual policy document, so you can see what the policy allows.

The interesting policy grants access to an API Gateway resource (the resource ARN contains restapi-).

A REST API in API Gateway is usually backed by a Lambda function, so the next step is to list the Lambda functions.

The first attempt fails because no region was configured for the profile, so reconfigure the profile with the region (us-west-2) and run it again:

aws lambda list-functions --profile level6

Now run lambda get-policy on the function. The function’s resource policy says which API Gateway REST API is allowed to invoke it.

From that policy we get the rest-api-id, s33ppypa75, and the function name, level6.

Next, enumerate API Gateway using that rest-api-id.

The API description itself doesn’t reveal much.

What we need is get-stages, which lists the deployed stages of the REST API.

The output gives us the stage name, Prod.

With the rest-api-id, the region and the stage name, we can build the invoke URL (https://{rest-api-id}.execute-api.{region}.amazonaws.com/{stage}):

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod

Requesting the stage root alone returns a “missing authentication token” message. That is what API Gateway returns for any path with no resource defined on it, so it does not mean the API is actually protected.

We already know the function name is level6 and that the function’s resource policy allows it to be invoked through a GET request, so let’s append that path and try again:

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6/
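The whole Level 6 enumeration chain as one script, added here as an example and not code from the original post. It assumes the AWS CLI v2 is installed and that a profile named level6 holds the challenge keys; the values in the usage comment (s33ppypa75, us-west-2, Prod, level6) are the ones the walkthrough recovers. The AWS calls are wrapped in functions so nothing runs until you call them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: aws CLI v2 on PATH and
# a profile "level6" configured with the challenge access key and secret.
set -eu

PROFILE=level6
REGION=us-west-2     # the region the walkthrough ends up configuring

# Who am I, which managed policies are attached, and what do they allow?
# (get-user -> list-attached-user-policies -> get-policy -> get-policy-version)
enumerate_identity() {
  user=$(aws iam get-user --profile "$PROFILE" \
           --query User.UserName --output text)
  echo "user: $user"
  for arn in $(aws iam list-attached-user-policies --profile "$PROFILE" \
                 --user-name "$user" --query 'AttachedPolicies[].PolicyArn' \
                 --output text); do
    ver=$(aws iam get-policy --profile "$PROFILE" --policy-arn "$arn" \
            --query Policy.DefaultVersionId --output text)
    echo "== $arn (version $ver)"
    aws iam get-policy-version --profile "$PROFILE" --policy-arn "$arn" \
        --version-id "$ver" --query PolicyVersion.Document
  done
}

# Lambda functions and their resource policies. The resource policy is what
# names the API Gateway REST API (and method/path) allowed to invoke each one.
enumerate_lambda() {
  for fn in $(aws lambda list-functions --profile "$PROFILE" --region "$REGION" \
                --query 'Functions[].FunctionName' --output text); do
    echo "== lambda $fn"
    aws lambda get-policy --profile "$PROFILE" --region "$REGION" \
        --function-name "$fn" --query Policy --output text
  done
}

# Deployed stages of a REST API; each stage is a separately reachable deployment.
enumerate_stages() {
  aws apigateway get-stages --profile "$PROFILE" --region "$REGION" \
      --rest-api-id "$1" --query 'item[].stageName' --output text
}

# Invoke URL from rest-api-id, region, stage and resource path.
invoke_url() {
  printf 'https://%s.execute-api.%s.amazonaws.com/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Call the API. No AWS credentials are sent: if this succeeds, the method has
# no authorizer and the function is reachable by anyone who knows the path.
fetch_api() {
  curl -sS "$(invoke_url "$@")"
}

# Usage (values recovered in the walkthrough):
#   enumerate_identity
#   enumerate_lambda
#   enumerate_stages s33ppypa75
#   fetch_api s33ppypa75 us-west-2 Prod level6
```

The lesson this chain makes concrete is that SecurityAudit is read-only but not harmless: it is enough to walk from an IAM user to the exact URL of an unauthenticated API, and the final request needs no credentials at all.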
