flaws.cloud walkthrough | AWS penetration testing — Level-6

Examples of this problem

A similar problem to getting access to the IAM profile’s access keys is access to the EC2’s user-data, which people sometimes use to pass secrets to the EC2 such as API keys or credentials.

Avoiding this mistake

Ensure your applications do not allow access to 169.254.169.254 or any local and private IP ranges. Additionally, ensure that IAM roles are restricted as much as possible.

Let’s start with the Level 6

Level 6

For this final challenge, you’re getting a user access key that has the Security Audit policy attached to it. See what else it can do and what else you might find in this AWS account.

Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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

Let’s create a new profile.

Now, Since we have created the profile let’s enumerate the user.

First use get-user command for the profile level6 to get the username.

User name is Level6 which we will use to list the attached policies with the user, using the list-attached-user command.

Here we can see 3 policies attached with the user.

Once you know the ARN for the policy you can get it’s version id:

Now that you have the ARN and the version id, you can see what the actual policy is:

Now, since the resource is API.

restapi- will probably use lamba function.

So, Now we can list lambda function.

We missed to configure the region. let’s reconfigure the profile.

lambda list-functions — profile level6

Now, get-policy.

From above we got the rest-api-id as s33ppypa75 function name is level6.

Now we need to enumerate api gateway.

Well nothing much on the above details.

We need to see for function get-stages.

From the above stage name we can get the stage.

Using the stage name we can create the URL.

so the URL will be.

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod

Okay well it does need some auth token.

But since we already know the function name is level6 which will call the get request.

let’s try to access.

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store