Month: November 2019

cloud, hacking

flAWS Level 3 #aws #flaws #flAWS

thefluffy007

Another day, another challenge.

Today’s blog post we will solve the third level of the flAWS CTF challenge.

To read the post for the second level click HERE.

Let’s get started.

Going to the URL: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/, we see:

flaws_level3_landing_page

flaws_level3_landing_page_2

OK, we need to find an AWS key. Let’s see if we can find it.

First, we’re going to run the aws sync command. The sync command synchronize directories in a S3 buckets.

We’re going to enter the following: aws sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ .

Let’s break it down.

  1. We’re calling aws and specifying we want to sync a bucket
  2. We’re specifying the s3 bucket
  3. We’re specifying we want to have the synced files to be in our current folder (.)

After entering the command we get the following:

flaws_level3_aws_sync

We see the bucket is using GitHub. Let’s get the logs.

We’re going to run the git log command, which shows the following:

flaws_level3_aws_git_log

Hmm… we have a commit hash, let’s see if we can get more information.

Executing the command git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61, we see the following:

flaws_level3_aws_git_checkout

Next, we’re going to list the contents of the folder, and see what we find.

flaws_level3_aws_listing

Hmm… there’s an access_key.txt file, let’s see what’s in the file.

Opening the file (type ./access_keys.txt). We see an access_key and secret_access_key!

Let’s try to log into the AWS account.

We’re going to enter the command aws –profile level3 configure.

Let’s break this down

  1. Were stating we want to use aws with a named profile (of a specific user)
  2. We’re specifying the profile (user level3)
  3. We’re specifying configuration variables (from the config file)

Entering the access key, secret access key, region name (we found this in level 1), and pressing enter, we get the command prompt.

flaws_level3_aws_profile

Let’s see if we have access to the bucket.

Entering the command aws –profile level3 s3 ls we see:

flaws_level3_aws_profile_2

The contents are displayed, which means we have successfully gained access to the bucket.

Takeaways from the challenge:

Be careful what you store in git – logs are publicly accessible!

For this challenge, we were able to find access, secret access keys, and log into a AWS bucket all from a git commit message.

cloud, hacking

flAWS Level 2 #aws #flAWS #flaws

thefluffy007

Another day, another challenge.

Today’s blog post we will solve the second level of the flAWS CTF challenge.

To read the post for the first level click HERE.

Let’s get started.

Going to the URL: http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/, we see:

flAWS_level_2_1flAWS_level_2_2

This challenge is similar to the level 1 except we need the free tier AWS account.

To complete that part of the challenge, click HERE.

Let’s list the bucket from level 2 and see if we can find anything.

We’re going to run the command we did in level 1:

aws s3 ls <s3 domain>

We will enter the command: aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/

Doing this we have:

flaws_level2_listing_directory

We have a secret file titled, secret-e4443fc.

Let’s see if we can access this file.

Appending this file to the URL, we get:

flAWS_level2_solved

Yay!! We have solved the challenge.

 

cloud, hacking

flAWS Level 1 #aws #flAWS #flaws

thefluffy007

Another day, another challenge.

In today’s post, we will solve the first challenge of the flAWS CTF.

flAWS CTF explores misconfigurations, and gotchas in AWS.

Let’s get started.

NOTE: I will be using the AWS command line. Which you can download HERE.

Going to the URL, http://flaws.cloud/, we’re presented with:

flAWS_landing_page

Scrolling down we see:

flAWS_level1

From the little bit of information we have this level contains buckets, and we possibly need to view the contents.

In AWS, there is a service called S3 or Simple Storage Service which is used for storing items for the Internet. To store an item you will need to create a bucket (see how everything is starting to come together…). Once the bucket is created, you can add your items to it.

Opening a command prompt we can type the following command

aws s3 ls <s3 domain>

Let’s break down this command.

  1. We’re using the AWS command line (by typing aws)
  2. We’re specifying we want to access the s3 service
  3. We want to list the contents of said bucket (ls = listing)
  4. We’re specify the s3 domain we want to access

In this case we will type aws s3 ls s3://flaws.cloud

Below is the output:

flaws_level1_listing_directory

Hmm… there’s a secret-dd02c7c.html file. Let’s see if we can access it.

Opening a web browser (I’m using Chrome) and entering the following URL: http://flaws.cloud/secret-dd02c7c.html,&nbsp;you should see:

flAWS_level1_solved

Yay! We have solved the challenge, along with getting the URL for level 2.

Look out for another blog post where we solve that challenge.

Takeaway from the challenge –

For this level the bucket was public which means it’s accessible for EVERYONE. If there’s sensitive information that the world should not see, AWS allows for buckets to be private.