cloud, hacking

flAWS Level 3 #aws #flaws #flAWS

Another day, another challenge.

Today’s blog post we will solve the third level of the flAWS CTF challenge.

To read the post for the second level click HERE.

Let’s get started.

Going to the URL: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/, we see:

flaws_level3_landing_page

flaws_level3_landing_page_2

OK, we need to find an AWS key. Let’s see if we can find it.

First, we’re going to run the aws sync command. The sync command synchronize directories in a S3 buckets.

We’re going to enter the following: aws sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ .

Let’s break it down.

  1. We’re calling aws and specifying we want to sync a bucket
  2. We’re specifying the s3 bucket
  3. We’re specifying we want to have the synced files to be in our current folder (.)

After entering the command we get the following:

flaws_level3_aws_sync

We see the bucket is using GitHub. Let’s get the logs.

We’re going to run the git log command, which shows the following:

flaws_level3_aws_git_log

Hmm… we have a commit hash, let’s see if we can get more information.

Executing the command git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61, we see the following:

flaws_level3_aws_git_checkout

Next, we’re going to list the contents of the folder, and see what we find.

flaws_level3_aws_listing

Hmm… there’s an access_key.txt file, let’s see what’s in the file.

Opening the file (type ./access_keys.txt). We see an access_key and secret_access_key!

Let’s try to log into the AWS account.

We’re going to enter the command aws –profile level3 configure.

Let’s break this down

  1. Were stating we want to use aws with a named profile (of a specific user)
  2. We’re specifying the profile (user level3)
  3. We’re specifying configuration variables (from the config file)

Entering the access key, secret access key, region name (we found this in level 1), and pressing enter, we get the command prompt.

flaws_level3_aws_profile

Let’s see if we have access to the bucket.

Entering the command aws –profile level3 s3 ls we see:

flaws_level3_aws_profile_2

The contents are displayed, which means we have successfully gained access to the bucket.

Takeaways from the challenge:

Be careful what you store in git – logs are publicly accessible!

For this challenge, we were able to find access, secret access keys, and log into a AWS bucket all from a git commit message.

Leave a Reply