mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Create fLAWS2.md
This commit is contained in:
parent
f9ca8c5173
commit
d74d63d7c5
1 changed files with 106 additions and 0 deletions
106
AWS CTF/fLAWS2/fLAWS2.md
Normal file
106
AWS CTF/fLAWS2/fLAWS2.md
Normal file
|
@ -0,0 +1,106 @@
|
|||
# flAWS 2 - Attacker Path
|
||||
flAWS 2 is the continuation of fLAWS CTF which is focused for teaching about AWS (Amazon Web Services) pentesting, which introduces issues in Lambda and ECR and to exploit them, it's hosted on `http://flaws2.cloud/` so we don't need to setup anything for AWS. I'll be focusing on doing the Attacker path and this path includes 3 levels
|
||||
|
||||
|
||||
<img src="https://i.imgur.com/CNct7Sh.png"/>
|
||||
|
||||
## Level 1
|
||||
|
||||
### Finding AWS Access and Session
|
||||
|
||||
The page asks us to enter a 100 digit pin code
|
||||
|
||||
<img src="https://i.imgur.com/oeAdAqV.png"/>
|
||||
|
||||
If we try to see what request is made at the backend in the network tab from developer tools
|
||||
|
||||
<img src="https://i.imgur.com/HxORZHB.png"/>
|
||||
|
||||
It's making a request to `https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1` with the value of the `code` so it must be evaluating from the backend whether the code is valid . As we learned from fLAWS (prequel to fLAWS2) that it's used to make API requests, where `2rfismmoo8` is `rest-api-id` , `level` is the stage/function . This resource in AWS is known as `AWS Lambda` which is baiscally used to run code or make API requests
|
||||
|
||||
On making an invalid request like putting characters instead of numbers we'll get an error which will reveal `AWS_SECRET_KEY`, `AWS_ACCESS_KEY_ID` and `AWS_SESSION_TOKEN`
|
||||
|
||||
<img src="https://i.imgur.com/IvTFywf.png"/>
|
||||
|
||||
We can use this to access the s3 bucket which it's only allowed through a valid AWS key as we can't access it without it
|
||||
|
||||
<img src="https://i.imgur.com/zCY2elO.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/PIU4ang.png"/>
|
||||
|
||||
Adding AWS_SESSION_TOKEN in the credentials file
|
||||
|
||||
<img src="https://i.imgur.com/sgLeyQp.png"/>
|
||||
|
||||
WIth `awscli` we can access the s3 bucket
|
||||
|
||||
```bash
|
||||
aws s3 ls s3://level1.flaws2.cloud
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/XCNSurC.png"/>
|
||||
|
||||
We can download the secret html file with `cp`
|
||||
|
||||
|
||||
<img src="https://i.imgur.com/hoY9zym.png"/>
|
||||
|
||||
This will give us the link to level 2
|
||||
|
||||
<img src="https://i.imgur.com/mK3uQxO.png"/>
|
||||
|
||||
## Level 2
|
||||
|
||||
### Accessing ECR images
|
||||
|
||||
<img src="https://i.imgur.com/FKk0t17.png"/>
|
||||
|
||||
Checking for un-authorized access on s3 buckets
|
||||
|
||||
<img src="https://i.imgur.com/ydZ23sE.png"/>
|
||||
|
||||
This level talks about a container on http://container.target.flaws2.cloud/ which is being referenced `Elastic Container Registry (ECR)` , it's basically a container (docker) image registry service
|
||||
|
||||
So from awscli we can use `aws ecr` for interacting with elastic container registry (make sure to grab aws keys and session because they do get expired)
|
||||
|
||||
With `aws ecr get-login` we can get the username and password for ECR
|
||||
|
||||
<img src="https://i.imgur.com/Oa8auXn.png"/>
|
||||
Also we get the endpoint for registory control, with `aws ecr describe-images --repository-name level2` we can list the images from repoistory `level2`
|
||||
|
||||
<img src="https://i.imgur.com/lveh26K.png"/>
|
||||
|
||||
All we have to do is login to registry control with docker
|
||||
|
||||
<img src="https://i.imgur.com/FzxJykn.png"/>
|
||||
|
||||
With `docker` we can pull the image `level2` with tag `latest`
|
||||
|
||||
```bash
|
||||
docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/spvu05a.png"/>
|
||||
|
||||
We can list the images with `docker images`
|
||||
|
||||
<img src="https://i.imgur.com/h6MFz97.png"/>
|
||||
|
||||
The container can be ran by executing `bash` in the container to get a shell
|
||||
|
||||
```
|
||||
sudo docker run --rm -it --entrypoint bash 2d73de35b781
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/kimitwJ.png"/>
|
||||
|
||||
Going into `/var/www/html` we can find the link to level 3 in `index.htm` file
|
||||
|
||||
<img src="https://i.imgur.com/sGthtTz.png"/>
|
||||
|
||||
Now level 3 which is the last level of flaws2.cloud, wasn't working as
|
||||
it requires us to accss http://container.target.flaws2.cloud which wasn't responding, I am not sure what's the reason but this concludes flaws2.cloud
|
||||
## References
|
||||
- http://flaws2.cloud/
|
||||
- https://pentestbook.six2dez.com/enumeration/cloud/aws
|
||||
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html
|
Loading…
Reference in a new issue