CTF-Writeups/AWS CTF/fLAWS2/fLAWS2.md
2022-09-09 10:55:47 +05:00

106 lines
3.9 KiB
Markdown

# flAWS 2 - Attacker Path
flAWS 2 is the continuation of fLAWS CTF which is focused for teaching about AWS (Amazon Web Services) pentesting, which introduces issues in Lambda and ECR and to exploit them, it's hosted on `http://flaws2.cloud/` so we don't need to setup anything for AWS. I'll be focusing on doing the Attacker path and this path includes 3 levels
<img src="https://i.imgur.com/CNct7Sh.png"/>
## Level 1
### Finding AWS Access and Session
The page asks us to enter a 100 digit pin code
<img src="https://i.imgur.com/oeAdAqV.png"/>
If we try to see what request is made at the backend in the network tab from developer tools
<img src="https://i.imgur.com/HxORZHB.png"/>
It's making a request to `https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1` with the value of the `code` so it must be evaluating from the backend whether the code is valid . As we learned from fLAWS (prequel to fLAWS2) that it's used to make API requests, where `2rfismmoo8` is `rest-api-id` , `level` is the stage/function . This resource in AWS is known as `AWS Lambda` which is baiscally used to run code or make API requests
On making an invalid request like putting characters instead of numbers we'll get an error which will reveal `AWS_SECRET_KEY`, `AWS_ACCESS_KEY_ID` and `AWS_SESSION_TOKEN`
<img src="https://i.imgur.com/IvTFywf.png"/>
We can use this to access the s3 bucket which it's only allowed through a valid AWS key as we can't access it without it
<img src="https://i.imgur.com/zCY2elO.png"/>
<img src="https://i.imgur.com/PIU4ang.png"/>
Adding AWS_SESSION_TOKEN in the credentials file
<img src="https://i.imgur.com/sgLeyQp.png"/>
WIth `awscli` we can access the s3 bucket
```bash
aws s3 ls s3://level1.flaws2.cloud
```
<img src="https://i.imgur.com/XCNSurC.png"/>
We can download the secret html file with `cp`
<img src="https://i.imgur.com/hoY9zym.png"/>
This will give us the link to level 2
<img src="https://i.imgur.com/mK3uQxO.png"/>
## Level 2
### Accessing ECR images
<img src="https://i.imgur.com/FKk0t17.png"/>
Checking for un-authorized access on s3 buckets
<img src="https://i.imgur.com/ydZ23sE.png"/>
This level talks about a container on http://container.target.flaws2.cloud/ which is being referenced `Elastic Container Registry (ECR)` , it's basically a container (docker) image registry service
So from awscli we can use `aws ecr` for interacting with elastic container registry (make sure to grab aws keys and session because they do get expired)
With `aws ecr get-login` we can get the username and password for ECR
<img src="https://i.imgur.com/Oa8auXn.png"/>
Also we get the endpoint for registory control, with `aws ecr describe-images --repository-name level2` we can list the images from repoistory `level2`
<img src="https://i.imgur.com/lveh26K.png"/>
All we have to do is login to registry control with docker
<img src="https://i.imgur.com/FzxJykn.png"/>
With `docker` we can pull the image `level2` with tag `latest`
```bash
docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest
```
<img src="https://i.imgur.com/spvu05a.png"/>
We can list the images with `docker images`
<img src="https://i.imgur.com/h6MFz97.png"/>
The container can be ran by executing `bash` in the container to get a shell
```
sudo docker run --rm -it --entrypoint bash 2d73de35b781
```
<img src="https://i.imgur.com/kimitwJ.png"/>
Going into `/var/www/html` we can find the link to level 3 in `index.htm` file
<img src="https://i.imgur.com/sGthtTz.png"/>
Now level 3 which is the last level of flaws2.cloud, wasn't working as
it requires us to accss http://container.target.flaws2.cloud which wasn't responding, I am not sure what's the reason but this concludes flaws2.cloud
## References
- http://flaws2.cloud/
- https://pentestbook.six2dez.com/enumeration/cloud/aws
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html