CTF-Writeups/AWS CTF/fLAWS2/fLAWS2.md

flAWS 2 - Attacker Path

flAWS 2 is the continuation of fLAWS CTF which is focused for teaching about AWS (Amazon Web Services) pentesting, which introduces issues in Lambda and ECR and to exploit them, it's hosted on http://flaws2.cloud/ so we don't need to setup anything for AWS. I'll be focusing on doing the Attacker path and this path includes 3 levels

Level 1

Finding AWS Access and Session

The page asks us to enter a 100 digit pin code

If we try to see what request is made at the backend in the network tab from developer tools

It's making a request to https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1 with the value of the code so it must be evaluating from the backend whether the code is valid . As we learned from fLAWS (prequel to fLAWS2) that it's used to make API requests, where 2rfismmoo8 is rest-api-id , level is the stage/function . This resource in AWS is known as AWS Lambda which is baiscally used to run code or make API requests

On making an invalid request like putting characters instead of numbers we'll get an error which will reveal AWS_SECRET_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN

We can use this to access the s3 bucket which it's only allowed through a valid AWS key as we can't access it without it

Adding AWS_SESSION_TOKEN in the credentials file

WIth awscli we can access the s3 bucket

aws s3 ls s3://level1.flaws2.cloud

We can download the secret html file with cp

This will give us the link to level 2

Level 2

Accessing ECR images

Checking for un-authorized access on s3 buckets

This level talks about a container on http://container.target.flaws2.cloud/ which is being referenced Elastic Container Registry (ECR) , it's basically a container (docker) image registry service

So from awscli we can use aws ecr for interacting with elastic container registry (make sure to grab aws keys and session because they do get expired)

With aws ecr get-login we can get the username and password for ECR

Also we get the endpoint for registory control, with `aws ecr describe-images --repository-name level2` we can list the images from repoistory `level2`

All we have to do is login to registry control with docker

With docker we can pull the image level2 with tag latest

docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest

We can list the images with docker images

The container can be ran by executing bash in the container to get a shell

sudo docker run --rm -it --entrypoint bash 2d73de35b781

Going into /var/www/html we can find the link to level 3 in index.htm file

Now level 3 which is the last level of flaws2.cloud, wasn't working as it requires us to accss http://container.target.flaws2.cloud which wasn't responding, I am not sure what's the reason but this concludes flaws2.cloud

References

• http://flaws2.cloud/
• https://pentestbook.six2dez.com/enumeration/cloud/aws
• https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html