Skip to content writeup | Complete walkthrough writeup provides a perfect and easy platform for sharpening your cloud pentesting skills. This post is going to be complete write up that will explain all six challenges on the platform one by one. covers challenges with respect to IAM, ec2 and s3 services of was and provides a first hand insight into how to do penetration testing for cloud services. Task-1 Writeup

Vulnerability – Bucket’s listing has it’s listing permission set to “Everyone”

Description – allows anyone to perform action “s3:ListBucket” on the bucket. This was what allowed to list all files and find the secret page. Only allow everyone “s3:GetObject” privileges, which is fine if you plan to publicly host the bucket as a web page.

Exploiting vulnerability task-1

First of all list all buckets of the domain with the cloud_enum script. you can download the script from this GitHub repo. you can also install it in kali with apt-get install cloud_enum command.

cloud_enum -k --disable-azure --disable-gcp
clou_enum to find s3 buckets

The found s3 buckets will be listed by the script.

cloud_enum found s3 buckets

Now, we can list the contents of the bucket with the following command. Remember, we do not have credentials for the account yet.

aws s3 ls s3:// --no-sign-request
list the contents of s3 bucket

There is a secret file as we can see. We can now download the file with cp(copy) command.

aws s3 cp s3:// . --no-sign-request
s3 download files from aws

Now we can check the contents of the file with cat command.

cat secret-dd02c7c.html level 1 solved

Now we got the address for the second challenge. Task-2 Writeup

Vulnerability – Open permissions to S3 bucket for all authenticated AWS users.

Description – opened permissions to “Any Authenticated AWS User”. They might mistakenly think this will only be users of their account, when in fact it means anyone that has an AWS account.

Exploiting vulnerability task-2

First of all make an account on AWS with programmatic access and note down the keys. AWS is free to sign up for but requires a credit card. You can go to IAM and make a new user.

make account on aws

Now configure the profile on aws cli with the keys from the account.

aws user configuration in cli

Ensure that the user that you have created on aws has s3 full access or administrative access.

s3 privileges setup

List the content of the S3 bucket with your profile.

aws s3 --profile ammar ls s3://
list s3 bucket with a profile

Now similarly as in task 1, download the secret file and get the link for the next task. task 2 solution Task-3 Writeup

Vulnerability – Leaked AWS keys by accidentally committing them to git repo.

Description – The creator of the homepage pushed the git repository into the bucket hosting the page. In combination with careless handling of AWS credentials, attackers can now get valid credentials.

Exploiting vulnerability task-3

List the contents of S3 bucket which lists a .git repo folder.

aws s3 ls s3:// --profile ammar git repo

Now download the git repo with the sync command.

aws s3 sync s3:// . --profile ammar
 download a s3 bucket with the sync command

Get the details of commits with git log command. It gives a log message that the previous commit has access keys.

git log
Get the details of commits with git log command.

Shift to the previous commit which has the access keys file.

git checkout 
shift to a github commit

Now cat out the access keys file.

leaked aws keys

Configure a new profile with the leaked credentials.

aws configure profile

List down all S3 buckets associated with the account. we get the address of level 4 bucket.

2017-02-23 20:54:13
2017-02-26 13:15:44
2017-02-26 13:16:06
2017-02-26 14:44:51
2017-02-26 14:47:58
2017-02-26 15:06:32 Task-4 Writeup

Vulnerability – Publicly accessible EC2 snapshots.

Description – The Sensitive information was made publicly accessible due to a public snapshot. Snapshot ID (long random string) is required to actually use the snapshot. With credentials found in a different way we were able to find out the ID and could enumerate the sharing permissions.

Exploiting vulnerability task-4

Find the details of the user that we found in task 3.

aws --profile cloud sts get-caller-identity
aws profile parameters check

List down all snapshots of the user credentials found earlier.

aws --profile cloud ec2 describe-snapshots --owner-id 975426262029 --region us-west-2
aws cli listing all snapshots

Create a new instance in EC2 from your console. Attach an extra volume and search for the snapshot with its ID. Attach that to volume.

creating instance with snapshot

SSH into the machine and then mount the volume with lsblk and mnt command.

mount volume within aws

Cat the contents of HTML document in var/www/html folder to get the next level URL. solution level 4

Check the config folder of nginx to find the password file location. level 6

Cat the content of the file and you will find the hashed password. But instead of trying to crack the hash let’s explore further in the machine.

In the home/ubuntu folder there is setupNginx file which stores the password in plain.

level 4 password

Use the credentials to log in, you will find the next-level link.

level 4 solved Task-5 Writeup

Vulnerability – SSRF Allows EC-2 metadata to be accessed leaking secret information.

Description – The main problem in this level is the proxy not blocking requests to the metadata service. From the application development point of view, server-side request forgery (SSRF) vulnerability may be exploitable to gain access to secret data.

Exploiting vulnerability task-5

Use the proxy to access the metadata of EC2 instance. The metadata URL is well known.
aws ec2 metadata exploitation

Setup a new user profile as in the previous tasks. Open the aws credetials file and add the token manually to the profile.

nano ~./aws/credentials
Add this
aws_session_token = your token
aws cli token configuration

List the contents of S3 Bucket and download all files with cp command.

aws s3 cp s3:// . --recursive --profile cloud2
s3 bucket download folders

Now we can see ddcc78dd folder and there is HTML file in it which contains the credentials and link for the next level.

level write up Task-6 Writeup

Vulnerability – The security audit policy allows to list all policies which can be used to map the environment

Description – Security Audit policy is in place which enables to map the infrastructure. The ability to read your own and other’s IAM policies can really help an attacker figure out what exists in your environment and look for weaknesses and mistakes.

Exploiting vulnerability task-6

Configure a new profile with credentials got from the previous task.

configuring aws profile

Get the user ID and name of the newly created profile.

getting aws user details

Check all available policies for the user.

aws --profile cloud3 iam list-attached-user-policies --user-name Level6
listing attached user profiles

We can see two different policies attached. Now, check the details of the api-gateways policy.

aws --profile cloud3 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
listing policy in aws cli

Now try to list the available lambda functions.

aws --region us-west-2 --profile cloud3 lambda list-functions
listing lambda functions in aws cli

Get the policy of the required lambda function which will list its name.

aws --region us-west-2 --profile cloud3 lambda get-policy --function-name Level6
getting lambda function name

Now get the stage name of the function.

aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
gettting lambda function staging name

The stage name is “Prod” which are lambda functions using the rest-api-id, stage name, region and resource: Check the link of the lambda function which gives the link of ending link

So, that the end, we have successfully completed all challenges. complete walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *