AWS Security (S3 buckets, EC2 snapshots, leaked AWS keys, permissions to read IAM policies)
Hi! Recently I was looking for resources for learning AWS security and came across the flaws.cloud challenges. These challenges teach about misconfigurations and excessive permissions in different AWS services like S3, EC2 snapshots, REST APIs, etc.
We are given an EC2 instance that is running a web server on port 80, configured with an nginx reverse proxy.
- It asks for creds that we don’t have.
- A snapshot of this instance was created after deploying.
- The challenge is to access this EC2 instance.
Let’s try to solve this challenge:
1. Snapshots: it is given that a snapshot was created for this instance. Snapshots can be made public, which poses a huge risk.
a) I have created a snapshot.
b) By default a snapshot is not public, but we can modify its permissions to make it public. I have no idea what the use case for doing this is :(
c) Now one can make the snapshot public.
d) And here comes the scariest screenshot!! All these are public snapshots in my availability zone/region.
2. To find the snapshot created for the given EC2 instance in the challenge we need to know the account ID of the AWS account. We could have done this by filtering all the snapshots or checking each snapshot by hand (really tedious).
a) Finding the region of the EC2 instance.
The EC2 instance is in the us-west-2 region.
b) We can view all the public snapshots in this region with any valid AWS profile. But there are thousands of them. We can use filters, but in this case we don’t know anything about the specific snapshot we are looking for, so we need something else to pinpoint the snapshot related to our challenge.
aws --profile terraform ec2 describe-snapshots --region us-west-2 --filters "Name=volume-size,Values=8" "Name=status,Values=completed" "Name=storage-tier,Values=standard" > us-west-2_8GiB_standardtier.txt
c) Use the AWS creds we got in the previous challenge (http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/) to find the account ID of the AWS account used for deploying the flaws.cloud challenges.
d) The command below also tells you the name of the account, which in this case is “backup”. The backups this account makes are snapshots of EC2s.
aws --profile flaws sts get-caller-identity
e) Finding the snapshot: next, discover the snapshot using the account ID.
aws --profile terraform ec2 describe-snapshots --owner-id 975426262029 --region us-west-2
3. Now we can create a volume from this snapshot.
Note: a personal/another AWS account is required.
aws --profile terraform ec2 create-volume --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 --availability-zone us-west-2c
4. Then we need to create an EC2 instance in the same availability zone (us-west-2c in our case).
5. Attaching the volume to the EC2 instance:
6. Mounting the volume
a) Finding the name of the device:
/dev/xvdf1 is the device (partition) which we need to mount.
b) Creating a directory and mounting the device:
Before mounting, you may need to find out the filesystem type.
mount -t ext4 /dev/xvdf1 /mnt/volume_ext
7. Finding creds in a bash script:
8. Adding the Authorization header to the HTTP request:
Authorization: Basic Zmxhd3M6bkNQOHhpZ2RqcGp5aVhnSjduSnU3cnc1Um82OGlFOE0=
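The exposure exploited in steps 1 to 3 above is a snapshot whose createVolumePermission is granted to the group “all”. As an added example (not from the original post), here is an audit of snapshots you own that flags public or cross-account sharing; SNAPSHOTS and ATTRIBUTES are constructed sample data mirroring the JSON returned by the two CLI calls named in the comments, not output from the flaws.cloud account.

```python
# Added example (not from the original post): audit EBS snapshots you own for
# the public createVolumePermission that lands them in the public list above.
# SNAPSHOTS and ATTRIBUTES are constructed sample data mirroring the JSON of:
#   aws ec2 describe-snapshots --owner-ids self --region us-west-2
#   aws ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "VolumeSize": 8, "State": "completed", "Description": "web backup"},
    {"SnapshotId": "snap-0bbb", "VolumeSize": 100, "State": "completed", "Description": "db backup"},
    {"SnapshotId": "snap-0ccc", "VolumeSize": 8, "State": "completed", "Description": "dev box"},
]
ATTRIBUTES = {
    "snap-0aaa": {"SnapshotId": "snap-0aaa", "CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0bbb": {"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
    "snap-0ccc": {"SnapshotId": "snap-0ccc", "CreateVolumePermissions": []},
}


def exposure(attr):
    """Classify one createVolumePermission attribute as public, shared or private."""
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):   # "all" = every AWS account
        return "public"
    if any("UserId" in p for p in perms):              # explicit account IDs
        return "shared"
    return "private"


def audit_snapshots(snapshots, attributes):
    """Return one finding per snapshot that is not private, with a remediation command."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        attr = attributes.get(sid, {})
        level = exposure(attr)
        if level == "private":
            continue
        accounts = sorted(p["UserId"] for p in attr["CreateVolumePermissions"] if "UserId" in p)
        if level == "public":
            fix = (f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
                   "--attribute createVolumePermission --operation-type remove --group all")
        else:
            fix = f"review sharing of {sid} with accounts {','.join(accounts)}"
        findings.append({"SnapshotId": sid, "Exposure": level, "SharedWith": accounts,
                         "VolumeSize": snap["VolumeSize"], "Fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_snapshots(SNAPSHOTS, ATTRIBUTES):
        print(f"{f['Exposure'].upper():7} {f['SnapshotId']} {f['VolumeSize']} GiB -> {f['Fix']}")
```

At the account level, EC2 also offers "block public access for snapshots" (aws ec2 enable-snapshot-block-public-access --state block-all-sharing), which stops new public grants regardless of what this audit finds.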
The next challenge: we are provided with an HTTP web proxy server that is running on an EC2 instance.
For more clarity, I just ran a simple HTTP server on pswalia2u.ddns.net on port 1337.
We got the request from 188.8.131.52. With a reverse lookup we got a bit more info about the EC2 instance.
It is hosted in the us-west-2 region.
Now, one interesting thing I came to know about EC2 instances is that they have a metadata service running at http://169.254.169.254/latest/meta-data/, which is accessible from within the instance. As our EC2 instance has a web proxy server up and running, we can view the metadata through it.
According to the official docs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html) we can access the metadata via
Upon enumerating, we found leaked creds:
"AccessKeyId" : "ASIA6GG7PSQGYRUEDGDO",
"SecretAccessKey" : "oqzfuYcxUnzlDPiIU/LLrlvOUYseSzZCShqgLHK3",
Using this profile:
We found the hidden directory name by listing the S3 bucket contents.
aws --profile flaws_lvl5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
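The proxy in this level forwards whatever URL it is given, including the link-local metadata address. As an added example (not from the original post), here is detection logic run over constructed nginx-style access log lines from such a proxy, flagging requests whose target host is the IMDS; SAMPLE_LOG and the IP addresses in it are constructed.

```python
# Added example (not from the original post): flag proxied requests that target
# the EC2 metadata service, run over constructed nginx "combined" log lines.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log from a forward proxy (client, target URL, status).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET http://example.org/index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 320
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 200 320
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET http://169.254.0.9/ HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # IMDS lives at 169.254.169.254
IMDS_V6 = ipaddress.ip_address("fd00:ec2::254")        # IPv6 endpoint of the IMDS


def targets_metadata(target):
    """True if the request target's host is the IMDS (or any link-local address)."""
    url = target if "://" in target else "http://" + target
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolution is outside this offline check
    return ip in LINK_LOCAL or ip == IMDS_V6


def find_metadata_requests(log_text):
    """Return (source_ip, target, status) for each log line that reaches for the IMDS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and targets_metadata(m.group("target")):
            hits.append((m.group("src"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for src, target, status in find_metadata_requests(SAMPLE_LOG):
        print(f"ALERT {src} -> {target} ({status})")
```

On the instance side, requiring IMDSv2 (aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1) makes a plain proxied GET like the one above fail, because a session token must first be obtained with a PUT.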
The next challenge: we are provided with AWS creds. It is specified that the SecurityAudit policy is attached to this account.
Getting info about the account:
aws --profile flaws_lvl6 iam get-user
aws --profile flaws_lvl6 sts get-caller-identity
aws --profile flaws_lvl6 iam list-attached-user-policies --user-name Level6
Finding out the default version number of the policy:
aws --profile flaws_lvl6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
Fetching the policy details (the policy document for that version):
aws --profile flaws_lvl6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
Okay, now we need to find out what the use cases of API Gateways are (basically, why they are used). The first Google search result leads us to https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-overview-developer-experience.html:
Okay, so what are Lambda functions?
Let’s check if this API Gateway is being used for Lambda functions or not.
aws --region us-west-2 --profile level6 lambda list-functions
Now we need to learn how to call this function. I googled “aws api gateway api url format”:
We need to figure out these things:
- region (we already know it)
aws --region us-west-2 --profile flaws_lvl6 lambda get-policy --function-name Level6
- restapi_id: s33ppypa75
aws --profile flaws_lvl6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
- stage_name: Prod
Time to create the URL:
We need to add level6 at the end too, as it was specified in the output of get-policy.
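The pieces gathered above (region, REST API ID, stage name, and the path from get-policy) come together in the invoke URL. As an added example (not from the original post), here is how the SourceArn condition in the Lambda resource policy encodes API ID, stage, method and path, and how a “*” stage expands over the stages returned by get-stages. POLICY_OUTPUT and STAGES_OUTPUT are constructed to mirror the shapes of the two CLI outputs using the IDs from this walkthrough; the post does not show the raw outputs.

```python
# Added example (not from the original post): derive the invoke URL from the
# Lambda resource policy's SourceArn condition and the deployed API stages.
# POLICY_OUTPUT and STAGES_OUTPUT are constructed to mirror the shapes of
#   aws lambda get-policy --function-name Level6
#   aws apigateway get-stages --rest-api-id s33ppypa75
import json

POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            # stage "*" means any stage of the API may invoke the function
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
        }],
    })
}
STAGES_OUTPUT = {"item": [{"stageName": "Prod", "deploymentId": "abc123"}]}


def parse_source_arns(policy_output):
    """Yield (region, api_id, stage, method, path) for each execute-api SourceArn."""
    doc = json.loads(policy_output["Policy"])
    for stmt in doc["Statement"]:
        cond = stmt.get("Condition", {})
        for key in ("ArnLike", "ArnEquals"):
            arn = cond.get(key, {}).get("AWS:SourceArn")
            if not arn or ":execute-api:" not in arn:
                continue
            # arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
            _, _, _, region, _account, resource = arn.split(":", 5)
            api_id, stage, method, path = resource.split("/", 3)
            yield region, api_id, stage, method, path


def invoke_urls(policy_output, stages_output):
    """Expand a '*' stage to every deployed stage and build the invoke URLs."""
    names = [s["stageName"] for s in stages_output.get("item", [])]
    urls = []
    for region, api_id, stage, method, path in parse_source_arns(policy_output):
        for name in (names if stage == "*" else [stage]):
            urls.append((method, f"https://{api_id}.execute-api.{region}.amazonaws.com/{name}/{path}"))
    return urls


if __name__ == "__main__":
    for method, url in invoke_urls(POLICY_OUTPUT, STAGES_OUTPUT):
        print(method, url)
```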