Hi Guys, Welcome to InfoSecSecure.

In this blog, we are going to solve the Flaws.cloud LEVEL4 challenge. Before solving this challenge you need to solve the previous one. We will not only solve the challenge but also explain the impact and the mitigation/solution for this vulnerability.

If you are reading this blog that means you are working on your cloud penetration testing journey.


These challenges teach us about basic weaknesses that we often don't even think of as vulnerabilities. The flaws.cloud LEVEL4 challenge is about an AWS configuration-related vulnerability, which we are going to discover:


Before solving this challenge, you should be aware of S3 buckets, Regions, EC2 instances, and EBS. If you don't know them, don't worry: we will provide a small intro below.

Amazon S3 (Simple Storage Service):

  • Description: Amazon S3 is a scalable object storage service that allows you to store and retrieve any amount of data from anywhere on the web.
  • Key Concepts:
    • Bucket: A container for objects stored in Amazon S3. Every object is contained in a bucket.
    • Object: Basic unit of storage in S3. An object is composed of data, a key (unique within a bucket), and metadata.

AWS Regions:

  • Description: AWS has data centers located in different geographical regions worldwide. Each region is a separate geographic area, and AWS resources (like S3 buckets and EC2 instances) can be launched in a specific region.
  • Key Concepts:
    • Region: A geographical area that consists of multiple data centers. AWS currently has multiple regions around the world.

Amazon EC2 (Elastic Compute Cloud):

  • Description: EC2 provides resizable compute capacity in the cloud. It allows users to run virtual servers, known as instances, in the AWS cloud.
  • Key Concepts:
    • Instance: A virtual server in the cloud. You can choose the instance type based on your application requirements.
    • AMI (Amazon Machine Image): A pre-configured virtual machine image, which is used to create EC2 instances.
    • Security Group: Acts as a virtual firewall for your instance to control inbound and outbound traffic.

EBS (Elastic Block Store):

  • Description: EBS provides block-level storage volumes for use with EC2 instances.
  • Key Concepts:
    • Volume: A block-level storage device that can be attached to an EC2 instance. Volumes can be used like raw, unformatted external hard drives.

Let’s solve this challenge:


Note:

  • First, we need the victim's account ID, which we can get using the AWS keys from the previous LEVEL3.
  • Second, we need an AWS account of our own.

Challenge: The victim created an EBS volume and stored a username and password in it. There is one more interesting thing: by mistake, they shared it with everyone, which means a user from any AWS account can access this EBS volume.

Solution: We have to take advantage of this misconfiguration: access the EBS volume and find the username and password stored in it, which will unlock the next challenge.


We will follow some steps to solve this challenge:

  • Whenever you click on this link "4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud", there will be a pop-up where you have to enter a username and password to unlock the next challenge.

We have to use the LEVEL3 credentials to collect information about the AWS Identity and Access Management (IAM) entity they belong to.

  • Open the terminal and run the command "aws --profile flaws sts get-caller-identity". The output will include details such as the AWS account ID, the IAM user or role name, and the type of entity making the request.
    • Here's a breakdown of the command components:
      • aws: This is the AWS CLI command-line tool.
      • --profile flaws: This specifies the named AWS CLI profile to use. Profiles are configurations that store your AWS credentials and other settings. In this case, "flaws" is the profile name.
      • sts: This refers to the AWS Security Token Service (STS), which is responsible for issuing temporary security credentials.
      • get-caller-identity: This is the specific operation within STS that retrieves information about the entity making the request.

In the response, we get some sensitive information: the UserId, the Account, and the ARN. Note this information down.

  • Now we have the account ID "975426262029", which will help us retrieve the EC2 snapshot (volume) information. Run the command "aws --profile flaws ec2 describe-snapshots --owner-id 975426262029 --region us-west-2".
    • Here's a breakdown of the command components:
      • ec2: This indicates the AWS service you are interacting with, in this case Amazon Elastic Compute Cloud (EC2).
      • describe-snapshots: This is the specific command to retrieve information about EBS snapshots.
      • --owner-id 975426262029: This is an optional parameter that filters the snapshots by the specified AWS account ID (owner ID). In this example, it filters snapshots owned by the account with ID 975426262029.
      • --region us-west-2: This is another optional parameter that specifies the AWS region. In this case, it's set to the US West (Oregon) region.

In the response we get the snapshot ID "snap-0b49342abd1bdcb89". Note this snapshot ID down. This snapshot (i.e. the volume) has to be accessed from our own EC2 machine.

  • For accessing the snapshot we need our own AWS account. Log in to your AWS account and create an EC2 machine. Observe the screenshot below; we have already created an EC2 machine. In the screenshot, observe the availability zone and note it down.

Finally, we have a snapshot ID, an EC2 machine and our own AWS account.

  • Here we will create a volume from the snapshot in our own AWS account. Open a terminal and run the command "aws --profile Anonymous ec2 create-volume --availability-zone us-west-2b --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89".
    • Here's a breakdown of the command components:
      • ec2 create-volume: This part of the command indicates that you want to create an EBS volume in Amazon EC2, the web service that provides resizable compute capacity in the cloud.
      • --availability-zone us-west-2b: Specifies the availability zone where the EBS volume will be created. In this example, it's set to "us-west-2b".
      • --region us-west-2: Specifies the AWS region in which the resources will be created. Here, it's set to "us-west-2".
      • --snapshot-id snap-0b49342abd1bdcb89: Specifies the EBS snapshot ID from which the new volume will be created. EBS snapshots are point-in-time copies of EBS volumes.

In the response, observe the snapshot ID and the volume ID of the volume that has been created in our AWS account.

  • Open your AWS account and click on the Volumes option. Here observe the snapshot ID and volume ID in the volume list. Now we will attach this volume to our EC2 machine. Click on Attach Volume.
  • Select your EC2 machine's instance ID and click on Attach Volume. The created volume is now attached to our EC2 machine.
  • Click on the Instances option. Here we will access our EC2 machine. To access the EC2 machine, select it and click on the Connect option.
  • Now we have terminal access to the EC2 machine. Run the "lsblk" command. The lsblk command is a Linux command-line utility used to list information about block devices, such as hard drives and their partitions, along with their corresponding attributes. The command stands for "list block devices".

Observe the highlighted disk name. We have to mount this disk on our EC2 system; without mounting it, we can't access any data present on the disk.

  • For mounting the disk, create a folder where we will mount it.
  • Now run the mount command and mount the disk on the created folder.
  • Run the "ls" command in the created folder, which lists the files and folders inside the directory. Here there is one home directory.
  • Access the "/home/ubuntu" folder and run the "ls" command there. Observe that there is one setupNginx.sh file. Run the "cat setupNginx.sh" command, which shows the contents of this file.

Observe the response. In this file, we can see a username and password.

  • Note the username and password down.
  • Enter the username and password, then click on the "Sign in" button.
  • Finally, we have cracked this challenge and can access the LEVEL5 URL.

In this challenge, we have seen that if you allow volume (snapshot) access to everyone, anyone can access your volume and see the sensitive information in it. As mentioned above, after solving the challenge we discuss the impact and mitigation of this vulnerability.

Impact of a snapshot (volume) that allows access to everyone:

  • The attacker can view sensitive data stored in the snapshot, potentially exposing confidential information.
  • Unauthorized access could compromise data integrity and privacy, leading to potential legal and compliance issues.
  • The attacker might misuse the snapshot for malicious purposes, such as launching instances from compromised data.

Mitigation for a snapshot (volume) that allows access to everyone:

  • Review and adjust permissions to ensure that only authorized users or roles have access to the snapshot.
  • Grant the minimum required permissions to users, adhering to the principle of least privilege to reduce the attack surface.
  • Set up AWS CloudTrail to monitor and log all API calls related to snapshot access. Regularly review these logs for any suspicious activities.
  • Enable encryption for snapshots to protect data even if unauthorized access occurs. This adds an extra layer of security.
  • Limit snapshot sharing to specific AWS accounts or IAM users/roles to prevent public access.
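As a defender-side illustration of the first and last mitigation points, here is an added example (not code from the flaws.cloud project) that audits snapshots for exactly the misconfiguration exploited above: a createVolumePermission entry granting the "all" group. It works on the JSON shape returned by "aws ec2 describe-snapshot-attribute --attribute createVolumePermission" (the same data boto3's describe_snapshot_attribute returns), so it runs offline on saved responses; the sample responses are constructed, and the account ID 111111111111 is a placeholder.

```python
"""Audit EBS snapshots for public sharing (createVolumePermission Group=all)
and build the AWS CLI command that removes it."""
from typing import Iterable

# Constructed sample responses: one snapshot shared with everyone ("Group": "all"),
# one shared with a single (placeholder) account, one not shared at all.
SAMPLE_RESPONSES = [
    {"SnapshotId": "snap-0b49342abd1bdcb89",
     "CreateVolumePermissions": [{"Group": "all"}], "ProductCodes": []},
    {"SnapshotId": "snap-0000000000000001",
     "CreateVolumePermissions": [{"UserId": "111111111111"}], "ProductCodes": []},
    {"SnapshotId": "snap-0000000000000002",
     "CreateVolumePermissions": [], "ProductCodes": []},
]


def is_public(attr_response: dict) -> bool:
    """True when any createVolumePermission entry grants the 'all' group,
    i.e. any AWS account can run create-volume from this snapshot."""
    perms = attr_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def find_public_snapshots(responses: Iterable[dict]) -> list:
    """Return the IDs of all snapshots that are shared with everyone."""
    return [r["SnapshotId"] for r in responses if is_public(r)]


def remediation_command(snapshot_id: str, region: str = "us-west-2") -> str:
    """Build the AWS CLI call that revokes the public sharing on one snapshot.
    (Sharing with specific accounts via UserId entries is left untouched.)"""
    return ("aws ec2 modify-snapshot-attribute "
            f"--snapshot-id {snapshot_id} --attribute createVolumePermission "
            f"--operation-type remove --group-names all --region {region}")


if __name__ == "__main__":
    # In a live audit, feed the output of describe-snapshot-attribute for each
    # snapshot returned by describe-snapshots --owner-ids self instead.
    for snap in find_public_snapshots(SAMPLE_RESPONSES):
        print(f"PUBLIC: {snap}")
        print("  fix: " + remediation_command(snap))
```

The same check can be scheduled (for example from a Lambda or a CI job) so a snapshot made public by mistake is caught and revoked before anyone outside the account creates a volume from it.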

Here we have successfully solved the LEVEL4 challenge. In the Next Blog, We will solve the LEVEL5 challenge.