Hi Guys, Welcome to InfoSecSecure.

In this Blog, we are going to solve Flaws.cloud LEVEL5 challenge. Before solving this challenge you need to solve the previous challenge. we will not only solve the challenges other than will provide the impact & mitigation/solution for this vulnerability.

Click here for LEVEL1 Challenge
Click here for LEVEL2 Challenge
Click here for LEVEL3 Challenge
Click here for LEVEL4 Challenge

These challenges provide us the knowledge of basic vulnerability. which we don’t think, That It can be a vulnerability. in this flaws.cloud LEVEL5 challenges there are AWS configuration-related vulnerabilities. which we are going to discover :

Before solving this challenge. you should be aware of the S3 bucket, Region, EC2 Instance, and EBS. If you don’t know. Don’t worry. We will provide a small Intro for the S3 bucket and Region.

Amazon S3 (Simple Storage Service):

  • Description: Amazon S3 is a scalable object storage service that allows you to store and retrieve any amount of data from anywhere on the web.
  • Key Concepts:
    • Bucket: A container for objects stored in Amazon S3. Every object is contained in a bucket.
    • Object: Basic unit of storage in S3. An object is composed of data, a key (unique within a bucket), and metadata.

AWS Regions:

  • Description: AWS has data centers located in different geographical regions worldwide. Each region is a separate geographic area, and AWS resources (like S3 buckets, and EC2 instances) can be launched in a specific region.
  • Key Concepts:
    • Region: A geographical area that consists of multiple data centers. AWS currently has multiple regions around the world.

Amazon EC2 (Elastic Compute Cloud):

  • Description: EC2 provides resizable compute capacity in the cloud. It allows users to run virtual servers, known as instances, in the AWS cloud.
  • Key Concepts:
    • Instance: A virtual server in the cloud. You can choose the instance type based on your application requirements.
    • AMI (Amazon Machine Image): A pre-configured virtual machine image, which is used to create EC2 instances.
    • Security Group: Acts as a virtual firewall for your instance to control inbound and outbound traffic.

Amazon RDS (Relational Database Service):

  • Amazon RDS (Relational Database Service) is a managed database service provided by Amazon Web Services (AWS). It simplifies the process of setting up, operating, and scaling a relational database in the cloud. With Amazon RDS, you can focus on your application development while AWS takes care of routine database tasks such as backups, patch management, and database scaling.

Let’s solve this challenge:

Challenge: We have to find LEVEL6 URL. The victim has created an EC2 machine which is connected with with databases ( RDS ). Here victim has created a database, stored backups including AWS credentials, and accidentally exposed the backup directory to the internet. there is one more interesting thing by mistake, there is no restriction on backup files.

Solution: We have to take advantage of this vulnerability. Access the backup files, and folder and find the access key. have to configure aws profile using this access key. After configuration credentials find the URL of LEVEL6.

We will follow some steps to solve this challenge:

  • In Notepad write down the URL and modified it accordingly to the below screenshot.
    • Original URL: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/flaws.cloud/
    • Modified URL: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/
  • Hit the modified URL ” http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/ “ on a new tab. here we can see there are multiple files and folders stored.
  • After following step by step. will reach on this location ” http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/ “. Copy the access key and put it in a notepad.
  • Open the “/.aws/credentials “ file and here add the access key.
  • Open the terminal and run the ” aws –profile flaws s3 ls ” command. here we are using LEVEL3 aws credentials to list the files & folders in the S3 bucket.
  • Here we will use the latest credentials that have been configured in this challenge.
    • Command: aws –profile level5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

In response, you will see a directory ” ddcc78ff/ “.

  • Now we have a directory ” ddcc78ff / “ Add it to the URL and try to access the LEVEL6 challenge.
    • Final URL: http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
  • Finally, we can access the LEVEL6 challenge.

As we have mentioned above after solving this challenge we will discuss about impact & mitigation of this vulnerability.

Impact for the backup directory allows access to everyone :

  • Unauthorized Access: The backup directory being accessible over the internet could lead to unauthorized access by malicious actors.
  • Data Exposure: If the backups contain sensitive information, there is a risk of data exposure and potential privacy violations.
  • Credential Compromise: AWS credentials stored in the backup could be exploited to gain unauthorized access to AWS resources, leading to data breaches or service disruptions.
  • Reputation Damage: A security incident can damage the reputation of the organization, eroding trust among users, clients, and stakeholders.

Mitigation for the backup directory allows access to everyone :

  • Disable public access to the backup directory.
  • Change permissions to restrict access only to authorized users.
  • Rotate the compromised AWS credentials immediately to prevent unauthorized access to AWS resources.
  • Conduct a thorough review of logs to identify any unauthorized access or suspicious activities.
  • Regularly audit permissions and access controls to prevent similar incidents.
  • Ensure that backups, especially those containing sensitive information, are stored in a secure and properly configured environment.

In next blog will solve the LEVEL6 challenge.