Cloud Ring - Exploitation via AWS CLI Walkthrough

-

Flex some more advanced AWS CLI skills to escalate privileges after completing Trufflehog Search Challenge! Help Gerty Snowburrow in the Cloud Ring to get hints for this challenge.

After referencing the AWS command reference we were able to identify the following command that lists the iam attached user policies for user haug

>> aws iam list-attached-user-policies --user-name haug 

Next Question in Terminal 

>> aws iam get-policy --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY

This command allows us to view the TIE1_READONLY_POLICY in detail which was attached to the user identity we stole from the commit 

Next question in terminal 

Now we will have to view the default version of the TIER1_READONLY_POLICY by suing the –version-id switch and to support terminal navigation have pipped the command through more

>> aws iam get-policy-version --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY --version-id v1 | more

Next question in terminal:

Now we are being asked to list any inline policies attached to the user identiy or resource. Which can be listed by list-user-policies with switch specifying the username in question

>> aws iam list-user-policies --user-name haug

We can see a policy name S3Perms being attached to the user as an inline policy

Next question on terminal

To deepdive on a inline user policy via AWS CLI, we use the get-user-policy command and specifying the policy name

>> aws iam get-user-policy --user-name haug --policy-name S3Perms

Where we can see a access to S3 bucket name “smogmachine3” attached to this policy 

Next question on Terminal

To list S3api objects, we will have to use the list-objects command with switch –bucket pointing to the S3 resource

>> aws s3api list-objects --bucket smogmachines3 

Next question in terminal 

>> aws lamda list-functions


Next question in Terminal

Get-function-url-config command retrieves the configuration containing public url if any using the aws lamda function

>> aws lambda get-function-url-config --function-name smogmachine_lambda


Function URLfrom above screenshot: https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/

Full map


Cloud Ring Unlocked !



Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then ...
Read more

Sans Kringlecon 2022 - Christmas CTF Finale

-
Image
Finale Upon Collection of all 5 rings, we are being asked to meet Santa exciting the tunnels and Santa asks us to get into the building where we are greeted with Santa’s congratulations and credits to all the fantastic effort of smart folks from SANS rolling. Hidden Chests & Tunnel Map Was able to identify a total of 5 hidden chests. To find these hidden chests any new location you enter within the tunnel or even while navigating to the tunnels. Zoom out by pressing (Ctrl or Command) + “-“, which should make the hidden chests easily visible and you should be able to identify the pathways by playing with the arrow keys and even by looking for cracks in the mine wall that tells you can enter through to get to the hidden chest Most of the chest provide you with hints and almost all of them with Kringlecoins    Overall chest locations: 1 in Tokien Ring area 1 in Cloud Ring are 3 in pathways in the tunnel to different challenge areas Below is the Full Navigation map within the Tunn...
Read more

Burning Ring of Fire - Exploit a Smart Contract Walkthrough

-
Image
Exploit a Smart Contract Exploit flaws in a smart contract after completing Blockchain Divination , to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels. Difficulty Level 5/5 Next we are being asked to exploit a smart contract and buy ourselves a Bored sporc NFT from boredsporc gallery. But to be able to make the purchase we will have to be part of the Pre-Sale list and we will have to add ourselves into it. "Earlier, I overheard that disgruntled customer in the office saying he wanted in on the “rug pull”. If our suspicions are correct, that’s why the sporcs want an invite to the presale so badly.  Once the “Bored Sporc Rowboat Society” NFTs officially go on sale, the sporcs will upsell them. After most of the NFTs are purchased by unwitting victims, the Sporcs are going to take the money and abandon the project.  Mission #1 is to find a way to get on that presale list to confirm our suspicions and thwart their dastardly scheme! ...
Read more