# FLAWS: Level 2
![[Pasted image 20230630174229.png]]
[Level 2](http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/)
### IMPORTANT NOTE:
You need an AWS account to get through Level 2.
---
#### Let's Run `nslookup` again on The Site:
![[Pasted image 20230630175158.png]]
Let's modify the script we used in [[01 Flaws - Level 1#Script| Level 1 Script]]. We will remove the current IP addresses and replace them with the addresses we just received.
#### Script (Lvl.2)
```bash
#!/bin/bash
# Define an array of IP addresses
ip_addresses=(
"52.92.132.227"
"52.218.181.50"
"52.218.213.130"
"52.92.163.3"
"52.218.234.162"
"52.218.238.58"
"52.218.216.75"
"52.92.227.99"
)
# Iterate through each IP address
for ip in "${ip_addresses[@]}"; do
    # Perform nslookup
    result=$(nslookup "$ip")
    echo "IP Address: $ip"
    echo "$result"
    echo "-------------------"
done
```
#### Results:
![[Pasted image 20230630175726.png]]
This confirms, yet again, that we are working in an S3 environment (i.e., `name = s3-website-us-west-2.amazonaws.com.`).
Now, let's see if we can list the bucket contents.
#### Access Attempt (Lvl.2)
![[Pasted image 20230630180325.png]]
Ouch! Access denied! This suggests that the bucket has specific permissions in place and is not publicly accessible for listing or retrieval.
But hey, don't panic just yet, fearless hacker! Permissions can be improperly configured. We've stumbled upon a bucket that's playing hard to get. It's like the elusive VIP section of an AWS hacking club, reserved only for the slickest and most authenticated AWS players. And guess what? If you're rocking an AWS account, you're automatically in!
#### Step 1: Login To Your AWS Account & Access The IAM Service
![[Pasted image 20230630182041.png]]
#### Step 2: Create a User
![[Screenshot 2023-06-30 at 6.25.48 PM.png]]
![[Screenshot 2023-06-30 at 6.54.29 PM.png]]
![[Screenshot 2023-06-30 at 6.56.09 PM.png]]
![[Screenshot 2023-06-30 at 6.57.49 PM.png]]
#### Step 3: Create Access Keys:
**Click on User Name**
![[Screenshot 2023-06-30 at 6.59.23 PM.png]]
![[Pasted image 20230822140405.png]]
![[Screenshot 2023-06-30 at 7.01.57 PM.png]]
**Note Down The Access & Secret Keys or Download the `.csv` file**
![[Screenshot 2023-06-30 at 7.02.41 PM.png]]
#### Step 4: Access Your Terminal & Make an AWS Profile Using `AWSCLI`
##### Type The Following Command:
```bash
aws configure
```
![[Pasted image 20230630191110.png]]
>**NOTE**:
>If you do not have the AWS CLI installed, you can install it by running the command:
>```bash
>apt install awscli
>```
#### Step 5: Access The S3 Bucket
Yes! We're in!
![[Screenshot 2023-06-30 at 7.22.48 PM.png]]
Look! Another secret file! Instead of copying the `.html` secrets file, let's add it to our Flaws 2 URL, like so:
![[Pasted image 20230630192638.png]]
Alright!
![[Pasted image 20230630192719.png]]
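
#### Checking Your Own Buckets For This Misconfiguration
The level works because the bucket refuses anonymous requests but accepts any authenticated AWS user. The following is an added example (not part of the original walkthrough) that parses the JSON printed by `aws s3api get-bucket-acl` and flags grants to the global groups; the function name and the sample ACL are constructed for illustration.

```python
import json

# Predefined S3 grantee groups that reach beyond the bucket owner's account.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone, no credentials needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any AWS account holder",
}

def broad_grants(acl_json):
    """Return (group, permission, meaning) for each grant to a global group.

    acl_json is the JSON text printed by `aws s3api get-bucket-acl`.
    On a bucket ACL, READ means the grantee can list the objects.
    """
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in BROAD_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission"), BROAD_GROUPS[uri]))
    return findings

# Constructed sample: owner access, a log-delivery grant (not flagged),
# and the kind of grant this level relies on.
SAMPLE_ACL = """
{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
"""

if __name__ == "__main__":
    for group, permission, meaning in broad_grants(SAMPLE_ACL):
        print(f"{group}: {permission} granted to {meaning}")
```

An empty result means the ACL contains no grant to either global group; bucket policies are a separate mechanism and need their own review.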