# FLAWS: Level 3
![[Pasted image 20230701121412.png]]
[Level 3](http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/)
---
As a penetration tester, leveraging past successful techniques and tasks can be valuable in conducting effective assessments. By drawing from your experience and knowledge, you can optimize your approach and improve your chances of identifying vulnerabilities and weaknesses in target systems. However, it's also crucial to maintain a flexible mindset and adapt your approach based on the specific characteristics of each engagement.
#### Let's Run `nslookup` on The Site:
![[Pasted image 20230701122115.png]]
Let's modify the script we used in [[02 Flaws - Level 2#Script (Lvl.2) | Level 2 Script]]. We will remove the current IP addresses and replace them with the addresses we just received.
#### Script (Lvl.3):
```bash
#!/bin/bash
# Define an array of IP addresses
ip_addresses=(
    "52.92.210.203"
    "52.92.130.251"
    "52.92.179.43"
    "52.218.153.2"
    "52.92.163.171"
    "52.92.164.123"
    "52.218.133.51"
    "52.92.176.203"
)
# Iterate through each IP address
for ip in "${ip_addresses[@]}"; do
    # Perform a reverse lookup with nslookup
    result=$(nslookup "$ip")
    echo "IP Address: $ip"
    echo "$result"
    echo "-------------------"
done
```
#### Results:
![[Pasted image 20230701122708.png]]
Cool. This confirms we are working with an S3 environment (i.e., `name = s3-website-us-west-2.amazonaws.com.`).
Now, let's see if we can list the bucket contents.
#### Access Attempt (Lvl.3):
![[Pasted image 20230701124929.png]]
>**NOTE**:
>I used the same cloud user we created from [[02 Flaws - Level 2#Step 1 Login To Your AWS Account & Access The IAM Service | Level 2]].
You can receive the same results using the `--no-sign-request` option to access the bucket.
#### Access Attempt w/`--no-sign-request` (Lvl.3):
![[Screenshot 2023-07-01 at 12.54.34 PM.png]]
One entry stands out like a beacon, demanding our attention: the elusive `.git` directory. Its presence often goes unnoticed, but seasoned penetration testers know that beneath its unassuming exterior lies a treasure trove of valuable information waiting to be discovered.
To kickstart our exploration, the next step is to establish a dedicated directory (e.g., `flaws_lv3`) on our local machine and synchronize the contents of the S3 bucket to this newly created directory.
#### Make Directory:
```bash
mkdir flaws_lv3
```
#### AWS S3 Sync:
![[Screenshot 2023-07-03 at 6.57.21 PM.png]]
![[Screenshot 2023-07-03 at 6.58.02 PM.png]]
Now that we have successfully synchronized the data to our local directory and confirmed that the `.git` directory has been downloaded, it's time to utilize various Git commands to effectively enumerate the directory.
#### Git Diff:
When you run `git diff`, Git compares the files in your working directory with the state recorded in the repository and displays the differences line by line: added lines, removed lines, and modified lines.
![[Pasted image 20230703190231.png]]
#### Git Log:
When you run `git log`, Git presents you with information about each commit, including the commit hash, author, date, and commit message. It provides a comprehensive overview of the project's history, allowing you to track changes, understand the development timeline, and review the commit details.
![[Pasted image 20230703190333.png]]
Interesting, look at the statement: `Oops, accidentally added something I shouldn't have`
Let's try a tool called `tig`. Tig is a text-based interface for browsing and interacting with Git repositories. It runs in the terminal and lets you navigate and explore the commit history, branches, tags, and changes in a Git repository.
If it's not installed on your system, run the command:
```bash
sudo apt install tig
```
#### Tig:
Input the command `tig` and press enter.
![[Pasted image 20230703191731.png]]
You should see:
![[Pasted image 20230703191749.png]]
Now, let's start browsing! To get started, simply press the `Enter` key, and a new pane will magically appear. To navigate through the interface, feel free to use the arrow keys on your keyboard to move up and down effortlessly.
![[Screenshot 2023-07-03 at 7.19.42 PM.png]]
Whoa!
![[Screenshot 2023-07-03 at 7.23.22 PM.png]]
There it is again!
![[Screenshot 2023-07-03 at 7.25.05 PM.png]]
Let's go ahead and copy the access and secret keys.
![[Screenshot 2023-07-03 at 7.27.11 PM.png]]
To exit `tig`, press `q` twice.
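The keys were recoverable because deleting a file in a later commit does not remove it from Git history, and the `.git` directory was published along with the site. The script below is an added example, not part of the original walkthrough: it builds a constructed throwaway repository (hypothetical function names, AWS's documentation placeholder key) and runs the checks a site owner could run on a directory before syncing it to a public bucket.

```bash
#!/bin/sh
# Added example: checks to run on a directory before syncing it to a public
# S3 website bucket. Function names and the demo repo are constructed here.

# Access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16 more.
KEY_RE='(AKIA|ASIA)[A-Z0-9]{16}'

# Succeeds if git metadata sits inside the tree and would be uploaded with it.
has_git_dir() {
    [ -n "$(find "$1" -name .git -prune -print | head -n 1)" ]
}

# Distinct key-shaped strings in the current files, ignoring .git itself.
worktree_key_count() {
    find "$1" -name .git -prune -o -type f -exec grep -Eoh "$KEY_RE" {} + |
        sort -u | wc -l | tr -d ' '
}

# Distinct key-shaped strings in any commit on any ref, deleted files included.
history_key_count() {
    git -C "$1" log --all -p --no-color | grep -Eo "$KEY_RE" |
        sort -u | wc -l | tr -d ' '
}

# Constructed repo mirroring the scenario: a key file is committed, then
# "removed" by a follow-up commit. The key is AWS's documentation placeholder.
make_demo_repo() {
    d=$(mktemp -d)
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q
    echo '<h1>site</h1>' > "$d/index.html"
    echo 'access_key AKIAIOSFODNN7EXAMPLE' > "$d/access_keys.txt"
    g add -A && g commit -q -m 'first commit'
    g rm -q access_keys.txt && g commit -q -m 'remove file added by mistake'
    echo "$d"
}

repo=$(make_demo_repo)
has_git_dir "$repo" && echo ".git present: it would be published with the site"
echo "keys in working tree: $(worktree_key_count "$repo")"   # file was deleted
echo "keys in history:      $(history_key_count "$repo")"    # still recoverable
rm -rf "$repo"
```

A key that has ever reached history has to be rotated, since removing the file does not remove the commit that introduced it. Keeping the metadata out of the bucket is a separate fix, for example with `aws s3 sync --exclude ".git/*"`.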
#### Create a File & Paste The Credentials:
![[Pasted image 20230703192943.png]]
#### AWS Configure:
To add these credentials to the AWS CLI configuration, we'll use `aws configure` with the `--profile` option to keep them separate from any existing credentials.
![[Screenshot 2023-07-03 at 7.34.35 PM.png]]
>**NOTE:**
>If you encounter any difficulties while running the `aws configure` command, you can try installing the `awscli` package.
Let's attempt to list all the buckets associated with the credentials we just discovered.
#### Flaws Level 3 Bucket Listing:
![[Pasted image 20230703194052.png]]
Boom! There it is, the Level 4 bucket! Simply copy and paste the name of the Level 4 bucket into your browser. Congratulations!
![[Pasted image 20230703194724.png]]