# FLAWS: Level 4
![[Pasted image 20230705185257.png]]
[Level 4](http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/)
---
As in the earlier levels, build on the techniques that have already worked for you; recon first, then pivot on whatever the recon turns up. We'll begin with an `nslookup` on the Level 4 hostname.
#### Run `nslookup` on The Site:
![[Screenshot 2023-07-10 at 5.42.57 PM.png]]
Ah ha! Take a look at `ec2-35-165-182-7...`. That reverse-DNS name tells us the site is served from an EC2 instance with the public IP address `35.165.182.7`.
Now, let's revisit the credentials we discovered in [[03 Flaws - Level 3#AWS Configure | FLAWS: Level 3]]. We'll use those credentials to enumerate EC2 resources and gather more information about the target.
#### EC2 Enumeration:
![[Screenshot 2023-07-10 at 6.24.07 PM.png]]
The `SnapshotId` shown in the screenshot is worth a closer look. Let's dive deeper and explore its details.
#### SnapshotId:
![[Screenshot 2023-07-10 at 6.31.46 PM.png]]
Alright. It's possible that the specific snapshot we were looking for has been deleted, but other snapshots may still be accessible to our `flaws_lv3` profile. Let's explore further and see if we can find any we can work with.
First, let's gather more information about the identity we are currently using, `flaws_lv3`. To do this, we can run `aws sts get-caller-identity`. This command returns essential details about the IAM user or role associated with the credentials used for the API request. It provides three important fields:
- `UserId`: This field represents the unique identifier of the calling entity, which in this case is the `flaws_lv3` user.
- `Account`: Here, we can find the AWS Account ID number of the account that owns or contains the `flaws_lv3` user.
- `Arn`: The Amazon Resource Name (ARN) associated with the calling identity, which provides additional context about the user or role.
By running the `get-caller-identity` command, we'll gain a better understanding of the identity and permissions associated with our AWS CLI session, similar to how the `whoami` command works in Linux.
#### AWS CLI Get-Caller-Identity:
![[Screenshot 2023-07-11 at 4.52.41 PM.png]]
Great! Let's copy the account number to our notes.
Now let's list the snapshots and filter for those owned by this AWS account.
#### Snapshot Results:
![[Screenshot 2023-07-11 at 5.16.49 PM.png]]
If we run the command `aws --profile flaws_lv3 ec2 describe-snapshots`, we retrieve all available snapshots associated with the AWS account specified in the profile. Let's copy the output and paste it into a text editor for safekeeping; we might need it later.
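The two steps above (identify the account, then list its snapshots) are exactly what a defender should automate: an EBS snapshot shared with `all` can be turned into a volume by any AWS account, which is what makes this level solvable. The following Python is an added example, not part of this walkthrough or of flaws.cloud: it takes the JSON the AWS CLI returns from `sts get-caller-identity`, `ec2 describe-snapshots` and `ec2 describe-snapshot-attribute --attribute createVolumePermission`, keeps the snapshots owned by the calling account, and flags any that are shared publicly or with other accounts. All snapshot IDs, account numbers and permission entries are constructed sample data.

```python
import json

# Constructed sample data in the shape the AWS CLI returns from
#   sts get-caller-identity / ec2 describe-snapshots --owner-ids self /
#   ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
CALLER_IDENTITY = json.loads(
    '{"UserId": "AIDAEXAMPLEUSERID", "Account": "123456789012",'
    ' "Arn": "arn:aws:iam::123456789012:user/audit"}')
SNAPSHOTS = json.loads("""{"Snapshots": [
  {"SnapshotId": "snap-0000000000000aaaa", "OwnerId": "123456789012",
   "Encrypted": false, "Description": "web server root volume"},
  {"SnapshotId": "snap-0000000000000bbbb", "OwnerId": "123456789012",
   "Encrypted": true, "Description": "database volume"},
  {"SnapshotId": "snap-0000000000000cccc", "OwnerId": "999999999999",
   "Encrypted": false, "Description": "snapshot owned by another account"}]}""")
# createVolumePermission attribute per owned snapshot (constructed)
PERMISSIONS = {
    "snap-0000000000000aaaa": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0000000000000bbbb": {"CreateVolumePermissions": [{"UserId": "210987654321"}]},
}

def owned_snapshots(identity, listing):
    """Keep only snapshots whose OwnerId matches the calling account (the 'whoami' step)."""
    return [s for s in listing["Snapshots"] if s["OwnerId"] == identity["Account"]]

def sharing_of(attribute):
    """Return 'PUBLIC', 'SHARED:<account ids>' or None from a createVolumePermission attribute."""
    perms = attribute.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "PUBLIC"  # any AWS account can create a volume from this snapshot
    shared_with = sorted(p["UserId"] for p in perms if "UserId" in p)
    return "SHARED:" + ",".join(shared_with) if shared_with else None

def audit(identity, listing, permissions):
    """Map SnapshotId -> finding for every owned snapshot that is shared at all."""
    findings = {}
    for snap in owned_snapshots(identity, listing):
        verdict = sharing_of(permissions.get(snap["SnapshotId"], {}))
        if verdict:
            if not snap.get("Encrypted", False):
                verdict += " unencrypted"  # contents readable by anyone who attaches it
            findings[snap["SnapshotId"]] = verdict
    return findings

if __name__ == "__main__":
    for snapshot_id, finding in audit(CALLER_IDENTITY, SNAPSHOTS, PERMISSIONS).items():
        print(snapshot_id, finding)
```

To run it against a real account, save each CLI command's output to a file and `json.load` it in place of the constructed constants; a `PUBLIC` finding on a snapshot that contains a web server's root volume is the Level 4 weakness.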
Next, you'll need to log in to your own AWS account. Ensure that you have a user with administrative privileges for this step.
![[Screenshot 2023-07-21 at 2.51.36 PM.png]]
In addition, make sure to activate or create new access keys and add them to your machine. We covered this process in [[02 Flaws - Level 2 | Flaws - Level 2]], and you can review the access keys information there: [[02 Flaws - Level 2#Step 3 Create Access Keys | Create Access Keys]] & [[02 Flaws - Level 2#Step 4 Access Your Terminal & Make an AWS Profile Using `AWSCLI` | AWSCLI Setup]]
Now, let's create a new Amazon Elastic Block Store (EBS) volume from the snapshot using the following command. This creates the volume in the "us-west-2a" availability zone of the "us-west-2" region, populated with the data from snapshot "snap-0b49342abd1bdcb89":
```bash
aws --profile hck.flaws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
```
![[Screenshot 2023-07-21 at 3.10.20 PM.png]]
You should be able to see the newly created volume in your AWS Console > EC2:
![[Screenshot 2023-07-24 at 4.44.18 PM.png]]
Before proceeding, we'll need to create an EC2 instance to which we can attach the volume.
#### Create EC2 Instance
![[Screenshot 2023-07-24 at 4.54.59 PM.png]]
![[Screenshot 2023-07-24 at 4.56.12 PM.png]]
![[Screenshot 2023-07-24 at 4.57.37 PM.png]]
>**NOTE**
>The network default settings are fine.
Wait for the instance to show **2/2 Checks Passed**.
![[Screenshot 2023-07-24 at 5.05.51 PM.png]]
#### Attach The Volume
Back in the terminal, run the following command to attach the new volume to the instance as `/dev/sdf`:
```bash
aws --profile hck.flaws ec2 attach-volume --volume-id vol-01fff3ecc60f1cddd --instance-id i-0071cc0ed05a26f82 --device /dev/sdf --region us-west-2
```
![[Screenshot 2023-07-24 at 5.16.59 PM.png]]
Now that we've successfully created our EC2 instance and attached the volume to it, the next step is to access the instance.
#### Access The Instance
![[Screenshot 2023-07-24 at 5.27.41 PM.png]]
Great! Let's locate the volume.
```bash
lsblk
```
![[Screenshot 2023-07-24 at 5.29.03 PM.png]]
There it is! Now, we're going to mount the volume's first partition (`/dev/xvdf1`) at the mount directory `/mnt`.
```bash
sudo mount /dev/xvdf1 /mnt
```
![[Screenshot 2023-07-24 at 5.31.20 PM.png]]
Whew... almost there! Change directories to `/mnt`.
```bash
cd /mnt/
```
![[Screenshot 2023-07-24 at 5.33.59 PM.png]]
Whoa! A lot to enumerate! Let's start with the `home` directory.
![[Screenshot 2023-07-24 at 5.39.01 PM.png]]
Oh, we found something good! `.htpasswd` is the file Apache web servers use to store username and password entries for HTTP Basic authentication. When an Apache web server is configured to use HTTP Basic authentication, it requires users to provide valid credentials (username and password) before accessing the protected areas of a website or web application.
Copy and paste the credentials into a notepad. Navigate to the [flaws - Level 4 Site](http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/) and click the link at the bottom to open the webpage.
![[Screenshot 2023-07-24 at 5.47.07 PM.png]]
Nice! Here we go!
![[Pasted image 20230724174814.png]]
Yes!
![[Pasted image 20230724174848.png]]