05 Flaws - Level 5 - Seize The Shell

# FLAWS: Level 5 ![[Screenshot 2023-08-03 at 6.09.41 PM.png]] [Level 5](http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/) --- Congratulations on reaching flAWS Level 5! The Level 5 webpage provides a valuable hint, indicating the use of a proxy. A proxy acts as an intermediary between you and the internet. Whenever you request a webpage or any online content, the request first goes through the proxy, which then forwards it to the website or server on your behalf. Similarly, when the server responds, the response goes through the proxy before reaching you. This suggests that we might be able to access the EC2 Instance metadata through the proxy. Let's explore this further to advance in the challenge. Before we proceed further, let's talk about AWS EC2's Instance Metadata, which holds valuable information about an EC2 instance. There are two versions of the Instance Metadata Service: IMDSv1 and IMDSv2. As of now, IMDSv2 is the latest and more secure option. IMDSv2 requires a token and operates on a session-based mechanism, while IMDSv1 doesn't require any authentication. To access instance metadata, we'll use the special IP address *169.254.169.254*, known as an [APIPA](https://www.professormesser.com/network-plus/n10-006/apipa-2/) address. We'll attempt to retrieve the metadata using this IP address. #### Select The First Link: ![[Pasted image 20230804174004.png]] #### Add `169.254.169.254` To The End: ![[Pasted image 20230804174150.png]] Nice, it worked! Now, let's start pilfering! We'll start with the `latest` #### Add `latest`: ![[Pasted image 20230804174542.png]] Alright! We're getting closer. Let's continue and proceed with `meta-data` #### Add `meta-data`: ![[Pasted image 20230804174914.png]] Immediately, IAM catches my eye. AWS IAM (Identity and Access Management) is a crucial service for managing users, groups, and permissions in the AWS environment. Gaining access to valid Access Keys through IAM could potentially lead to a takeover party. #### Got 'em: ![[Pasted image 20230804175650.png]] Remember to copy this information to your notes. Now, let's head back to the terminal and input the Access Key, Secret Key, and the token we obtained. #### Input Keys Into `aws configure` ![[Pasted image 20230804181841.png]] But wait! We can't forget about the token! #### Copy The Token: ![[Screenshot 2023-08-05 at 9.36.24 AM.png]] #### Run The Command: ```bash nano ~/.aws/credentials ``` #### Add The Token: ![[Pasted image 20230805095008.png]] Now, let's put our newly found credentials to use and try accessing the Level 6 bucket mentioned on the flAWS Level 5 webpage. Remember, there might be a hidden directory within that bucket waiting for us to explore! #### Run The Command: ```bash aws --profile flaws5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud ``` #### Results: ![[Pasted image 20230805095836.png]] Interesting! Let's take it up a notch and try appending `ddcc78ff/` to the end of our command. #### Results: ![[Pasted image 20230805100336.png]] Hmmm...ok. Let's try appending it to the Level 6 URL in the browser. #### Add Directory To Level 6 URL in Browser: ![[Pasted image 20230805100716.png]] Done! Great job!