# FLAWS: Level 6

![[Pasted image 20230821150809.png]]

[Level 6](http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/)

---

Congratulations on reaching the final challenge! As you can see, we've been given access keys. Now, it's time to see what we can uncover! Open that terminal!

#### AWS CLI Configuration:

```bash
aws configure --profile flaws6
```

>**NOTE**:
>If you do not have the AWS CLI installed, you can install it by running the command:
>```bash
>apt install awscli
>```

#### Results

![[Pasted image 20230821152840.png]]

Let's attempt a `whoami` command to gather user information. There are two methods to achieve this, and I'll walk you through both.

#### First Method:

```bash
aws --profile flaws6 sts get-caller-identity
```

#### Results:

![[Pasted image 20230821153434.png]]

#### Second Method:

```bash
aws --profile flaws6 iam get-user
```

#### Results:

![[Pasted image 20230821153550.png]]

Whichever method you opt for, please remember to save the output as we might need it later.

Now, let's consider what we can do with this information. We have access keys and the username, so what's next? Begin by listing the available "list" options under IAM for the user.

#### List The List:

```bash
aws --profile flaws6 iam list-  # press Tab twice
```

#### Results:

![[Screenshot 2023-08-21 at 3.54.59 PM.png]]

Now, you could spend time going through all of these options. However, to keep this blog post concise and engaging, let's select a couple for now.

#### List Attached User Policies:

```bash
aws --profile flaws6 iam list-attached-user-policies --user-name Level6
```

#### Results:

![[Pasted image 20230821155818.png]]

#### List Attached Role Policies:

```bash
aws --profile flaws6 iam list-attached-role-policies --role-name Level6
```

#### Results:

![[Pasted image 20230821161110.png]]

Alright, we've located a couple of policies linked to the user and a role. The next step is to understand the specifics of these policies.
If you're not familiar with what an AWS Policy is, let me break it down for you. An AWS Policy is essentially a rulebook that instructs AWS on which actions are permitted or prohibited for various AWS resources. These policies are pivotal for controlling who can perform what tasks within an AWS account. In essence, they are the key to managing security and access control within your AWS environment.

Here's what we'll do: we'll extract the `PolicyArn` values from all three sets of outputs and use the `get-policy` subcommand to retrieve detailed information about these policies.

#### View Policies:

```bash
aws --profile flaws6 iam get-policy --policy-arn arn:aws:iam::[ADD ARN HERE]
```

#### Results:

![[Pasted image 20230821163821.png]]

After reviewing some of the data, it seems like the Lambda role is the next item we should investigate.

#### Lambda:

```bash
aws --profile flaws6 lambda list-functions
```

#### Results:

![[Pasted image 20230821164237.png]]

Okay, we've gathered some valuable information here. Let's continue with our enumeration.

#### Get The Policy Info:

```bash
aws --profile flaws6 lambda get-policy --function-name Level6
```

#### Results:

![[Pasted image 20230821171303.png]]

Not a very pretty output. Try this command:

```bash
aws --profile flaws6 lambda get-policy --function-name Level6 | sed 's,\\,,g' | sed 's/,/\n/g'
```

That should improve readability.

Okay. As we go through this policy, we can see an "Allow" statement. The "Principal" is the API Gateway, and we already know there's a policy attached to the user regarding an API Gateway. The "Action" specified is "InvokeFunction," and we also need to satisfy certain "Conditions" in order to make an API request. Let's take a closer look at the "Condition" in the policy to gain a better understanding. The source ARN in that condition contains the REST API ID, `s33ppypa75`, which we can pass to `get-stages`.

#### API Details:

```bash
aws --profile flaws6 apigateway get-stages --rest-api-id s33ppypa75
```

#### Results:

![[Pasted image 20230822120424.png]]

Great!
Now that we have the `StageName`, let's proceed by attempting to make a GET request. Also, if you're interested in the specifics of Amazon Resource Names (ARNs) for API Gateway resources, you can find more details in the following documentation: [AWS Gateway ARNs](https://docs.aws.amazon.com/apigateway/latest/developerguide/arn-format-reference.html)

Open your browser and input:

```
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
```

![[Pasted image 20230822121430.png]]

![[Screenshot 2023-08-22 at 12.14.46 PM.png]]

[Flaws - The End](http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/)

## 🎉 You did it! 🎉
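
The Lambda policy and stage lookup from this walkthrough can also be read programmatically instead of with `sed`, which is handy when auditing which API Gateway routes are allowed to invoke a function. The Python below is an added example, not part of the original post: the `get-policy` output is constructed, the account ID `111122223333` and the Sid are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws lambda get-policy` output. "Policy" is JSON
# inside JSON, hence the backslashes. Account ID and Sid are placeholders.
SOURCE_ARN = "arn:aws:execute-api:us-west-2:111122223333:s33ppypa75/*/GET/level6"
SAMPLE_OUTPUT = json.dumps({"RevisionId": "constructed", "Policy": json.dumps({
    "Statement": [{
        "Sid": "constructed-sid", "Effect": "Allow", "Action": "lambda:InvokeFunction",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Condition": {"ArnLike": {"AWS:SourceArn": SOURCE_ARN}},
    }],
})})

def parse_execute_api_arn(arn):
    """Split arn:partition:execute-api:region:account:api-id/stage/METHOD/path."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        return None  # ARN of some other service
    segs = parts[5].split("/", 3)
    segs += ["*"] * (4 - len(segs))  # short form such as api-id/*: rest is wildcard
    api_id, stage, method, path = segs
    return {"region": parts[3], "api_id": api_id, "stage": stage,
            "method": method, "path": "/" + path}

def invoke_grants(get_policy_output):
    """List who may invoke the function and from which API Gateway routes."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # decode twice
    grants = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "lambda:InvokeFunction" not in actions:
            continue
        routes = []
        for operator in stmt.get("Condition", {}).values():
            for key, value in operator.items():
                if key.lower() == "aws:sourcearn":  # condition keys ignore case
                    arns = [value] if isinstance(value, str) else value
                    routes += [r for r in map(parse_execute_api_arn, arns) if r]
        grants.append({"principal": stmt.get("Principal"), "routes": routes})
    return grants

def invoke_url(route, stage_name):
    """Build the public URL; the stage name comes from `apigateway get-stages`."""
    host = f"{route['api_id']}.execute-api.{route['region']}.amazonaws.com"
    return f"https://{host}/{stage_name}{route['path']}"

if __name__ == "__main__":
    print([invoke_url(r, "Prod") for g in invoke_grants(SAMPLE_OUTPUT) for r in g["routes"]])
```

With real output, pass the text printed by `aws --profile flaws6 lambda get-policy --function-name Level6` to `invoke_grants` in place of `SAMPLE_OUTPUT`.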