flAWS.cloud Walkthrough — Level 4 — EBS Snapshot Snarfing

Nick Doyle
5 min read · Jun 26, 2020

The second instalment in a multi-part series I’m doing on the AWS CTF flaws.cloud by Scott Piper.
Part 1 is here.

Level 4

Visiting that instance’s URL in a browser yields a basic auth challenge: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/

So we’re hunting for that snapshot. First, we need to find which region it’s in.
We can do so by checking the EC2 DNS entry:

I’ll just add to the end of my ~/.aws/credentials AWS_REGION=us-west-2
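As an added example (not code from the original post), the DNS check can be scripted: a forward lookup gives the instance's public IP, the reverse lookup gives the `ec2-…` PTR name AWS assigns to it, and the region is parsed out of that name. The function names `region_from_ptr` and `lookup_region`, and the hostnames and IP addresses in the block, are my own constructed placeholders; the block also handles the legacy `compute-1` PTR form that us-east-1 uses, which the post does not mention.

```python
import re
import socket
from typing import Optional, Tuple

# PTR names for EC2 public IPs look like
#   ec2-35-165-182-7.us-west-2.compute.amazonaws.com
# except in us-east-1, whose legacy form is
#   ec2-54-210-1-2.compute-1.amazonaws.com
# (both IPs above are constructed placeholders, not the CTF host).
_EC2_PTR = re.compile(
    r"^ec2-(?:\d{1,3}-){3}\d{1,3}\."
    r"(?:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+)\.compute|compute-1)"
    r"\.amazonaws\.com\.?$"
)


def region_from_ptr(ptr_name: str) -> Optional[str]:
    """Return the AWS region encoded in an EC2 PTR name, or None if it is not one."""
    m = _EC2_PTR.match(ptr_name.strip().lower())
    if not m:
        return None
    # No named region group means the 'compute-1' alternative matched: us-east-1.
    return m.group("region") or "us-east-1"


def lookup_region(hostname: str) -> Tuple[str, str, Optional[str]]:
    """Live version (needs network): resolve, reverse-resolve, then parse the region."""
    ip = socket.gethostbyname(hostname)
    ptr = socket.gethostbyaddr(ip)[0]
    return ip, ptr, region_from_ptr(ptr)


if __name__ == "__main__":
    # Offline demonstration on constructed PTR names.
    for name in (
        "ec2-35-165-182-7.us-west-2.compute.amazonaws.com",
        "ec2-54-210-1-2.compute-1.amazonaws.com",
        "ec2-3-10-1-2.eu-west-2.compute.amazonaws.com.",
        "example.com",
    ):
        print(f"{name:55s} -> {region_from_ptr(name)}")
```

Once the region is known it goes into the profile (or `--region` on the command line) so that the `describe-*` calls below query the right endpoint; a snapshot in us-west-2 is invisible to an API call made against any other region.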

Just for fun, we can also nmap that host:

And find FTP, SSH, and 554(?) open — this may come in handy.

Note SSH is most likely using this one key:

I then ran

aws --profile flaws ec2 describe-images

which took a VERY long time to execute, because it lists ALL images, not just those owned by my account.

Huh, that’s weird, no images

Then I noticed, perhaps I’m not looking for an AMI, but an EBS snapshot:

Voila

So, in our own account, launch an EC2 instance, and when it comes to Volumes, add a volume, and specify that SnapshotId.

Then we launch the instance and connect to it.
I did this via SSH, TBH, but the best way these days is SSM.
Mount the volume, and have a poke around:
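The snapshot is findable from a stranger's account only because its `createVolumePermission` attribute grants the group `all`. As an added example (not from the original post or the flaws.cloud project), this Python block is the check a defender runs against their own account: `find_public_snapshots` is a pure function over the two API response shapes (`DescribeSnapshots` and `DescribeSnapshotAttribute`), so it runs offline on the constructed sample data at the bottom, and `audit_account` is the live wrapper that fetches those responses with boto3. The function names, the `snap-…`/`vol-…` IDs and the account ID `111111111111` are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional


def find_public_snapshots(
    snapshots: Iterable[Dict], permissions: Dict[str, List[Dict]]
) -> List[Dict]:
    """Return the subset of `snapshots` whose createVolumePermission grants group 'all'.

    `snapshots` is the 'Snapshots' list from ec2:DescribeSnapshots.
    `permissions` maps SnapshotId -> the 'CreateVolumePermissions' list from
    ec2:DescribeSnapshotAttribute(Attribute='createVolumePermission').
    """
    exposed = []
    for snap in snapshots:
        perms = permissions.get(snap["SnapshotId"], [])
        if any(p.get("Group") == "all" for p in perms):
            exposed.append(
                {
                    "SnapshotId": snap["SnapshotId"],
                    "VolumeId": snap.get("VolumeId"),
                    "Encrypted": snap.get("Encrypted", False),
                    "Description": snap.get("Description", ""),
                    # Explicit account shares are not 'public', but worth reviewing too.
                    "SharedWithAccounts": sorted(p["UserId"] for p in perms if "UserId" in p),
                }
            )
    return exposed


def audit_account(region: str, profile: Optional[str] = None) -> List[Dict]:
    """Live version: fetch both responses with boto3 and run the check (needs credentials)."""
    import boto3  # imported here so the pure check above runs without boto3 installed

    ec2 = boto3.Session(profile_name=profile, region_name=region).client("ec2")
    snaps: List[Dict] = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])
    perms = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snaps
    }
    return find_public_snapshots(snaps, perms)


# Constructed sample data shaped like the two API responses (placeholder IDs).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0000000000000aaaa", "VolumeId": "vol-0000000000000aaaa",
     "Encrypted": False, "Description": "web server root"},
    {"SnapshotId": "snap-0000000000000bbbb", "VolumeId": "vol-0000000000000bbbb",
     "Encrypted": True, "Description": "db backup"},
    {"SnapshotId": "snap-0000000000000cccc", "VolumeId": "vol-0000000000000cccc",
     "Encrypted": False, "Description": "shared with one partner account"},
]
SAMPLE_PERMISSIONS = {
    "snap-0000000000000aaaa": [{"Group": "all"}],          # public: the Level 4 mistake
    "snap-0000000000000bbbb": [],                          # private
    "snap-0000000000000cccc": [{"UserId": "111111111111"}],  # shared, not public
}

if __name__ == "__main__":
    for item in find_public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS):
        print(f"PUBLIC {item['SnapshotId']} ({item['Description']})")
```

The same condition is what the AWS CLI's `describe-snapshots --restorable-by-user-ids all --owner-ids self` surfaces; the block above keeps the decision in a pure function so it can be unit-tested and dropped into a scheduled audit.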

You can see I got tripped up with the broken symlink from “sites-enabled”, but got there in the end.

So we do have the hashed password.
Which we could try cracking. It would take a while, especially since the password, as we find later, is “nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M” :)
If you’re curious, in python you can generate these hashes like so:

import passlib.hash  # pip install passlib
salt = "4ed/7TEL"  # the 8-character salt taken from the .htpasswd line
passwd = "nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M"
# apr_md5_crypt is the "$apr1$" scheme that htpasswd uses by default
print(passlib.hash.apr_md5_crypt.hash(passwd, salt=salt))

That’s how we get the line flaws:$apr1$4ed/7TEL$cJnixIRA6P4H8JDvKVMku0
in .htpasswd
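As an added example (not from the original post), here is the same `$apr1$` scheme implemented with nothing but `hashlib`, so the .htpasswd line can be regenerated and verified without installing passlib. The algorithm is the standard md5-crypt construction (1000 iterations over password, salt and the running digest, then a custom base64 of the final digest) with the `$apr1$` magic string instead of `$1$`; `apr1_crypt`, `parse_htpasswd_line` and `verify_htpasswd` are my own names. The verify path parses the salt out of the stored line and compares with `hmac.compare_digest`, which is how a checker should compare hashes.

```python
import hashlib
import hmac
from typing import Tuple

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str, magic: bytes = b"$apr1$") -> str:
    """md5-crypt with the Apache '$apr1$' magic; returns '$apr1$<salt>$<22 chars>'."""
    pw = password.encode()
    sl = salt.encode()[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    i = len(pw)
    while i > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, i)])
        i -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = b"".join(
        [
            _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
            _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
            _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
            _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
            _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
            _to64(final[11], 2),
        ]
    )
    return (magic + sl + b"$" + enc).decode()


def parse_htpasswd_line(line: str) -> Tuple[str, str]:
    """Split 'user:$apr1$salt$hash' into (user, stored_hash)."""
    user, stored = line.strip().split(":", 1)
    return user, stored


def verify_htpasswd(line: str, user: str, password: str) -> bool:
    """True if `password` matches the $apr1$ entry for `user` on this .htpasswd line."""
    entry_user, stored = parse_htpasswd_line(line)
    if entry_user != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


if __name__ == "__main__":
    # The line and password below are the ones recovered on the page.
    line = "flaws:$apr1$4ed/7TEL$cJnixIRA6P4H8JDvKVMku0"
    print(apr1_crypt("nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M", "4ed/7TEL"))
    print(verify_htpasswd(line, "flaws", "nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M"))
```

Running it reproduces the exact `.htpasswd` line from the snapshot, which is also why the 1000-round MD5 construction is no defence for a weak password: it is fast enough that anyone holding the file can try candidates at scale, and the only thing that protected this one was its length.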

Checking /home/ubuntu in the snapshot is interesting:

[root@ip-172-31-32-134 ubuntu]# more .bash_history
sudo apt-get install nginx
sudo apt-get install apache2-utils
htpasswd -c /etc/nginx/.htpasswd flaws
sudo htpasswd -c /etc/nginx/.htpasswd flaws
sudo vim /etc/nginx/sites-enabled/default
vim /var/www/html/index.html
sudo vim /var/www/html/index.html
sudo service nginx restart
cat ~/.bash_history
man htpasswd
sudo htpasswd -p /etc/nginx/.htpasswd flaws
sudo /etc/nginx/.htpasswd
sudo su -
pwd
ls -al
sudo chown ubuntu:ubuntu setupNginx.sh
ls -al
find . -mtime -1
find / -mtime -1
find / -mtime -1 | grep -v var
find / -mtime -1 | grep -v var | grep -v proc | less
find / -mtime -1 | grep -v var | grep -v proc | grep -v dev
find / -mtime -1 | grep -v var | grep -v proc | grep -v dev | less
find / -mtime -1 | grep -v var | grep -v proc | grep -v dev | grep -v sys | less
find / -mtime -1 | grep -v var | grep -v proc | grep -v dev | grep -v sys | grep -v run | less
find / -mtime -1 2&>/dev/null | grep -v var | grep -v proc | grep -v dev | grep -v sys | grep -v run | less
find / -mtime -1 2&>/dev/null
find / -mtime -1
find / -mtime -1 2>/dev/null
find / -mtime -1 2>/dev/null | grep -v var | grep -v proc | grep -v dev | grep -v sys | grep -v run | less
find / -mtime -1 2>/dev/null | grep -v "^/var" | grep -v proc | grep -v dev | grep -v sys | grep -v run | less
find / -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/"
find / -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | wc
find / -type f -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | wc
find / -type f -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | less
pwd
cat setupNginx.sh
curl 169.254.169.254
curl http://169.254.169.254/latest/meta-data
wget http://169.254.169.254/latest/meta-data
cat meta-data
curl -XGET http://169.254.169.254/latest/meta-data
wget http://169.254.169.254/latest/meta-data/iam
cat iam
wget http://169.254.169.254/latest/meta-data/iam/info
cat info
rm info iam
ls
cat meta-data
curl http://169.254.169.254/latest/meta-data/iam/info
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/profile/
curl http://169.254.169.254/latest/meta-data/profile
curl http://169.254.169.254/latest/user-data
curl http://169.254.169.254/iam/security-credentials/flaws
curl http://169.254.169.254/iam/security-credentials
curl http://169.254.169.254/iam/security-credentials/flaws/
curl http://169.254.169.254/iam/
wget http://169.254.169.254/iam/security-credentials/flaws
curl http://169.254.169.254/meta-data/iam/security-credentials/flaws
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws
curl http://169.254.169.254/latest/meta-data/iam/security-credentials
sudo su -
su -
sudo su-
sudo su -
sudo su -
cd /var/www/html/
ls
vim index.html
cat index.html
vim index.html
sudo vim index.html
cd /var/www/html/
ls
cat index.html
cat hint.txt
cat hint2.txt
cat hint3.txt
ls
rm hint*
sudo rm hint* -f
ls

I bet setupNginx.sh is interesting …

[root@ip-172-31-32-134 ubuntu]# ll
total 8
-rw-rw-r-- 1 ec2-user ec2-user 268 Feb 12 2017 meta-data
-rw-r--r-- 1 ec2-user ec2-user 72 Feb 13 2017 setupNginx.sh
[root@ip-172-31-32-134 ubuntu]# cat setupNginx.sh
htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
[root@ip-172-31-32-134 ubuntu]#

And there we have the password “nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M”. Sure enough, using this for the web auth works:

Additionally — without obtaining that password, we can just retrieve the URL for the next level from the index.html in the image:

[root@ip-172-31-32-134 ubuntu]# cat /mnt/xvdb1/var/www/html/index.html
<html>
<head>
<title>flAWS</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<style>
body { font-family: Andale Mono, monospace; }
</style>
</head>
<body
text="#00d000"
bgcolor="#000000"
style="max-width:800px; margin-left:auto ;margin-right:auto"
vlink="#00ff00" link="#00ff00">
<center>
<pre>
_____ _ ____ __ __ _____
| || | / || |__| |/ ___/
| __|| | | o || | | ( \_
| |_ | |___ | || | | |\__ |
| _] | || _ || ` ' |/ \ |
| | | || | | \ / \ |
|__| |_____||__|__| \_/\_/ \___|
</pre>
<h1>flAWS - Level 5</h1>
</center>
Good work getting in. This level is described at <a href="http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/">http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/</a>

Hoorah!


Nick Doyle

Cloud-Security-Agile, in Melbourne Australia, experience includes writing profanity-laced Perl, surprise Migrations, furious DB Admin and Motorcycle instructing