flAWS.cloud Walkthrough — Level 6 — Read-Only Recon of API Gateway and Lambda — Finale

Nick Doyle
Jun 26, 2020

http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

I’ll try to find out more about these creds I’ve been given:

~/w/3/flaws.cloud > aws --profile flaws6 sts get-caller-identity
{
    "UserId": "AIDAIRMDOSCWGLCDWOG6A",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/Level6"
}
~/w/3/flaws.cloud > aws --profile flaws6 iam list-user-policies --user-name Level6
{
    "PolicyNames": []
}
~/w/3/flaws.cloud > aws --profile flaws6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        }
    ]
}
~/w/3/flaws.cloud > aws --profile flaws6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
    "Policy": {
        "PolicyName": "list_apigateways",
        "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
        "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
        "Path": "/",
        "DefaultVersionId": "v4",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "List apigateways",
        "CreateDate": "2017-02-20T01:45:17+00:00",
        "UpdateDate": "2017-02-20T01:48:17+00:00"
    }
}
~/w/3/flaws.cloud > aws --profile flaws6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit
{
    "Policy": {
        "PolicyName": "MySecurityAudit",
        "PolicyId": "ANPAJCK5AS3ZZEILYYVC6",
        "Arn": "arn:aws:iam::975426262029:policy/MySecurityAudit",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Most of the security audit capabilities",
        "CreateDate": "2019-03-03T16:42:45+00:00",
        "UpdateDate": "2019-03-03T16:42:45+00:00"
    }
}

So it’s an IAM user with no inline policies, but 2 attached policies.
We can get the details of a policy with get-policy-version, passing the DefaultVersionId reported by get-policy above:

~/w/3/flaws.cloud > aws --profile flaws6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": true,
        "CreateDate": "2017-02-20T01:48:17+00:00"
    }
}

I have to admit — it’s at this point I needed to resort to the hints to continue :)

To summarize — the next steps are:

  1. List lambdas in the account:
    aws lambda list-functions
  2. Get the policy for the one lambda (using the function name returned by list-functions):
    aws lambda get-policy --function-name <function-name>
    This reveals the API Gateway ID is s33ppypa75
  3. Get stages of the API Gateway:
    aws apigateway get-stages --rest-api-id s33ppypa75

With these details, we can construct a URL of the form

https://<rest-api-id>.execute-api.<region>.amazonaws.com/<stage-name>/<resource>

Which becomes:

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

Visiting this URL returns

"Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"
Victory!

And success!
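
The three steps above, as an added example (not code from the original post): it decodes a Lambda resource policy in the shape get-policy returns, pulls the API Gateway source ARN out of the statement condition, and expands it against the deployed stages. This is the inventory an account owner can run to see which functions a read-only principal can map to invoke URLs. The sample inputs are constructed; the function name and Sid are placeholders.

```python
import json
import re

# Constructed sample shaped like `aws lambda get-policy` output; function name
# and Sid are made up, account/region/API ID/resource are the page's values.
SAMPLE_GET_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "constructed-sid",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-west-2:975426262029:function:example-function",
        "Condition": {"ArnLike": {"AWS:SourceArn":
            "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
    }],
})})
# Constructed sample shaped like `aws apigateway get-stages` output.
SAMPLE_GET_STAGES = json.dumps({"item": [{"stageName": "Prod"}]})

EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):[^:]*:"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<resource>.+)$")

def api_gateway_sources(get_policy_json):
    """Return the parsed execute-api source ARNs allowed to invoke the function."""
    policy = json.loads(json.loads(get_policy_json)["Policy"])  # decode twice
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for operator in stmt.get("Condition", {}).values():
            for key, value in operator.items():
                arns = [value] if isinstance(value, str) else value
                if key.lower() == "aws:sourcearn":
                    found += [m.groupdict() for m in map(EXECUTE_API_ARN.match, arns) if m]
    return found

def invoke_urls(get_policy_json, get_stages_json):
    """Expand each source ARN into (method, URL) pairs, one per deployed stage."""
    deployed = [s["stageName"] for s in json.loads(get_stages_json)["item"]]
    urls = []
    for src in api_gateway_sources(get_policy_json):
        stages = deployed if src["stage"] == "*" else [src["stage"]]
        for stage in stages:
            urls.append((src["method"], "https://%s.execute-api.%s.amazonaws.com/%s/%s"
                         % (src["api_id"], src["region"], stage, src["resource"])))
    return urls

print(invoke_urls(SAMPLE_GET_POLICY, SAMPLE_GET_STAGES))
```

A statement with no SourceArn condition yields no entry, so an empty result means the policy names no API Gateway source, not that the function is unreachable by other means.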

I hope you enjoyed following along. flAWS.cloud is pretty old now, but it’s quite fun and I still highly recommend it. Stay tuned, as I plan on soon doing the sequel, http://flaws2.cloud/

Until next time!

This was the final part of my 4-part walkthrough of flaws.cloud.
