Cloud Hacking: flAWS2 — Lv. 1
In the first level of flAWS2, we’re faced with the challenge of entering a 100-digit PIN. However, from a practical standpoint, it doesn’t make much sense to go through that ordeal. So, I decided to dig deeper and understand how the code works when it’s submitted.
Upon inspecting the webpage, I noticed that when we type anything into the “code” field and hit “submit,” the data gets sent to an AWS Lambda function through the Amazon API Gateway at this address: [https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1].
However, before sending the data to the Lambda function, a check is performed to see if it’s a number or not. If it’s not a number, a pop-up appears in the client’s browser, and the data doesn’t reach the Lambda function.
In such cases, we don’t observe any new requests being made.
On the other hand, when we input numbers, a request is indeed sent: [https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1234].
AND, if we follow that URL, it redirects permanently (with a status code of 301) to [http://level1.flaws2.cloud/index.htm?incorrect].
However, when I attempted to remove the numbers from the URL, something intriguing happened. Lo and behold, I stumbled upon access_key, secret_key, and session_token.
If you don’t have a “~/.aws/credentials” file yet, you can create one by using the ‘aws configure’ command.
Now, it’s time to delve into what lies within the bucket.
— profile flaws_1
In this context specifies the AWS CLI profile to use.
aws s3 ls
Signifies that it will list the objects (files) in the specified S3 bucket or directory.
s3://level1.flaws2.cloud
Indicates the S3 bucket or directory path we want to list.
Upon inspection, there’s a secret HTML file hidden there. Let’s take a look!
And voilà, we’ve uncovered the link to the next level (level 2).
So, what lessons have we learned from this adventure?
- Lambda’s IAM roles should strictly adhere to the “least privilege” principle.
- Avoid any exposure of Lambda’s IAM credentials through environment variables, even during debugging.
- Make it a practice to consistently validate user input on the client side.
- Approach Lambda’s handling of user input with the same care and scrutiny as you would for any other website or web API; validate input and exercise caution.