Cloud Hacking: flAWS2 — Lv. 1

Hasbi Ash
The Constellar Digital&Technology Blog
3 min read · Dec 19, 2023

In the first level of flAWS2, we’re faced with the challenge of entering a 100-digit PIN. However, from a practical standpoint, it doesn’t make much sense to go through that ordeal. So, I decided to dig deeper and understand how the code works when it’s submitted.

img_1

Upon inspecting the webpage, I noticed that when we type anything into the “code” field and hit “submit,” the data gets sent to an AWS Lambda function through the Amazon API Gateway at this address: [https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1].

img_2

However, before the data is sent to the Lambda function, a client-side check is performed to see whether the input is a number. If it is not, a pop-up appears in the browser and the data never reaches the Lambda function.

img_3

In such cases, we don’t observe any new requests being made.

img_4

On the other hand, when we input numbers, a request is indeed sent: [https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=1234].

And if we follow that URL, it redirects permanently (with a status code of 301) to [http://level1.flaws2.cloud/index.htm?incorrect].

img_5

However, when I attempted to remove the numbers from the URL, something intriguing happened. Lo and behold, I stumbled upon access_key, secret_key, and session_token.

If you don’t have a “~/.aws/credentials” file yet, you can create one by using the ‘aws configure’ command.

img_6

Now, it’s time to delve into what lies within the bucket:

  aws --profile flaws_1 s3 ls s3://level1.flaws2.cloud

  • --profile flaws_1: specifies the AWS CLI profile to use.
  • aws s3 ls: lists the objects (files) in the specified S3 bucket or directory.
  • s3://level1.flaws2.cloud: the S3 bucket or directory path we want to list.

Upon inspection, there’s a secret HTML file hidden there. Let’s take a look!

img_7

And voilà, we’ve uncovered the link to the next level (level 2).

img_8

So, what lessons have we learned from this adventure?

  • Lambda’s IAM roles should strictly adhere to the “least privilege” principle.
  • Avoid any exposure of Lambda’s IAM credentials through environment variables, even during debugging.
  • Make it a practice to consistently validate user input on the client side.
  • Approach Lambda’s handling of user input with the same care and scrutiny as you would for any other website or web API; validate input and exercise caution.
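The two validation lessons in concrete form, as an added example (my own code, not the challenge's function or the post's own code): the client-side digit check described above was bypassed simply by requesting the API Gateway URL directly, so the Lambda has to repeat the check itself, and its error path must never serialize the environment, where Lambda keeps the execution role's temporary credentials under AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. `leaky_handler` is an illustration of that anti-pattern, not the challenge's actual code; the event shape is API Gateway's proxy-integration format, `SAMPLE_ENV` holds constructed placeholder values, and the 100-digit limit and redirect target are taken from the post.

```python
"""Added example: a PIN-check Lambda handler that re-validates on the server
and never leaks its environment, beside the leaky pattern the lessons warn about."""
import json
import os

# Where the challenge's API redirects after a wrong numeric PIN (from the post).
REDIRECT_URL = "http://level1.flaws2.cloud/index.htm?incorrect"

# Variable names under which Lambda injects the execution role's credentials.
CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed stand-in for a function's environment; every value is a placeholder.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "ASIA-PLACEHOLDER-KEY-ID",
    "AWS_SECRET_ACCESS_KEY": "placeholder-secret-key",
    "AWS_SESSION_TOKEN": "placeholder-session-token",
    "AWS_REGION": "us-east-1",
}


def _code_from(event):
    """Pull ?code=... out of an API Gateway proxy event (None when absent)."""
    return (event.get("queryStringParameters") or {}).get("code")


def leaky_handler(event, env):
    """Anti-pattern: a 'debugging' error path that serializes the whole
    environment, role credentials included, into the error response."""
    code = _code_from(event)
    try:
        if code is None or not code.isdigit():
            raise ValueError("code must be numeric")
        return {"statusCode": 301, "headers": {"Location": REDIRECT_URL}, "body": ""}
    except ValueError as exc:
        # Dumping env here is exactly how role credentials end up in a browser.
        return {"statusCode": 500,
                "body": json.dumps({"error": str(exc), "env": dict(env)})}


def hardened_handler(event, env):
    """Server-side repeat of the client's rule (ASCII digits, at most 100 of
    them); the error is generic and the environment is never part of a response.
    `env` is accepted only so both handlers share a signature; it is unused."""
    code = _code_from(event)
    if (not isinstance(code, str) or not code.isascii()
            or not code.isdigit() or len(code) > 100):
        return {"statusCode": 400,
                "headers": {"Content-Type": "application/json"},
                "body": json.dumps({"error": "code must be a numeric string"})}
    return {"statusCode": 301, "headers": {"Location": REDIRECT_URL}, "body": ""}


def leaks_credentials(response, env):
    """Reviewer's check: does any credential value from env appear anywhere in
    the serialized response?"""
    blob = json.dumps(response)
    return any(env[name] in blob for name in CREDENTIAL_VARS if name in env)


def lambda_handler(event, context=None):
    """Entry point for a deployed function: same logic against the real env."""
    return hardened_handler(event, os.environ)


if __name__ == "__main__":
    # Walk both handlers through a missing code, a non-numeric code and a PIN.
    for query in (None, {"code": "abc"}, {"code": "1234"}):
        event = {"queryStringParameters": query}
        for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
            resp = handler(event, SAMPLE_ENV)
            print(f"{name:8} query={query!r:18} -> {resp['statusCode']} "
                  f"leaks credentials: {leaks_credentials(resp, SAMPLE_ENV)}")
```

Run it directly to see the contrast: for a missing or non-numeric `code`, the leaky handler returns a 500 whose body contains every credential value, while the hardened handler returns a 400 containing none of them; for a numeric PIN both answer with the same 301 redirect, so the fix costs nothing in behaviour.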
