Cloud Hacking: flAWS2 — Lv.3

Hasbi Ash
The Constellar Digital&Technology Blog
Dec 19, 2023
img_1

Now that we’ve reached level 3, let’s delve into this.

In URLs, the part that precedes the “://” is known as the scheme or protocol. It specifies how the resource at the given URL should be accessed. There are several schemes available for use in URLs, depending on the intended type of resource or communication. These include http://, ftp://, smtp://, file://, ldap://, and more.

img_2

I’ve experimented with these schemes, but my interest lies in the scheme that follows “/proxy/”. I’m curious about how it operates. What we do know is that (1) it failed to load the logo.png, and (2) the server is using Ubuntu.

Since we’ve identified that it’s running on Ubuntu, we need a way to read the settings of the specific program that is currently serving our requests.

img_3

I thought we could utilize the file:// scheme to access its configuration via ‘/proc/self/environ’. This is a special file in the Linux operating system that provides information about the environment variables for the current process.

And there you have it; we’ve made some progress. I believe we can access their internal resources by proxying the ECS_CONTAINER_METADATA_URI address as well as the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI to the URL using the http:// scheme. Let’s try this out.

img_4

Ah, look at that! We’ve obtained access_key, secret_key, and session_token.

img_5

We can enhance the presentation using jq.

img_6

After inputting the information into the ~/.aws/credentials file for the flaws_3 profile and testing it, we confirm its accuracy. The account ID matches the previous one.

img_7

Let’s take a look at the objects (files and folders) in the S3 bucket for that profile. And there you have it — a link to the end of the challenge.

Congratulations!

img_8

So, what have we learned?

  • Exploiting a security weakness in ECS (Elastic Container Service) could allow someone to take control of IAM (Identity and Access Management) roles or obtain access credentials.
  • ECS has sensitive settings and a metadata service that, if mishandled, can also lead to unauthorized access to IAM roles or credentials.
  • It’s important to ensure that ECS IAM roles are set up with the least amount of access necessary, just like you would with any other security precaution.
