The IP address resolves to a domain. Add the domain in the
Now, we get the following page.
Viewing the source, the image source is AWS S3 bucket.
Upon checking, this bucket is misconfigured and accessible publicly. We can see its content.
We can download the files from the bucket and get the flag.
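The bucket in this step was readable by anyone, which is a policy or ACL problem rather than a code bug. The following audit script is an added example, not part of the writeup or the challenge, that parses a bucket policy document and flags Allow statements granting read or list access to the wildcard principal. The policy document, bucket name and account id in it are constructed for illustration.

```python
"""Flag S3 bucket policy statements that grant read access to everyone.

Added example (not from the writeup): an offline audit of a bucket policy
document that catches the public-read misconfiguration this challenge
bucket had.  The sample policy below is constructed.
"""
import json

# Actions that let an anonymous caller enumerate or fetch objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_read_statements(policy_json):
    """Return the Allow statements that grant read actions to '*'.

    A statement with a Condition block is still reported, but marked, so a
    reviewer can judge whether the condition really narrows the grant.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        granted = actions & READ_ACTIONS
        if not granted:
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "actions": sorted(granted),
            "conditional": "Condition" in stmt,
        })
    return findings


# Constructed sample: one scoped statement and two public ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

if __name__ == "__main__":
    for finding in find_public_read_statements(SAMPLE_POLICY):
        print(finding)
```

Running it against the sample reports PublicList and PublicGet and leaves the role-scoped statement alone. In a real account, enabling S3 Block Public Access at the account level stops such statements from taking effect regardless of what a bucket policy says.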
Visiting the website, there’s a status page.
Clicking on "check status" sends a domain name in the name parameter and shows the status of that domain.
If this is vulnerable to SSRF, we can get the AWS secrets from the Instance Metadata Service, which runs on 169.254.169.254 (also called the magic IP). In this challenge, we get the secrets from the following path:
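The status page fetched whatever host it was given, which is what let the request reach the metadata service. The validator below is an added example, not code from the writeup or the challenge, showing how the name parameter could be checked before the server makes any connection: it resolves the name and refuses any result that is link-local (169.254.0.0/16 included), private, loopback, multicast or reserved. The resolver is injectable so the check can run offline; the hostnames and addresses in the fake table are constructed.

```python
"""Refuse status-check targets that point at internal or link-local addresses.

Added example (not from the writeup): validation for a user-supplied host
name before a server-side fetch, so a request aimed at 169.254.169.254 is
rejected.  The resolver is injectable; the default uses socket.getaddrinfo.
The FAKE_DNS table below is constructed.
"""
import ipaddress
import socket


def default_resolver(hostname):
    """Resolve a hostname to the set of addresses it currently points to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def _is_forbidden(ip):
    """True for any address a server-side fetch should never reach."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_target(name, resolver=default_resolver):
    """Return (ok, reason) for a user-supplied host name or IP literal.

    Every address the name resolves to must be public.  The caller should
    connect to one of the addresses checked here rather than resolving the
    name again, which closes the DNS-rebinding gap between check and use.
    """
    name = name.strip().rstrip(".")
    if not name:
        return False, "empty name"
    # An IP literal (including IPv4-mapped IPv6) skips DNS entirely.
    try:
        addrs = {str(ipaddress.ip_address(name))}
    except ValueError:
        try:
            addrs = resolver(name)
        except (socket.gaierror, OSError):
            return False, "name does not resolve"
    if not addrs:
        return False, "name does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if _is_forbidden(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver table standing in for DNS during offline use.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "rebind.test": {"169.254.169.254"},            # alias for the metadata IP
    "mixed.test": {"93.184.216.34", "10.0.0.5"},   # one public, one private
}


def fake_resolver(hostname):
    """Stand-in for default_resolver that never touches the network."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for target in ["example.com", "rebind.test", "169.254.169.254",
                   "::ffff:169.254.169.254", "mixed.test", "127.0.0.1"]:
        print(target, is_safe_target(target, fake_resolver))
```

Input validation is only one layer: the instance itself should require IMDSv2 (session tokens with a hop limit of 1), which blocks a plain GET relayed through a web application from reaching the credentials endpoint, and the instance role should carry only the permissions the application needs.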
Now, let's configure an AWS profile with the secrets we found.
We also need to provide the session token, which we can set by manually editing the AWS credentials file at path
Looking at the privileges, we have assumed the role MetapwnedS3Access.
As the role name suggests, we can now access the whole S3 bucket, whereas previously we could not access the backup folder.
Let's download the backup folder and get our second flag. As a bonus, we also get the sensitive credit card details XX.