Metapwned — Cloud Security Challenges
These fun challenges are created and hosted by Ian Austin. You can provide your feedback on their LinkedIn.
Challenge 1
Solution
The IP address resolves to a domain. Add the domain to the /etc/hosts file.
Now, we get the following page.
Viewing the page source shows that the image is served from an AWS S3 bucket.
Upon checking, this bucket is misconfigured and publicly accessible, so we can see its contents.
We can download the files from the bucket and get the flag.
Challenge 2
Solution
Visiting the website, there’s a status page.
Clicking on check status sends a domain name in the name parameter, and the page shows the status of that domain.
If this is vulnerable to SSRF, we can get the AWS secrets from the Instance Metadata Service, which runs on 169.254.169.254 (also called the magic IP). In this challenge, we get the secrets from the following path:
http://hugelogistics.pwn/status/status.php?name=169.254.169.254/latest/meta-data/iam/security-credentials/MetapwnedS3Access
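On the defensive side, the status checker should validate where the name parameter actually points before making any request. The following is an added example, not code from the challenge or its author: check_target, both resolver functions and the SAMPLE_DNS names and addresses are hypothetical, constructed so the check runs offline.

```python
import ipaddress
import re
import socket

# One DNS label: letters, digits, hyphens. No slash, colon, "@" or whitespace.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

# Constructed sample data (not from the challenge) so the example runs offline.
SAMPLE_DNS = {
    "status.example.org": ["8.8.8.8"],
    "internal.example.org": ["10.0.0.5"],
    "mixed.example.org": ["8.8.8.8", "::ffff:169.254.169.254"],
}

def sample_resolver(host):
    """Offline stand-in for DNS: IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in SAMPLE_DNS:
            raise socket.gaierror("name not known")
        return SAMPLE_DNS[host]

def system_resolver(host):
    """Real lookup: every IPv4/IPv6 address the name resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_target(name, resolver=system_resolver):
    """Return (allowed, reason, addresses) for a user-supplied `name` value."""
    if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
        return False, "not a bare hostname", []
    try:
        addresses = resolver(name)
    except OSError:
        addresses = []
    if not addresses:
        return False, "does not resolve", []
    for text in addresses:  # every answer must be public, not just the first
        ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # judge ::ffff:a.b.c.d as IPv4
        if not ip.is_global:
            return False, f"{ip} is not a public address", addresses
    return True, "ok", addresses
```

The caller should connect to one of the returned addresses rather than resolving the name a second time, so the address that was validated is the address that is contacted.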
Now, let's configure an AWS profile with the secrets we found.
We also need to provide the token, which we can set by manually editing the AWS credentials file at ~/.aws/credentials.
Looking at the privileges, we have assumed the MetapwnedS3Access role.
As the role name suggests, we can now access the whole S3 bucket, including the backup folder that we could not access previously.
Let’s download the backup folder and get our second flag. As a bonus, we also get the sensitive credit card details XX.
Thanks.