Metapwned — Cloud Security Challenges

Abdul Wassay (Hot Plugin)
Jun 9, 2023


These fun challenges were created and are hosted by Ian Austin. You can give your feedback on their LinkedIn.

Challenge 1

Solution

The IP address resolves to a domain. Add the domain to the /etc/hosts file.

Now, we get the following page.

Viewing the page source, the image is served from an AWS S3 bucket.

Upon checking, this bucket is misconfigured and publicly accessible. We can see its contents.

We can download the files from the bucket and get the flag.

Challenge 2

Solution

Visiting the website, there’s a status page.

Clicking on check status sends a domain name in the name parameter, and the page shows the status of that domain.

If this is vulnerable to SSRF, we can get the AWS secrets from the Instance Metadata Service, which runs on 169.254.169.254 (also called the magic IP). In this challenge, we get the secrets from the following path:

http://hugelogistics.pwn/status/status.php?name=169.254.169.254/latest/meta-data/iam/security-credentials/MetapwnedS3Access

Now, let's configure an AWS profile with the secrets we found.

We also need to provide the token, which we can set by manually editing the AWS credentials file at ~/.aws/credentials.

Looking at the privileges, we have assumed the MetapwnedS3Access role.

As the role name suggests, we can now access the whole S3 bucket, including the backup folder that we could not access before.

Let’s download the backup folder and get our second flag. As a bonus, we also get the sensitive credit card details XX.
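A server-side check that would refuse the request used in Challenge 2, as an added example that is not part of the original write-up or the challenge's code: before fetching, it resolves the host in the name parameter and rejects any non-public address. It is a Python sketch (the challenge page is PHP), and `is_safe_target` and `resolve_all` are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Return every address the host maps to; IP literals skip DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None)
        return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_safe_target(name, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied `name` value.

    Non-public targets are refused: the metadata service at 169.254.169.254
    (link-local), loopback and the private ranges.
    """
    # The parameter on the page carries host and path without a scheme,
    # so add one before parsing to get a reliable hostname.
    try:
        parts = urlsplit(name if "://" in name else "http://" + name)
    except ValueError:
        return False, "malformed target"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addresses = resolver(parts.hostname)
    except (OSError, ValueError):
        addresses = []
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as IPv4.
        mapped = getattr(addr, "ipv4_mapped", None)
        addr = mapped if mapped is not None else addr
        # Every record must be public: one internal answer is enough to refuse.
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the first host is the one shown in the write-up.
    for sample in ("169.254.169.254/latest/meta-data/", "127.0.0.1/", "file:///etc/passwd"):
        print(sample, "->", is_safe_target(sample))
```

The fetch itself should connect to the address that was validated rather than resolving the name a second time. Requiring IMDSv2 on the instance, where metadata reads need a session token obtained with a PUT request, adds a second layer against this class of request.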

Thanks.
