Level 4
A CTF walkthrough for level 4 of Flaws.Cloud
Discovering a Public EC2 Snapshot
In the previous level, we identified the entry point for Level 4 as 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud. Upon navigating to this site, we're prompted for a login.
The previous level also hinted "It'll be useful to know that a snapshot was made of that EC2 shortly after nginx was setup on it."
Our cloudfox results didn't contain any info about EC2 snapshots (a reason why we shouldn't rely solely on tools) but we can check ourselves, assuming we have permission to do so as the backup user.
Nice! This is a public snapshot meaning we can load this up in our AWS account and enumerate it.
Enumerating a Public EC2 Snapshot
Creating a Volume from Snapshot
We can quickly create an EC2 Volume from this Snapshot with the following command (or this can be done in the AWS console).
Creating an EC2 and Attaching the Volume
Afterwards, we need to spin up an EC2 instance and attach this volume to it. Make sure your instance is in the same availability zone as this volume. In this case, us-west-2a. Also, take note of the "device name".
Mounting the Volume
Connect to your new instance (SSH, SSM, EC2 Instance Connect, etc.).
We need to mount our volume. Let's search for it.
As you can see, /dev/sdb isn't shown here. The previous screenshot from the console discusses how "newer linux kernels may rename your devices". Not to worry, we can confirm the right disk with this command.
Alright, so we need to mount xvdb and then we can navigate into it.
Enumerating the Volume
Eventually, I discovered credentials for the webserver.
Let's see if they're still active! We need to navigate back to the website at http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/ and attempt to login.
Gaining Access to the Server
We're successful and we find the entry point for Level 5!
Wrap-Up
In Level 4, we discovered a public EC2 snapshot in the account. After creating a volume from this in our account, we attached it to our EC2, enumerated the volume, and discovered credentials for the server. Using these credentials we successfully logged in and discovered Level 5's entry point.
It's important to ensure snapshots are not made public unless there is an intended reason to do so. Additionally, these snapshots shouldn't have sensitive data on them such as credentials since anyone in the world can access public snapshots.
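To check your own account for the exposure described above, the following added example (not part of the original walkthrough) classifies the createVolumePermission settings of your snapshots. The snapshot IDs, account IDs and the TRUSTED_ACCOUNTS allowlist are constructed for illustration; real input would come from aws ec2 describe-snapshot-attribute.

```python
import json

# Constructed sample data: each entry mimics the JSON printed by
#   aws ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
# Snapshot and account IDs below are made up for this example.
SAMPLE_RESPONSES = """
[
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "CreateVolumePermissions": [{"Group": "all"}]},
  {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
  {"SnapshotId": "snap-0ccccccccccccccc3", "CreateVolumePermissions": [{"UserId": "999999999999"}]},
  {"SnapshotId": "snap-0ddddddddddddddd4", "CreateVolumePermissions": []}
]
"""

# Hypothetical allowlist: accounts we intentionally share snapshots with.
TRUSTED_ACCOUNTS = {"111111111111"}


def classify(response, trusted=TRUSTED_ACCOUNTS):
    """Return (status, detail) for one describe-snapshot-attribute response."""
    perms = response.get("CreateVolumePermissions", [])
    # {"Group": "all"} means any AWS account can create a volume from it.
    if any(p.get("Group") == "all" for p in perms):
        return "PUBLIC", "restorable by every AWS account"
    outsiders = sorted(p["UserId"] for p in perms
                       if "UserId" in p and p["UserId"] not in trusted)
    if outsiders:
        return "SHARED_UNTRUSTED", "shared with " + ", ".join(outsiders)
    return "OK", "private or shared only with trusted accounts"


def audit(responses, trusted=TRUSTED_ACCOUNTS):
    """Map snapshot ID -> (status, detail) for every non-OK snapshot."""
    findings = {}
    for r in responses:
        status, detail = classify(r, trusted)
        if status != "OK":
            findings[r["SnapshotId"]] = (status, detail)
    return findings


if __name__ == "__main__":
    for snap_id, (status, detail) in audit(json.loads(SAMPLE_RESPONSES)).items():
        print(f"{status:17} {snap_id}  {detail}")
        if status == "PUBLIC":
            # Remediation: drop the public createVolumePermission.
            print(f"  fix: aws ec2 modify-snapshot-attribute --snapshot-id {snap_id}"
                  " --attribute createVolumePermission --operation-type remove --group-names all")
```

To prevent new public shares at the account level, aws ec2 enable-snapshot-block-public-access --state block-all-sharing blocks public sharing of snapshots in the current region.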