Pulled from the sky
Whilst on the AWS Console, let's use the console user interface to enumerate.
We identified that there are 2 EC2 instances running:
admin 54.211.110.193
web-prod 44.208.228.94
As we do not have access to the EC2 machine via SSM, the second-best option is to look into the snapshot to see if there are any sensitive files inside.
First, let's configure the credentials we got from the previous flag and verify that they are working properly.
Next, referring to the HackTricks and RhinoSecurityLabs articles, we will be dumping the snapshot. For the exact instructions on installing and utilizing dsnap, please refer to the article.
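For the defending side, a snapshot dump of this kind can show up in CloudTrail. The following is an added example, not part of the original writeup: it groups snapshot block reads by caller and snapshot, assuming the dump goes through the EBS direct APIs (`ebs.amazonaws.com`) and that the trail has data event logging for them enabled. The account ID, ARNs, snapshot IDs, IP address and the allowlisted `backup-service` role are constructed for illustration.

```python
import json
from collections import defaultdict

# EBS direct API calls that read snapshot contents.
READ_CALLS = {"ListSnapshotBlocks", "ListChangedBlocks", "GetSnapshotBlock"}
# Hypothetical allowlist: roles that are expected to read snapshot blocks.
ALLOWED = {"arn:aws:iam::111122223333:role/backup-service"}

# Constructed CloudTrail records (one JSON object per line), trimmed to the fields used.
SAMPLE = """\
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSnapshots","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/haru"}}
{"eventTime":"2024-01-01T10:01:00Z","eventSource":"ebs.amazonaws.com","eventName":"ListSnapshotBlocks","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/haru"},"requestParameters":{"snapshotId":"snap-0123456789abcdef0"}}
{"eventTime":"2024-01-01T10:01:05Z","eventSource":"ebs.amazonaws.com","eventName":"GetSnapshotBlock","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/haru"},"requestParameters":{"snapshotId":"snap-0123456789abcdef0"}}
{"eventTime":"2024-01-01T10:01:06Z","eventSource":"ebs.amazonaws.com","eventName":"GetSnapshotBlock","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/haru"},"requestParameters":{"snapshotId":"snap-0123456789abcdef0"}}
{"eventTime":"2024-01-01T10:02:00Z","eventSource":"ebs.amazonaws.com","eventName":"GetSnapshotBlock","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/backup-service/nightly","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/backup-service"}}},"requestParameters":{"snapshotId":"snap-0123456789abcdef0"}}
{"eventTime":"2024-01-01T10:03:00Z","eventSource":"ebs.amazonaws.com","eventName":"GetSnapshotBlock","errorCode":"AccessDenied","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/haru"},"requestParameters":null}
"""

def principal(identity):
    """Return the issuing role ARN for assumed-role sessions, else the caller ARN."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", identity.get("arn", "unknown"))
    return identity.get("arn", "unknown")

def snapshot_reads(text, allowed=ALLOWED):
    """Summarise snapshot block reads per (principal, snapshot) for non-allowlisted callers."""
    findings = defaultdict(lambda: {"calls": 0, "denied": 0, "ips": set(), "first": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "ebs.amazonaws.com" or ev.get("eventName") not in READ_CALLS:
            continue
        who = principal(ev.get("userIdentity", {}))
        if who in allowed:
            continue
        # requestParameters can be null on failed calls, so fall back to "unknown".
        snap = (ev.get("requestParameters") or {}).get("snapshotId", "unknown")
        f = findings[(who, snap)]
        f["calls"] += 1
        f["denied"] += 1 if ev.get("errorCode") else 0
        f["ips"].add(ev.get("sourceIPAddress"))
        f["first"] = min(filter(None, [f["first"], ev["eventTime"]]))
    return dict(findings)

if __name__ == "__main__":
    for (who, snap), f in sorted(snapshot_reads(SAMPLE).items()):
        print(f"{who} -> {snap}: {f['calls']} calls ({f['denied']} denied) from {sorted(f['ips'])}, first {f['first']}")
```

The allowlist is matched against the issuing role rather than the session ARN, because every assumed-role session carries a different `assumed-role/.../session` ARN.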
Doing some manual enumeration of the file system, we found a few interesting files/folders:
/home/nacer/.azure
/root/.aws/credentials
/home/nacer/.aws/credentials
However, when attempting to use those credentials, they are unusable, most likely due to them expiring or being rotated out.
However, I'm able to retrieve the private and public key in the /home/nacer/.ssh folder.
Copying out the private key, let's attempt to use it to SSH into the web-prod server.
Recall how previously we tried using the credentials that we found in the docker container, but they were unusable. We have gotten our answer: the AWS keys are set to rotate daily.
Let's copy out the current nacer key.
In Flag 1, we had an S3 bucket that haru wasn't able to access. Let's try using nacer's credentials to access the bucket now.
We have then managed to retrieve the flag successfully from the S3 bucket.
Enumerate the AWS console with haru's credentials
Identify the running EC2 instances along with their snapshots
Utilize dsnap to dump the snapshot
The snapshot contains a private key
Utilize the private key to SSH into the web-prod EC2 instance and get nacer's access key ID and secret access key
Retrieve the flag from S3