Access the lab here -> https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=2282
Content:
- Fingerprinting the Website
- Command Injection
- Accessing Credentials
- S3 Bucket Access
Lab Description: Serverless Architecture is said to be more secure compared to traditional architectures. However, this does not mean attacks cannot be performed on it.
In this lab, we will learn how a vulnerable lambda function can be leveraged to perform a privileged operation.
Objective: Identify the command injection vulnerability, leverage it to get hold of temporary access credentials, and interact with the S3 buckets on the AWS account.
URL: https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com/Prod
Let’s get started.
1. Fingerprinting the Website
The given web application is hosted on AWS; it is based on a serverless architecture and uses AWS Lambda. [1]
- Landing page -> https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com/Prod
The application seems to be a file upload service. I tried uploading some files; it seems to not accept any of them and throws a 500 Internal Server Error response code.
We can capture the requests through Burp Proxy and examine the request and response.
2. Command Injection
As we don’t have much functionality to test, we can start with the upload request. Notice that the file name is echoed back in the error response. We can try some common command injection payloads to execute arbitrary commands [2]: different shell metacharacters appended to the filename, followed by the “id” command, such as:
; id
& id
&& id
On manipulating the intercepted request (filename;id) we see the command injection succeed: the output of id appears in the response.
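The root cause here is a user-controlled filename being spliced into a shell command string. The following is an added example (not code from the writeup or from the lab's Lambda function) contrasting that pattern with a hardened one: an allowlist validator for the filename, an argv list that never passes through a shell, and shlex.quote as a fallback when a shell is unavoidable. The command (`file`), the upload path and the function names are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Assumption: the handler receives the user-supplied filename from the upload
# request and hands it to a tool such as `file` (constructed example).
UPLOAD_DIR = "/tmp/uploads"

# Allowlist: must start with a letter or digit; then letters, digits, '.', '_', '-'.
# This excludes every shell metacharacter (; & | $ ` ( ) < > space, newline ...)
# and path separators, so "report.png;id" or "../etc/passwd" never get through.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_filename(name: str) -> bool:
    """True only for names that match the allowlist and contain no '..' component."""
    return bool(SAFE_FILENAME.fullmatch(name)) and ".." not in name


def vulnerable_command(filename: str) -> str:
    """The injection-prone pattern: the raw filename is interpolated into a shell
    string, which the flawed handler would then run with shell=True.
    Kept here only to show what the hardened version replaces."""
    return f"file {UPLOAD_DIR}/{filename}"


def hardened_argv(filename: str) -> list[str]:
    """Validate first, then build an argv list. Each element is passed to the
    program as a single argument, so metacharacters are never interpreted."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename")
    # '--' stops option parsing so a name starting with '-' cannot become a flag.
    return ["file", "--", f"{UPLOAD_DIR}/{filename}"]


def run_hardened(filename: str) -> subprocess.CompletedProcess:
    """Execute without a shell; the filename can only ever be an argument."""
    return subprocess.run(hardened_argv(filename), shell=False,
                          capture_output=True, text=True, check=False)


def shell_safe_command(filename: str) -> str:
    """Fallback when a shell really is required: quote the value so the shell
    treats it as one literal word. Validation above is still the first line."""
    return f"file -- {shlex.quote(f'{UPLOAD_DIR}/{filename}')}"


def safe_error_message(filename: str) -> str:
    """Error responses should not echo raw input back to the client."""
    return "upload rejected" if not is_safe_filename(filename) else "upload failed"
```

The validator is deliberately stricter than the shell needs: rejecting anything outside a small character set is easier to reason about than enumerating every metacharacter, and it also closes the path-traversal case. `shell_safe_command` shows how the `;id` payload from above becomes an inert part of a quoted word rather than a second command.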
3. Accessing Credentials
Now that we have command injection, we can leverage it to get access to the AWS keys. We can try accessing the AWS CLI credentials file [3]:
- Linux: /home/USERNAME/.aws/credentials (or /root/.aws/credentials)
- Windows: C:\Users\USERNAME\.aws\credentials
Unfortunately, no such file exists on the function's filesystem.
Another place the credentials could be found is the environment variables: we can run the “env” command on Linux, or a simple PowerShell command on Windows, to retrieve the current environment.
We can see several environment variables used for AWS CLI configuration; among them we can straight away see the destination bucket and the default region. These two help us locate the bucket. We can use the AWS S3 URL format to try to access it:
AWS_REGION=ap-southeast-1
DEST_BUCKET=temporary-public-image-store
https://temporary-public-image-store.s3.ap-southeast-1.amazonaws.com/
On accessing the bucket we get Access Denied, but the bucket does exist, and we can access it using the AWS keys exfiltrated from the environment variables.
We can set our local environment variables to the exfiltrated keys to access the bucket [4]. The AWS CLI reads these variables and uses the supplied keys to authenticate.
I am on a Linux system, so I’ll be setting my environment variables using “export”; it is used to set the export attribute for shell variables.
4. S3 Bucket Access
Now that we have our keys configured, we can use the AWS CLI to access the bucket. We use the s3 URL scheme to refer to the destination bucket “temporary-public-image-store”:
s3://bucket-name/path
s3://temporary-public-image-store
To list buckets, folders, or objects, we can use the s3 ls command.
aws s3 ls <target> [--options]
We can see the file named flag.txt; to access it we can use the s3 cp command, which copies objects between a bucket and a local directory.
aws s3 cp <source> <target> [--options]
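Both of these commands only succeed because the function's execution role is permitted to list and read the bucket. The following added example (not from the writeup; the lab's actual role policy is not shown) puts a least-privilege policy beside an over-broad one and runs a simplified IAM evaluator over the exact calls made above. The policy documents, the uploads/ prefix and the evaluator are assumptions for the example; the bucket name comes from the page.

```python
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::temporary-public-image-store"

# Assumed least-privilege policy for the upload function's role (constructed):
# it may only write objects under a single prefix, nothing else.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": [f"{BUCKET_ARN}/uploads/*"]},
    ],
}

# Over-broad policy of the kind that makes stolen keys pay off (constructed).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise deny by default. Action names are matched
    case-insensitively, resources case-sensitively, both with '*' and '?'.
    Conditions, NotAction/NotResource, and bucket policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# The S3 API calls behind the writeup's commands (constructed mapping):
#   aws s3 ls s3://bucket        -> s3:ListBucket on the bucket ARN
#   aws s3 cp s3://bucket/flag.txt . -> s3:GetObject on the object ARN
LAB_CALLS = {
    "upload": ("s3:PutObject", f"{BUCKET_ARN}/uploads/photo.png"),
    "s3 ls": ("s3:ListBucket", BUCKET_ARN),
    "s3 cp flag.txt": ("s3:GetObject", f"{BUCKET_ARN}/flag.txt"),
}


def what_keys_can_do(policy: dict) -> dict[str, bool]:
    """For each call above, whether the role's credentials would be permitted."""
    return {name: is_allowed(policy, act, res) for name, (act, res) in LAB_CALLS.items()}
```

Under the least-privilege policy the upload still works, but the `s3 ls` and `s3 cp` from the walkthrough are denied even with valid keys in hand, which is the whole point of scoping an execution role to the one operation its code performs.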
That’s it for today; do visit the PA Attack Defense labs to try it out for yourself. There are also several other labs to try and learn from.
You can start with free labs here — https://attackdefense.com/freelabs