Whilst on the AWS Console, let's utilize the console user interface to enumerate.
More IAM usernames added to loot
Policies: we don't have permission to get the actual policy documents, but the policy names are good to take note of.
EC2 running instances
No permission over S3
We identified that there are 2 EC2 instances running:
admin 54.211.110.193
web-prod 44.208.228.94
AMI owned by haru
snapshot owned by haru
As we do not have access to the EC2 machine via SSM, the second best option will be to look into the snapshot to see if there are any sensitive files inside.
First, let's configure the credentials we got from the previous flag and verify that they are working properly.
Next, referring to the HackTricks and RhinoSecurityLabs articles, we will be dumping the snapshot. For the exact instructions on installing and utilizing dsnap, please refer to the article.
installing dsnap using pipx
downloading the snapshot using dsnap
building the docker container
running the docker container and dropping into a shell
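As an added defender-side example (not part of this write-up and not dsnap's own code), the following Python flags snapshot reads made through the EBS direct APIs (ListSnapshotBlocks, ListChangedBlocks, GetSnapshotBlock), which is the access path tooling like dsnap relies on. The CloudTrail records, account ID, principal ARNs and snapshot ID are constructed for the example, and the eventSource/eventName/requestParameters field values are assumed to match how CloudTrail logs those APIs.

```python
from collections import defaultdict

# EBS direct-API calls that read snapshot contents block by block.
BLOCK_READ_EVENTS = {"ListSnapshotBlocks", "ListChangedBlocks", "GetSnapshotBlock"}

# Constructed CloudTrail records (hypothetical account, principals and snapshot ID);
# only the fields the check needs are present.
SAMPLE_EVENTS = [
    {"eventSource": "ebs.amazonaws.com", "eventName": "ListSnapshotBlocks",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/haru"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    {"eventSource": "ebs.amazonaws.com", "eventName": "GetSnapshotBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/haru"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    {"eventSource": "ebs.amazonaws.com", "eventName": "GetSnapshotBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-service"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    # Plain EC2 recon call: not a block read, so it is ignored by this check.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/haru"},
     "requestParameters": {}},
]


def snapshot_read_findings(events, allowed_principals):
    """Group EBS direct-API block reads by (principal, snapshot) and report every
    principal that is not on the allow-list of known backup/forensics identities."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("eventSource") != "ebs.amazonaws.com":
            continue
        if ev.get("eventName") not in BLOCK_READ_EVENTS:
            continue
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        snap = ev.get("requestParameters", {}).get("snapshotId", "<unknown>")
        counts[(principal, snap)] += 1

    findings = []
    for (principal, snap), reads in sorted(counts.items()):
        if principal in allowed_principals:
            continue
        findings.append({"principal": principal, "snapshotId": snap,
                         "block_reads": reads,
                         "note": "snapshot content read via EBS direct APIs by non-backup principal"})
    return findings


if __name__ == "__main__":
    allowed = {"arn:aws:iam::111122223333:role/backup-service"}
    for finding in snapshot_read_findings(SAMPLE_EVENTS, allowed):
        print(finding)
```

In practice the input would be CloudTrail output from Athena or CloudTrail Lake, and the allow-list is the set of principals expected to image volumes; an IAM policy that grants ebs:GetSnapshotBlock only to those principals is the matching preventive control.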
Doing some manual enumeration of the file system, we found a few interesting files/folders:
/home/nacer/.azure
/root/.aws/credentials
/home/nacer/.aws/credentials
However, when attempting to use those credentials, they are unusable, most likely because they have expired or been rotated out.
I am, however, able to retrieve the private and public keys from the /home/nacer/.ssh folder.
nacer private key redacted
Copying out the private key, let's attempt to use it to SSH into the web-prod server.
Successful SSH
Recall how previously we tried using the credentials we found in the docker container and they were unusable; now we have our answer. The AWS keys are set to rotate daily.
Let's copy out the current nacer key.
nacer aws credentials
In Flag 1, we had an S3 bucket that haru wasn't able to access. Let's try using nacer's credentials to access the bucket now.
able to list bucket
able to also get bucket objects
We have managed to retrieve the flag successfully from the S3 bucket.
redacted flag.txt
TLDR
Enumerate the AWS console with haru's credentials
Identify running EC2 instances along with their snapshots
Utilize dsnap to dump the snapshot
The snapshot contains a private key
Utilize the private key to SSH into the web-prod EC2 instance and get nacer's access key ID and secret access key