The SecOps Cheat Guide

SecurityLabs challenge: Week 5 and 6 (Public S3, and Public API Gateway)

Well, life got in the way and I missed week 5. The good news is that SecurityLabs_ has started publishing postmortems, so you can still go back and see what it took. (Check out their Twitter feed for links.)

Week 6 was stupid easy as we were given a large amount of info at the start:

"Team found an API Gateway with Id 'redacted' publicly accessible in us-east-2 region. There are allegations that you can't really bruteforce to find the right Endpoint and hence we have these access keys for you"

I started by just doing a simple GET/POST just to see if it would puke more info, but it did not. I guess they set this one up a little tighter than the last (they kind of alluded to that with the bruteforce comment). But, we already have keys, so let's see what we can do...

  1. Configure terminal to use the access keys
  2. aws apigatewayv2 get-routes --api-id "redacted" --region us-east-2

This returns something interesting. We see the standard GET and POST routes, but we also get a second GET route:

{
    "Items": [
        {
            "ApiKeyRequired": false,
            "AuthorizationScopes": [],
            "AuthorizationType": "NONE",
            "RequestParameters": {},
            "RouteId": "redacted",
            "RouteKey": "GET /redacted",
            "Target": "integrations/redacted"
        }
    ]
}

Nice, now we have a target and route. All we need to do now is a simple curl:

curl https://redacted.execute-api.us-east-2.amazonaws.com/redacted_route_key

And boom! Flag was presented.
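
The route above was callable because it had "AuthorizationType": "NONE" and "ApiKeyRequired": false, so the only protection was an unguessable path. As an added example (not part of the original post or the challenge), here is a defender-side check that reads saved `aws apigatewayv2 get-routes` output and lists every route that needs no credentials; the sample JSON, route names and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws apigatewayv2 get-routes` output; all values are made up.
SAMPLE = """
{
  "Items": [
    {"ApiKeyRequired": false, "AuthorizationScopes": [], "AuthorizationType": "NONE",
     "RouteId": "r-open1", "RouteKey": "GET /internal-report", "Target": "integrations/i-1"},
    {"ApiKeyRequired": false, "AuthorizationType": "JWT", "AuthorizerId": "a-1",
     "RouteId": "r-jwt1", "RouteKey": "POST /orders", "Target": "integrations/i-2"},
    {"ApiKeyRequired": false, "AuthorizationType": "AWS_IAM",
     "RouteId": "r-iam1", "RouteKey": "GET /admin", "Target": "integrations/i-3"},
    {"RouteId": "r-def", "RouteKey": "$default", "Target": "integrations/i-4"}
  ]
}
"""

def split_route_key(route_key):
    """'GET /path' -> ('GET', '/path'); keys with no method (e.g. '$default') map to 'ANY'."""
    method, sep, path = route_key.partition(" ")
    return (method, path) if sep else ("ANY", route_key)

def open_routes(get_routes_json):
    """Return routes that anyone who learns the URL can call without credentials."""
    findings = []
    for route in json.loads(get_routes_json).get("Items", []):
        # Assumption: a missing AuthorizationType is treated as NONE so the audit
        # reports the route instead of silently skipping it.
        auth = route.get("AuthorizationType", "NONE")
        needs_key = route.get("ApiKeyRequired", False)
        if auth == "NONE" and not needs_key:
            method, path = split_route_key(route.get("RouteKey", ""))
            findings.append({"route_id": route.get("RouteId"), "method": method,
                             "path": path, "target": route.get("Target")})
    return findings

if __name__ == "__main__":
    for f in open_routes(SAMPLE):
        print(f"OPEN {f['method']:4} {f['path']}  route={f['route_id']} -> {f['target']}")
```

Each reported route should either get an authorizer (JWT, IAM or Lambda) or be confirmed as intentionally public.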