Level 4: Unencrypted Snapshots

Task

For the next level, you need to get access to the web page running on an EC2 at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud

It'll be useful to know that a snapshot was made of that EC2 shortly after nginx was setup on it.

Resolution

  1. Listing EC2 Snapshots:

For this level, we need to list the EC2 snapshots owned by the flaws.cloud account. Snapshots are listed by owner, so we need the account ID behind the credentials recovered in the previous level.

First, we identify the account those credentials belong to (the profile name is whatever you configured for the Level 3 keys):

aws --profile default sts get-caller-identity

The Account field of the output is the owner ID we want. Now we list that account's snapshots. The flag is --owner-ids (plural); without it the call returns every public snapshot in the region. The flaws.cloud snapshot lives in us-west-2, so pass the region explicitly if your profile defaults elsewhere:

aws --profile default ec2 describe-snapshots --owner-ids <Account> --region us-west-2

Note the SnapshotId in the output; it is needed for the next step.

  1. Creating a Volume:

Once we have the snapshot ID, we can create a volume from it. This only works because the snapshot's createVolumePermission was opened to all AWS accounts (it is public); a snapshot kept private to the flaws.cloud account could not be restored this way.

However, the credentials from the previous level do not have permission to create volumes, and the volume has to live in an account we control anyway. Since we cannot change the permissions of the flaws.cloud user, we add the necessary permissions to an IAM user in our own AWS account and point our AWS CLI configuration (a second profile, or the default one) at that user's keys.

In the user's permissions, we create a new policy that allows the EC2 actions we need: ec2:DescribeSnapshots, ec2:CreateVolume, ec2:DescribeVolumes and ec2:AttachVolume (plus ec2:RunInstances and the related actions if you launch the instance from the CLI rather than the console). The volume must be created in the same region as the snapshot (us-west-2) and in the same Availability Zone as the instance it will later be attached to.

  1. Creating the Volume:

Now, we try creating the volume again with our own user's profile, passing the snapshot ID and an Availability Zone in us-west-2. This time the call succeeds and returns a VolumeId.

Perfect!

  1. Launching an EC2 Instance:

The next step is to launch an EC2 instance to which we can attach the volume. In the AWS console, switch to the same region as the volume (us-west-2) and search for EC2.

Click on Launch Instance. Pick an Ubuntu AMI (the ssh command below logs in as the ubuntu user) and make sure the instance's subnet is in the same Availability Zone as the volume; a volume can only be attached to an instance in its own AZ.

  1. Creating a Key Pair:

Create a new key pair and download the .pem file; it is the only way to log in to the instance.

  1. Attaching the Volume to the EC2 Instance:

First, attach the volume to the instance (EC2 > Volumes, select the volume, Actions > Attach volume, pick the instance; the console suggests a device name such as /dev/sdf). Then we connect to our EC2 instance via SSH:

ssh -i YOUR_KEY.pem ubuntu@<EC2_PublicIPv4DNS>

Now, we mount the volume. Use lsblk to find the newly attached disk (on Ubuntu it typically appears as /dev/xvdf or /dev/nvme1n1, with the root filesystem on its first partition) and mount that partition read-only under /mnt. A read-only mount avoids changing timestamps or anything else on the copied disk.

While exploring, we find a file called setupNginx.sh located in /mnt/home/ubuntu. We use cat to view its contents:

cat setupNginx.sh

The script configures nginx HTTP basic authentication and creates its password file, so the username and password are in it in clear text. Finally, we go back to the URL mentioned in Level 4 and enter those credentials.
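
The whole restore procedure above (find the instance's Availability Zone, create a volume from the snapshot, attach it, then mount it on the box) as one script. This is an added example written for this page, not code from the original walkthrough or from flaws.cloud; it uses boto3 against your own account and assumes you pass the snapshot ID from describe-snapshots, the ID of an instance you already launched in us-west-2, and the profile holding your own user's keys. The FakeEC2 class and the snap-/i- IDs in the offline branch are constructed placeholders so the script runs without AWS access.

```python
"""Restore a shared EBS snapshot into an instance you control (added example)."""
import sys

try:
    import boto3  # real AWS calls; optional so the example also runs offline
except ImportError:
    boto3 = None

REGION = "us-west-2"   # region of the flaws.cloud snapshot
DEVICE = "/dev/sdf"    # attachment name; the guest sees /dev/xvdf or /dev/nvme1n1


def restore_snapshot(ec2, snapshot_id, instance_id, device=DEVICE):
    """Create a volume from snapshot_id in the instance's AZ and attach it.

    Returns the new volume ID. The AZ is read from the instance because a
    volume can only be attached to an instance in the same AZ.
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    az = desc["Reservations"][0]["Instances"][0]["Placement"]["AvailabilityZone"]

    vol = ec2.create_volume(SnapshotId=snapshot_id, AvailabilityZone=az)
    volume_id = vol["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])

    ec2.attach_volume(VolumeId=volume_id, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[volume_id])
    return volume_id


def mount_commands(mount_point="/mnt"):
    """Shell lines to run on the instance once the volume is attached.

    The mount is read-only so nothing on the copied disk is altered.
    """
    return [
        "lsblk",  # find the new disk, e.g. xvdf1 or nvme1n1p1
        f"sudo mkdir -p {mount_point}",
        f"sudo mount -o ro /dev/xvdf1 {mount_point} || sudo mount -o ro /dev/nvme1n1p1 {mount_point}",
        f"sudo cat {mount_point}/home/ubuntu/setupNginx.sh",
    ]


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client; records the calls made."""

    def __init__(self, az="us-west-2a"):
        self.az = az
        self.calls = []

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "Placement": {"AvailabilityZone": self.az}}]}]}

    def create_volume(self, SnapshotId, AvailabilityZone):
        self.calls.append(("create_volume", SnapshotId, AvailabilityZone))
        return {"VolumeId": "vol-0fake"}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.calls.append(("attach_volume", VolumeId, InstanceId, Device))
        return {"State": "attaching"}

    def get_waiter(self, name):
        self.calls.append(("waiter", name))
        return self  # wait() below is a no-op for the fake

    def wait(self, **kwargs):
        pass


if __name__ == "__main__":
    # usage: python restore.py <profile> <snapshot-id> <instance-id>
    if len(sys.argv) == 4 and boto3:
        profile, snap, inst = sys.argv[1:]
        client = boto3.Session(profile_name=profile, region_name=REGION).client("ec2")
    else:
        client = FakeEC2()  # offline demo with placeholder IDs (not real resources)
        snap, inst = "snap-0123456789abcdef0", "i-0123456789abcdef0"
    print("attached volume", restore_snapshot(client, snap, inst))
    print("then on the instance run:\n  " + "\n  ".join(mount_commands()))
```

The IAM user behind the profile needs exactly the actions the script calls: ec2:DescribeInstances, ec2:CreateVolume, ec2:DescribeVolumes (the waiters poll it) and ec2:AttachVolume.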

Lesson Learned

AWS allows you to make snapshots of EC2 volumes (EBS) and databases (RDS). The main purpose is backups, but people sometimes use snapshots to get access back to their own EC2 instances when they have lost the password or key. That same mechanism gives attackers access too. Snapshots are normally restricted to your own account; in this level the snapshot's createVolumePermission had been opened to all AWS accounts, so anyone who knew the owner's account ID could list it and restore it in their own account, as we did. The other realistic path is an attacker obtaining an AWS key that allows EC2 actions (CreateSnapshot, ModifySnapshotAttribute, CreateVolume, AttachVolume and so on), snapshotting an EC2 and spinning up an instance with that volume, either inside your environment or, after sharing the snapshot, in their own. Like all backups, you need to be cautious about protecting them: audit which of your snapshots are shared publicly or with other accounts (describe-snapshot-attribute with the createVolumePermission attribute), turn on the account-level block public access setting for EBS snapshots, encrypt volumes so that their snapshots are encrypted as well (encrypted snapshots cannot be made public, and sharing one privately also requires sharing the KMS key), and keep secrets such as the htpasswd line in this level's setup script out of disk images altogether.
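
The audit that the lesson calls for, as an added example that is not part of the original page: it classifies every snapshot an account owns as public (createVolumePermission grants the group all, the situation in this level), shared with specific foreign accounts, or private, and flags whether the exposed ones are encrypted. The classification works on plain API response dicts, so it runs offline on the constructed sample below; boto3 and the profile name are only needed for the live run, and the account and snapshot IDs in the sample are made up.

```python
"""Audit EBS snapshots for public or cross-account sharing (added example)."""
try:
    import boto3
except ImportError:  # offline use
    boto3 = None

REGION = "us-west-2"


def classify(permissions, own_account):
    """Return 'public', 'shared' or 'private' for one snapshot.

    permissions is describe_snapshot_attribute(...)["CreateVolumePermissions"]:
    a list of {"Group": "all"} and/or {"UserId": "<account id>"} entries.
    """
    if any(p.get("Group") == "all" for p in permissions):
        return "public"
    if any(p.get("UserId") not in (None, own_account) for p in permissions):
        return "shared"
    return "private"


def findings(snapshots, permissions_by_id, own_account):
    """List (snapshot_id, status, encrypted) for every snapshot that is not private."""
    out = []
    for snap in snapshots:
        status = classify(permissions_by_id.get(snap["SnapshotId"], []), own_account)
        if status != "private":
            out.append((snap["SnapshotId"], status, snap.get("Encrypted", False)))
    return out


def fetch(profile):
    """Live version: pull the same data with boto3 (not used in the offline demo)."""
    session = boto3.Session(profile_name=profile, region_name=REGION)
    ec2 = session.client("ec2")
    account = session.client("sts").get_caller_identity()["Account"]
    snaps = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])
    perms = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snaps
    }
    return snaps, perms, account


# Constructed sample data shaped like the EC2 API responses (made-up IDs).
OWN_ACCOUNT = "111111111111"
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-aaaa", "Encrypted": False, "Description": "web root, post-nginx"},
    {"SnapshotId": "snap-bbbb", "Encrypted": True, "Description": "db backup"},
    {"SnapshotId": "snap-cccc", "Encrypted": False, "Description": "scratch"},
]
SAMPLE_PERMISSIONS = {
    "snap-aaaa": [{"Group": "all"}],             # public: any AWS account can restore it
    "snap-bbbb": [{"UserId": "222222222222"}],   # shared with one other account
    "snap-cccc": [],                             # private
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and boto3:
        snaps, perms, account = fetch(sys.argv[1])
    else:
        snaps, perms, account = SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS, OWN_ACCOUNT
    for snapshot_id, status, encrypted in findings(snaps, perms, account):
        print(f"{snapshot_id}: {status}, encrypted={encrypted}")
```

Run it per region; snapshots are regional, and a snapshot that is public in one region is invisible to a check in another. An unencrypted public finding is the exact condition this level exploits.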
