# Level 6

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F6VyaMQyL30noWgUfNxvQ%2Fimage.png?alt=media&#x26;token=34da23f5-a287-4f93-ad95-ada84bc9d1dc" alt=""><figcaption></figcaption></figure>

The welcome page for Level 6 provides us with credentials to an AWS account. The IAM user behind them has the [SecurityAudit](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html) managed policy attached. This policy grants read-only access to security configuration metadata (IAM, Lambda, API Gateway and so on), which is exactly what we need for enumeration. We save the credentials as a named AWS CLI profile, called `flaws6` in the commands below.

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FkQzfZOjfDFW20NP4Jm2w%2Fimage.png?alt=media&#x26;token=2453ef03-1089-420c-b426-1e18d610517a" alt=""><figcaption></figcaption></figure>

To find out more about this IAM user, we can begin with some enumeration.

```
aws sts get-caller-identity --profile flaws6
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FDa9fSIMsh807xOn7ze4T%2Fimage.png?alt=media&#x26;token=1b51d882-6dbd-438f-b326-b405de91d121" alt=""><figcaption></figcaption></figure>

Using the `aws iam list-policies` command, we can see which managed policies exist in the account (AWS-managed and customer-managed, not only those attached to our user). One of note is the Lambda execution policy. We’ll keep this in mind for later.

```
aws iam list-policies --profile flaws6
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FQPqnfO9xuKmJZo6B2aTm%2Fimage.png?alt=media&#x26;token=a5c9f66a-9b4f-4952-bba6-1d19ae8a21f9" alt=""><figcaption></figcaption></figure>

Next, let’s see what policies are attached to the user.

```
aws --profile flaws6 iam list-attached-user-policies --user-name Level6
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F2JiBXQS96xwJIC1ba5L8%2Fimage.png?alt=media&#x26;token=ddd37033-0731-48f4-9f7a-8099f23897ec" alt=""><figcaption></figcaption></figure>

The `list_apigateways` policy is interesting, especially since it is a customer-managed (custom) policy rather than an AWS-managed one.

```
aws --profile flaws6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FKsjJJsQbWoHShBlGWij6%2Fimage.png?alt=media&#x26;token=62db4878-8637-47e7-9f93-4069bfe9d41f" alt=""><figcaption></figcaption></figure>

`get-policy` only returns metadata about the policy (its ARN, `DefaultVersionId`, attachment count), not the policy document itself. To read the document we call `get-policy-version` with the ARN and the default version id from the previous output (`v4` here). The document allows the action `apigateway:GET` on the resource `arn:aws:apigateway:us-west-2::/restapis/*`, i.e. read access to every REST API in us-west-2. Note that API Gateway ARNs carry no account id, hence the empty field.

```
aws --profile flaws6 iam get-policy-version  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FRGQRAWexFblK6wlM0KnH%2Fimage.png?alt=media&#x26;token=8e10339d-af7a-46a4-935d-61d7a52184aa" alt=""><figcaption></figcaption></figure>

Remember when we saw the Lambda execution policy earlier? SecurityAudit lets us list Lambda functions, so let’s enumerate them and see what we find. There is a single function named `Level6`.

```
aws --region us-west-2 --profile flaws6 lambda list-functions
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FkJjvv4orXtqExM7qWD13%2Fimage.png?alt=media&#x26;token=9ada95ed-fd99-41d1-9d0b-5eef9516a088" alt=""><figcaption></figcaption></figure>

To dig deeper, we can use the `lambda get-policy` command to retrieve the function’s resource-based policy (the `Policy` field in the response is a JSON document serialised as a string). It shows that the service principal `apigateway.amazonaws.com` is allowed to call `lambda:InvokeFunction` on `Level6`, with a `SourceArn` condition restricting which API may trigger it. That ARN is what gives us the rest-api-id `s33ppypa75`, along with the method and path (`GET` on `/level6`).

```
aws --region us-west-2 --profile flaws6 lambda get-policy --function-name Level6
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F6UsA3v2daNz3xXgb5NaQ%2Fimage.png?alt=media&#x26;token=8d44955a-7fa8-4706-aa4d-6fbb5ede05ab" alt=""><figcaption></figcaption></figure>

Now we can use that ID together with the `apigateway:GET` permission we found earlier to list the API’s stages. The only stage is named `Prod`.

```
aws --profile flaws6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2Fza7aVxeUOGCCV7mQIyPu%2Fimage.png?alt=media&#x26;token=cea369c4-5e81-4b2c-b402-bb9fbfa834a3" alt=""><figcaption></figcaption></figure>

After reviewing the AWS [documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html) on invoke URLs, we have everything needed to hit the endpoint: the rest-api-id, the region, the stage name and the resource path.

Note: this is the structure `https://[rest-api-id].execute-api.[region].amazonaws.com/[stagename]/[resourcepath]`. The last segment is the API Gateway resource path taken from the `SourceArn` condition (`level6`, lowercase), not the Lambda function name; here they happen to differ only in case.

```
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FXdP6WOFrOeg5yDgvT9xr%2Fimage.png?alt=media&#x26;token=20aa0c2f-c2b0-49d6-8a92-1d3dfd060680" alt=""><figcaption></figcaption></figure>
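The step from `lambda get-policy` output to an invoke URL is easy to do by eye for one function, but it is worth automating when an account has dozens. The following is an added example written for this writeup (not code from flaws.cloud); it parses the double-encoded `Policy` field, pulls the API Gateway trigger out of the `SourceArn` condition, and builds the URL once the stage name from `apigateway get-stages` is known. The sample response is constructed to match the shape of the real CLI output using the identifiers seen on this page; the `Sid` and `RevisionId` values are placeholders.

```python
"""Turn `aws lambda get-policy` output into an API Gateway invoke URL.

Example added to this writeup, not part of flaws.cloud. Feed it the real
output with:  aws lambda get-policy --function-name Level6 > policy.json
"""
import json
import re

# Constructed sample of a `lambda get-policy` response. The Policy field is a
# JSON document serialised as a string (AWS really does double-encode it).
# Sid and RevisionId are placeholders; the rest matches this page.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "placeholder-sid",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# SourceArn layout for an API Gateway trigger:
#   arn:aws:execute-api:{region}:{account}:{rest-api-id}/{stage}/{METHOD}/{path}
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>\d*):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$"
)


def api_gateway_triggers(get_policy_output: str) -> list:
    """Return every API Gateway trigger an Allow statement grants."""
    outer = json.loads(get_policy_output)
    policy = json.loads(outer["Policy"])  # second decode: the nested document
    triggers = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "apigateway.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        source_arns = []
        for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            val = cond.get(op, {}).get("AWS:SourceArn")
            if val:
                source_arns.extend(val if isinstance(val, list) else [val])
        if not source_arns:
            # No SourceArn: any API Gateway, in any account, may invoke it.
            triggers.append({"api_id": None,
                             "note": "unscoped apigateway principal"})
            continue
        for arn in source_arns:
            match = EXECUTE_API_ARN.match(arn)
            if match:
                triggers.append(match.groupdict())
    return triggers


def invoke_url(trigger: dict, stage_name: str) -> str:
    """Build the public URL; stage_name comes from `apigateway get-stages`."""
    stage = stage_name if trigger["stage"] == "*" else trigger["stage"]
    return (f"https://{trigger['api_id']}.execute-api."
            f"{trigger['region']}.amazonaws.com/{stage}/{trigger['path']}")


if __name__ == "__main__":
    for trig in api_gateway_triggers(SAMPLE_GET_POLICY_OUTPUT):
        if trig["api_id"]:
            print(trig["method"], invoke_url(trig, "Prod"))
        else:
            print("warning:", trig["note"])
```

The unscoped case is flagged deliberately: a resource policy that trusts `apigateway.amazonaws.com` without a `SourceArn` condition lets an API in any AWS account invoke the function (a confused-deputy setup), so when enumerating it is worth noting which functions are wide open, not just which API ids to try.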

When we visit the URL, we are greeted with The End!

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2Fhmz1zjO144kL43vXS8ef%2Fimage.png?alt=media&#x26;token=a6915e4b-2e0f-475a-8540-f4815e20a09c" alt=""><figcaption></figcaption></figure>
