Level 1

A CTF walkthrough for level 1 of Flaws.Cloud

Discovering the S3 Bucket

Upon navigating to the challenge, flaws.cloud, we're provided a hint to get started.

This level is *buckets* of fun. See if you can find the first sub-domain.

We can assume this website is hosted in an AWS S3 Bucket. Let's confirm!

nslookup flaws.cloud

Non-authoritative answer:
Name:	flaws.cloud

Non-authoritative answer:	name = s3-website-us-west-2.amazonaws.com.

Enumerating the S3 Bucket

Let's see if we can list the bucket contents.

We'll use --no-sign-request which basically means we're trying to access the bucket as an anonymous user.

aws s3 ls flaws.cloud --no-sign-request

2017-03-13 21:00:38       2575 hint1.html
2017-03-02 21:05:17       1707 hint2.html
2017-03-02 21:05:11       1101 hint3.html
2024-02-21 19:32:41       2861 index.html
2018-07-10 10:47:16      15979 logo.png
2017-02-26 18:59:28         46 robots.txt
2017-02-26 18:59:30       1051 secret-dd02c7c.html

Skip the hints and we'll view the file secret-dd02c7c.html. This can be done in the browser but we'll view it in the terminal.

curl flaws.cloud/secret-dd02c7c.html

Level 2 is at <a href="http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud">http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud</a>

Nice! We've found the next entry point for Level 2.


In Level 1, we're provided with a website endpoint. After enumerating it, we discovered it's an AWS S3 static website. Further enumeration as an unauthenticated user leads to finding a new domain for Level 2.

While no sensitive data was found in this bucket, it's important to be mindful of what actions someone can perform. In this case, as an anonymous user, we can enumerate the full bucket contents and even download files locally e.g.,

aws --no-sign-request s3 cp s3://flaws.cloud/secret-dd02c7c.html . 
download: s3://flaws.cloud/secret-dd02c7c.html to ./secret-dd02c7c.html

Last updated