Level 2
A CTF walkthrough for level 2 of Flaws.Cloud

Enumerating the Domain
In the previous level, we identified the entry point for Level 2 as level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.
Again, we can look up the DNS records and identify this is also an S3 bucket hosting a website.
nslookup level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
Name: level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
Address: 52.92.251.123
nslookup 52.92.251.123
Non-authoritative answer:
123.251.92.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Enumerating the S3 Bucket
Level 2 is similar to Level 1; however, this time we're unable to list the bucket contents as an unauthenticated user.
aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --no-sign-request
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
However, we can list the bucket contents as an AWS user. In this case, we can use an AWS account of our own with a user/role with S3 permissions (s3:ListBucket).
aws --profile dev s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
2017-02-26 19:02:15 80751 everyone.png
2017-03-02 20:47:17 1433 hint1.html
2017-02-26 19:04:39 1035 hint2.html
2017-02-26 19:02:14 2786 index.html
2017-02-26 19:02:14 26 robots.txt
2017-02-26 19:02:15 1051 secret-e4443fc.html
We've discovered the entry point for level 3!
curl level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html
Level 3 is at <a href="http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud">http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
Wrap-Up
In Level 2, we enumerate the domain we found in Level 1 and discover it's also a static website hosted on AWS S3. While we could not list the bucket contents as an unauthenticated user, we could as an authenticated user from our personal AWS account.
The website administrator may have thought "authenticated users" meant only users in their AWS account could list the bucket contents. However, as we've seen, this means AWS users in any AWS account.
Regardless, the data can be viewed as an unauthenticated user since we viewed it using curl. Having the ability to list the bucket contents made it easier to find the data in the first place.