# Level 1

## Discovering the S3 Bucket

Upon navigating to the challenge, [flaws.cloud](http://flaws.cloud), we're given a hint to get started.

```
This level is *buckets* of fun. See if you can find the first sub-domain.
```

The hint suggests this website is hosted in an AWS S3 bucket. Let's confirm that with DNS: resolve the domain, then reverse-resolve the IP it points to.

```sh
nslookup flaws.cloud

Non-authoritative answer:
Name:	flaws.cloud
Address: 52.218.178.42
[snip]
```

```sh
nslookup 52.218.178.42

Non-authoritative answer:
42.178.218.52.in-addr.arpa	name = s3-website-us-west-2.amazonaws.com.
```

## Enumerating the S3 Bucket

Let's see if we can list the bucket contents.

We'll use `--no-sign-request`, which tells the AWS CLI not to sign the request, so we're accessing the bucket as an anonymous (unauthenticated) user.

```sh
aws s3 ls flaws.cloud --no-sign-request

2017-03-13 21:00:38       2575 hint1.html
2017-03-02 21:05:17       1707 hint2.html
2017-03-02 21:05:11       1101 hint3.html
2024-02-21 19:32:41       2861 index.html
2018-07-10 10:47:16      15979 logo.png
2017-02-26 18:59:28         46 robots.txt
2017-02-26 18:59:30       1051 secret-dd02c7c.html
```

Skipping the hints, let's view the file `secret-dd02c7c.html`. This can be done in the browser, but we'll view it in the terminal.

{% code overflow="wrap" %}

```sh
curl flaws.cloud/secret-dd02c7c.html

[snip]
Level 2 is at <a href="http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud">http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud</a>
```

{% endcode %}

Nice! We've found the next entry point for Level 2.

## Wrap-Up

In Level 1, we're provided with a website endpoint. After enumerating it, we discovered it's an AWS S3 static website. Further enumeration as an unauthenticated user leads to finding a new domain for Level 2.

While no sensitive data was found in this bucket, the real lesson is what an anonymous principal is allowed to do. In this case, as an anonymous user, we can enumerate the full bucket contents and even download files locally, e.g.,

```sh
aws --no-sign-request s3 cp s3://flaws.cloud/secret-dd02c7c.html .

download: s3://flaws.cloud/secret-dd02c7c.html to ./secret-dd02c7c.html
```
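The listing shown above only works because some grant gives the `AllUsers` principal `s3:ListBucket` on the bucket. As an added example (not part of the original write-up, and the policies below are constructed, not flaws.cloud's real configuration), this small checker scans a bucket policy for `Allow` statements that grant listing to everyone, and contrasts a leaky static-website policy with one that only allows anonymous `s3:GetObject` on objects:

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (hypothetical bucket name, not flaws.cloud's policy).
# WEAK_POLICY serves a static site but also lets anyone list the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAndList",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# FIXED_POLICY grants anonymous reads of objects only; no bucket-level listing.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_everyone(principal):
    # "*" or {"AWS": "*"} matches any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_listing_statements(policy_json):
    """Return Sids (or statement indexes) of Allow statements that grant
    s3:ListBucket to everyone. Wildcards such as s3:* or s3:List* count too.
    Deny statements and Conditions are not evaluated: treat hits as findings to review."""
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase("s3:listbucket", pattern) for pattern in actions):
            hits.append(stmt.get("Sid", idx))
    return hits
```

Listing can also be granted through the bucket ACL (the `AllUsers` grantee) rather than the bucket policy, which this policy review will not see, and enabling S3 Block Public Access at the account or bucket level overrides both.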
