# Level 2

<figure><img src="/files/1dzPSNl7XjzEPrv6bSAF" alt=""><figcaption></figcaption></figure>

## Enumerating the Domain

In the previous level, we identified the entry point for Level 2 as `level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud`.

Again, we look up the DNS records. The hostname resolves to an address whose reverse record points at an S3 website endpoint, so this is another S3 bucket hosting a static website.

{% code overflow="wrap" %}

```bash
nslookup level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

Name:	level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
Address: 52.92.251.123
```

{% endcode %}

{% code overflow="wrap" %}

```bash
nslookup 52.92.251.123

Non-authoritative answer:
123.251.92.52.in-addr.arpa	name = s3-website-us-west-2.amazonaws.com.
```

{% endcode %}

## Enumerating the S3 Bucket

Level 2 is similar to Level 1; however, this time we are unable to list the bucket contents as an unauthenticated user.

{% code overflow="wrap" %}

```sh
aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --no-sign-request              

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```

{% endcode %}

However, we can list the bucket contents as an authenticated AWS principal. The bucket does not need to belong to us: here we use a user in our own AWS account (the `dev` profile below) whose IAM policy allows `s3:ListBucket`. Our account has no relationship to the flaws.cloud account at all; the only thing that matters is that the request is signed by some valid AWS credential.

{% code overflow="wrap" %}

```sh
aws --profile dev s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud 

2017-02-26 19:02:15      80751 everyone.png
2017-03-02 20:47:17       1433 hint1.html
2017-02-26 19:04:39       1035 hint2.html
2017-02-26 19:02:14       2786 index.html
2017-02-26 19:02:14         26 robots.txt
2017-02-26 19:02:15       1051 secret-e4443fc.html
```

{% endcode %}

The object named `secret-e4443fc.html` is the one we care about. Fetching it over the public website endpoint, with no credentials at all, reveals the entry point for Level 3.

{% code overflow="wrap" %}

```sh
curl level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html

Level 3 is at <a href="http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud">http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
```

{% endcode %}

## Wrap-Up

In Level 2, we enumerated the domain found in Level 1 and confirmed that it is also a static website hosted on AWS S3. As an unauthenticated user we could not list the bucket contents, but we could as an authenticated user from our own, unrelated AWS account.

The website administrator probably assumed that "authenticated users" meant only users in their own AWS account. In S3 ACLs, however, the predefined `AuthenticatedUsers` group (`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`) means any principal in *any* AWS account. Since anyone can create an AWS account for free, a grant to this group is effectively public; AWS now discourages ACL grants entirely in favour of bucket policies and Block Public Access.

Regardless of the ACL, the objects themselves were already readable without credentials, as the `curl` request over the website endpoint showed; the ACL only gated listing. Being able to list the bucket simply turned finding `secret-e4443fc.html` from a guessing exercise into a one-line command.
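The mistake above is easy to audit for. The following is an added example written for this writeup, not code from flaws.cloud or from the level's author. It parses a bucket ACL in the JSON shape that `aws s3api get-bucket-acl --bucket NAME --output json` returns (an `Owner` plus a list of `Grants`, each with a `Grantee` and a `Permission`) and flags any grant to the two predefined global groups. The `SAMPLE_ACL` is constructed to mirror the Level 2 misconfiguration and is not the real bucket's ACL; the function names are my own.

```python
"""Flag S3 bucket ACL grants that reach outside the owning account.

Added example for this writeup (not flaws.cloud code). SAMPLE_ACL is a
constructed document in the shape of `aws s3api get-bucket-acl --output json`;
it is not the real Level 2 bucket's ACL.
"""
import json

# Predefined S3 groups. AuthenticatedUsers is any principal in ANY AWS account,
# not just the bucket owner's; AllUsers is anyone, signed request or not.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet (unsigned requests)",
    AUTHENTICATED_USERS: "any AWS account (signed requests)",
}

# Constructed sample: owner has FULL_CONTROL, and READ (which on a bucket ACL
# means "list the objects") is granted to every authenticated AWS user.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "bucket-owner",
            "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser",
                 "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")


def find_external_grants(acl):
    """Return (group_uri, permission, description) for each grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are specific accounts
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GROUPS:
            findings.append((uri, grant["Permission"], PUBLIC_GROUPS[uri]))
    return findings


def listing_is_exposed(acl):
    """True when READ or FULL_CONTROL is granted to AllUsers or AuthenticatedUsers.

    On a bucket ACL, READ is exactly the ability to list objects (s3:ListBucket),
    which is what let `aws --profile dev s3 ls` succeed in Level 2.
    """
    return any(perm in ("READ", "FULL_CONTROL")
               for _, perm, _ in find_external_grants(acl))


def exposure_level(acl):
    """Classify who can act on the bucket via its ACL: public, any-aws-account, or private."""
    uris = {uri for uri, _, _ in find_external_grants(acl)}
    if ALL_USERS in uris:
        return "public"
    if AUTHENTICATED_USERS in uris:
        return "any-aws-account"
    return "private"


if __name__ == "__main__":
    for uri, perm, who in find_external_grants(SAMPLE_ACL):
        print(f"{perm:<13} -> {who}  [{uri}]")
    print("listing exposed:", listing_is_exposed(SAMPLE_ACL))
    print("exposure level: ", exposure_level(SAMPLE_ACL))
```

To run this against a real bucket you own, pipe `aws s3api get-bucket-acl --bucket NAME --output json` into `json.load` in place of `SAMPLE_ACL`. The remediation is the same either way: `aws s3api put-bucket-acl --bucket NAME --acl private` removes the group grant, and enabling all four settings of S3 Block Public Access (`aws s3api put-public-access-block`) prevents such ACLs from being honoured in the first place.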
