Level 1 – Challenge statement:
This level is buckets of fun. See if you can find the first sub-domain.
flaws.cloud itself says it best:
Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS). There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues. A series of hints are provided that will teach you how to discover the info you'll need. If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. At the start of each level you'll learn how to avoid the problem the previous level exhibited. Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.
The emphasized word buckets must refer to S3 buckets. And given that S3 buckets are able to host static websites on them – it’s likely that flaw.cloud is hosted on s3.
Lets get the IP address (A Record) of flaws.cloud
nslookup flaws.cloud > flaws.cloud Server: 184.108.40.206 Address: 220.127.116.11#53 Non-authoritative answer: Name: flaws.cloud Address: 18.104.22.168
Now, lets do an reverse look-up on 22.214.171.124
> 126.96.36.199 Server: 188.8.131.52 Address: 184.108.40.206#53 Non-authoritative answer: 251.184.231.54.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Ok – confirmed. It’s an s3 static website in the
If you using a custom domain (e.g. flaws.cloud) for you S3 hosted static site, then the bucket name must match the domain name.
This tells us the bucket name is flaws.cloud
The URL format for S3 HTTP end points are as follows:
So given the information we have, we can tell that the s3 end point for this bucket is: http://s3-us-west-2.amazonaws.com/flaws.cloud
Browse there, and you’ll get an XML response referencing the following files within the bucket:
Obviously secret-dd02c7c.html looks juicy, lets browse there: http://s3-us-west-2.amazonaws.com/flaws.cloud/secret-dd02c7c.html
Level 2 unlocked.