flAWS – AWS CTF – Level 1

Level 1 – Challenge statement:

This level is buckets of fun. See if you can find the first sub-domain.

Background

flaws.cloud itself says it best:

Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS). 
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.

A series of hints are provided that will teach you how to discover the info you'll need. 
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. 
At the start of each level you'll learn how to avoid the problem the previous level exhibited.

Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud. 

My approach:

The emphasized word "buckets" must refer to S3 buckets. And given that S3 buckets can host static websites, it's likely that flaws.cloud is hosted on S3.

Let's get the IP address (A record) of flaws.cloud:

  nslookup flaws.cloud

  > flaws.cloud
  Server:         8.8.8.8
  Address:        8.8.8.8#53

  Non-authoritative answer:
  Name:   flaws.cloud
  Address: 54.231.184.251

Now, let's do a reverse lookup on 54.231.184.251:

  > 54.231.184.251
  Server:         8.8.8.8
  Address:        8.8.8.8#53

  Non-authoritative answer:
  251.184.231.54.in-addr.arpa     name = s3-website-us-west-2.amazonaws.com.

OK, confirmed. It's an S3 static website in the us-west-2 region.

If you are using a custom domain (e.g. flaws.cloud) for your S3-hosted static site, then the bucket name must match the domain name.

This tells us the bucket name is flaws.cloud

The URL format for S3 HTTP endpoints is as follows: s3-<region>.amazonaws.com/<bucketname>

So given the information we have, we can tell that the S3 endpoint for this bucket is: http://s3-us-west-2.amazonaws.com/flaws.cloud

Browse there, and you'll get an XML response (a listing of the bucket's contents) referencing the following files within the bucket:

  • hint1.html
  • hint2.html
  • hint3.html
  • index.html
  • robots.txt
  • secret-dd02c7c.html

Obviously secret-dd02c7c.html looks juicy, so let's browse there: http://s3-us-west-2.amazonaws.com/flaws.cloud/secret-dd02c7c.html

Level 2 unlocked.
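
For a bucket owner, the XML response above is the thing to test for. The following added example (not part of the original write-up or of flaws.cloud) classifies the body returned by an anonymous request to a bucket root and flags listed keys that fall outside an allow-list. The sample bodies and the INTENDED_PUBLIC allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample bodies, not captured from the live site. The keys are the
# file names listed in the write-up above.
SAMPLE_LISTING = (
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>flaws.cloud</Name><IsTruncated>false</IsTruncated>"
    + "".join(
        f"<Contents><Key>{k}</Key></Contents>"
        for k in ("hint1.html", "hint2.html", "hint3.html", "index.html",
                  "robots.txt", "secret-dd02c7c.html")
    )
    + "</ListBucketResult>"
)
SAMPLE_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

# Hypothetical allow-list: the objects the site owner means to publish.
INTENDED_PUBLIC = {"index.html", "robots.txt", "hint1.html", "hint2.html", "hint3.html"}


def audit_listing_response(body, intended=INTENDED_PUBLIC):
    """Classify the body returned for an anonymous GET on a bucket root."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"listable": False, "reason": "not XML", "unexpected": []}
    if root.tag == "Error":  # S3 error documents carry no namespace
        return {"listable": False, "reason": root.findtext("Code"), "unexpected": []}
    if root.tag != S3_NS + "ListBucketResult":
        return {"listable": False, "reason": "unrecognised document", "unexpected": []}
    keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    return {
        "listable": True,
        "reason": "anonymous listing is allowed",
        "bucket": root.findtext(S3_NS + "Name"),
        # A truncated page means more keys exist than this response shows.
        "truncated": root.findtext(S3_NS + "IsTruncated") == "true",
        "unexpected": sorted(k for k in keys if k not in intended),
    }


if __name__ == "__main__":
    for name, body in (("listing", SAMPLE_LISTING), ("denied", SAMPLE_DENIED)):
        print(name, audit_listing_response(body))
```

A result with `listable` set to True means anyone can enumerate the bucket, so any object in it should be treated as discoverable regardless of how unguessable its name looks.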
