flAWS – AWS CTF – Level 2

Level 2 – Challenge statement:

The next level is fairly similar, with a slight twist. You’re going to need your own AWS account for this. You just need the free tier.



flaws.cloud itself says it best:

Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS). 
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.

A series of hints are provided that will teach you how to discover the info you'll need. 
If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. 
At the start of each level you'll learn how to avoid the problem the previous level exhibited.

Scope: Everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud. 

My approach:

Given that they say this is similar to before, I imagine it’s related to S3 permissions again – and they require us to have our own AWS Account – so initial thinking is this is a misconfiguration in cross-AWS account access.

We know the bucket name is level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

Configure AWS CLI with your Access Key and Secret Key:

  ~$ aws configure
  AWS Access Key ID [********************]:
  AWS Secret Access Key [********************]:
  Default region name [ap-southeast-1]: us-west-2
  Default output format [None]:

Now lets list the objects in the bucket via the AWS CLI:

        :~$ aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --region us-west-2 --recursive
        2017-02-27 10:02:15      80751 everyone.png
        2017-03-03 11:47:17       1433 hint1.html
        2017-02-27 10:04:39       1035 hint2.html
        2017-02-27 10:02:14       2786 index.html
        2017-02-27 10:02:14         26 robots.txt
        2017-02-27 10:02:15       1051 secret-e4443fc.html

Again, the secret file looks good, lets open it in a browser

The URL format for S3 HTTP end points are as follows: s3-<region>.amazonaws.com/<bucketname>

So given the information we have, we can tell that the s3 end point for this bucket is: http://s3-us-west-2.amazonaws.com/level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

So lets open the browser too: http://s3-us-west-2.amazonaws.com/level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html

Level 3 unlocked.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s