What is flAWS?

Pre-requisite Tools

To complete these challenges, you’ll need to have the following tools:

• AWS CLI
• DNS resolution tools (dig on *nix, Resolve-DNSName on Windows)

Note: While I will be essentially providing a full walkthrough for each level, all solutions or “flags” will be redacted so please go run these commands on your own.

Level 1

This level is buckets of fun. See if you can find the first sub-domain.

Initial Recon

With any web-based challenge, it’s always a good starting point to look at the source code. However, this first level quickly shuts that down:

<!--
###############################################################################
# You're not going to find anything in the HTML code.  
# This is an AWS challenge.  None of what you used in other challenges will be
# helpful here.
###############################################################################    
-->

Hint 1

The first hint tells us to use dig to query the domain flaws.cloud for DNS record information. Because I’m wanting to just use my Windows desktop for everything, we need to find an alternative (because dig is not a native Windows binary, and for some reason ISC.org makes you go through a registration process to get your hands on pre-compiled binaries). Luckily, PowerShell does include a native cmdlet that mimics dig, which is Resolve-DnsName.

 Resolve-DnsName flaws.cloud

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
flaws.cloud                                    A      5     Answer     52.218.249.195
flaws.cloud                                    A      5     Answer     52.92.240.147
flaws.cloud                                    A      5     Answer     52.92.145.131
...

We can then use the same cmdlet on one of the A Record IP addresses:

 resolve-DnsName 52.218.249.195

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
195.249.218.52.in-addr.arpa    PTR    900   Answer     s3-website-us-west-2.amazonaws.com

This information tells us that the flaws.cloud domain points to a resource hosted on S3 within the us-west-2 region. We’ll pivot to the AWS CLI to see what kind of information we can gather with that.

S3 Recon

The AWS CLI is fortunately very intuitive to use, and Amazon’s documentation is also very good. We will try to enumerate the S3 bucket by running a simple ls command which functions like a normal *nix ls.

The format of the command is: aws <service> <command> <resource> <optional args>, so we’ll try aws s3 ls s3://flaws.cloud/ --region us-west-2. Unfortunately this command nets us an error: Unable to locate credentials. You can configure credentials by running "aws configure".. That kind of makes sense, because I don’t have any AWS credentials or profiles configured on my machine currently. This isn’t the end of the road though, the AWS Docs tell us we can use --no-sign-request to override the credential check and send an unauthenticated command request:

 aws s3 ls  s3://flaws.cloud/ --no-sign-request --region us-west-2
2017-03-13 23:00:38       2575 hint1.html
2017-03-02 23:05:17       1707 hint2.html
2017-03-02 23:05:11       1101 hint3.html
2020-05-22 14:16:45       3162 index.html
2018-07-10 12:47:16      15979 logo.png
2017-02-26 20:59:28         46 robots.txt
2017-02-26 20:59:30       1051 <the "flag">

Lesson Learned

This S3 bucket had weak permissions that allowed us to enumerate the directory contents, which is typically something blocked by most web-servers by default. This exposed a potentially sensitive document publicly. Being aware of what is publicly facing within your environment, and hardening where possible is an important step that is unfortunately often overlooked.

Level 2

Accessing the secret document on Level 1 points us to a new page http://redacted.flaws.cloud.