Skip to main content

2 posts tagged with "cloud"

View All Tags

flAWS Level 1

Shubham
Cybersecurity Enthusiast

okay so this is a new series .. on cloud pentesting .. here we will be exploiting cloud and looking into some misconfigurations in it which can lead to accessing information that wasnt meant to ..
so this is level 1 ... you can see the homepage ...

Screenshot 2026-06-10 at 13 11 41

also this is cloud pentesting ... so no legacy methods will be applicable here lol ... if you inspect element ..

Screenshot 2026-06-10 at 14 06 11

faaahhh faaahhh moment lol ...

now look carefully at the description ... This level is *buckets* of fun .
in aws, bucket refers to aws s3 .. which is used to store files .. websites can actually be hosted directly out of these buckets ....
the level description explicitly highlights the word with asterisks ... it's a dead giveaway that the objective is to interact with an s3 bucket configuration ...

after looking into internet i found out that we can append the url with the .s3.amazonaws.com
thats basically bucketname.s3.amazonaws.com ...
so ... by navigating directly to http://flaws.cloud.s3.amazonaws.com/ instead of the standard web presentation layer ... you are bypassing the default index.html page and asking the s3 api directly .. "what files do you have in here?"

Screenshot 2026-06-10 at 14 09 17

now look at the last html file ... secret-xxxxxx.html ... thats what we want i believe ... so lets navigate there

Screenshot 2026-06-10 at 14 11 11

and yeah we did level one ...
alternatively we can use aws-cli also to solve this .. i might use it in upcoming levels ...!!

flAWS Level 2

Shubham
Cybersecurity Enthusiast

moving on to level 2 ...

Screenshot 2026-06-10 at 14 14 49

look here ... they have also given the explaination to the previous level .. good one ..

now its given that we'll need our own aws account ... so just go for it .. signup for free tier ... and create access key (make sure to download the access key .csv file else it will be gone) .. you might need while configuring aws-cli ... if you are on mac use brew install awscli or if you are using linux .. then go for installation script ...

# 1. Download the installer bundle
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# 2. Extract the files
unzip awscliv2.zip
# 3. Run the installation script
sudo ./aws/install

sorry i dont use windows :) ... just google it you'll find it easily ...

then .. configure your aws using command .. aws configure ... it will ask for access key you just generated ... once its done .. use the command: aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --region us-west-2

Screenshot 2026-06-10 at 14 24 12

and yeah we got the file ... so what was the misconfiguration here?
the core vulnerability here comes down to a massive misunderstanding of how aws defines "authenticated users".
when developers set up permissions on a bucket, aws gives them a pre-made access control list (acl) group called "any authenticated aws user".
the mistake was that ... the developer thought: "cool, i want to block the random public, but i want anyone on my team who is logged into our aws organization to be able to see these files. i'll check this box."

why it failed?

in aws architecture, "authenticated user" means absolutely anyone with a valid aws account anywhere on earth. it does not mean "authenticated to my specific company account". because aws manages identities globally, the brand-new personal account you just made is recognized as a valid, authenticated identity.
when you ran that aws s3 ls command with your new keys configured, the bucket looked at your signature, verified you were a real aws user, saw the broken permission policy, and let you right in to view the directory.

how to actually fix it

to secure this in the real world, you completely avoid using global acl groups. instead, you write a specific bucket policy that limits access strictly to your own unique aws account id or explicit iam roles, like this:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyMySpecificAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud"
}
]
}

anyway, grab that secret file name from the terminal output (secret-e4443fc.html), slap it onto the end of the level 2 URL, and let's head over to the next challenge page.

Screenshot 2026-06-10 at 14 37 21