Walkthrough: flaws.cloud Level 1

Author: L. D.
1 min read

Overview

flaws.cloud is an insecurely configured website hosted in the cloud (AWS) that was created to teach cloud security. The site consists of six levels of increasing difficulty; there are hints at each level to help along the way.

Pre-Requisites

  • Knowledge of AWS
  • Knowledge of AWS CLI
  • Knowledge of S3


Level 1

Level 1's challenge.

The challenge states:

This level is *buckets* of fun. See if you can find the first sub-domain.

S3 (Simple Storage Service) is an AWS object storage service. This means data is stored as unstructured objects, as opposed to block storage, which stores data in fixed-size blocks, as hard drives do. It also stores data in a flat, non-hierarchical namespace, unlike file storage, which follows a hierarchy of files and folders.

The container unit of S3 is the bucket, which can be thought of as a folder and can hold up to 5TB of data. All S3 bucket names share a single global namespace and therefore need to be unique.

A notable feature of S3 is that it can host static websites, with the bucket name used in the URL combined with the S3 endpoint.


Searching for S3's URL endpoint.


Taking this into account, I added this to the URL.


Adding the S3 endpoint to the URL.


This leads to an XML page. The page lists details of several files; one looks particularly interesting.


The contents of the S3 bucket and a secret file.
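The XML page in the screenshot is an S3 ListBucketResult, which the bucket endpoint returns when anyone, authenticated or not, is allowed to list the bucket. The script below is an added example (not part of the original walkthrough or of flaws.cloud) for auditing your own buckets: it takes the raw response of an unauthenticated request to a bucket endpoint and reports whether the bucket was listable, which keys were exposed, and which key names look like they should never be reachable anonymously. Both sample responses are constructed for this example, and the bucket name and object keys are made up.

```python
import re
import xml.etree.ElementTree as ET

# Namespace that S3 uses on every ListBucketResult document.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample: what an anonymous GET on a listable bucket endpoint returns.
# Bucket name and keys are invented for this example, not the real flaws.cloud contents.
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-static-site</Name>
  <Prefix></Prefix>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>index.html</Key>
    <LastModified>2023-04-01T10:00:00.000Z</LastModified>
    <Size>3015</Size>
  </Contents>
  <Contents>
    <Key>robots.txt</Key>
    <LastModified>2023-04-01T10:00:00.000Z</LastModified>
    <Size>46</Size>
  </Contents>
  <Contents>
    <Key>secret-notes.html</Key>
    <LastModified>2023-04-01T10:00:00.000Z</LastModified>
    <Size>1051</Size>
  </Contents>
</ListBucketResult>
"""

# Constructed sample: what the same request returns when listing is refused.
DENIED_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>EXAMPLEREQUESTID</RequestId>
</Error>
"""

# Key names that normally should not be reachable through an anonymous listing.
# The pattern is an assumption for this example; extend it to fit your own naming.
SENSITIVE_KEY = re.compile(r"(secret|backup|\.env$|\.bak$|\.sql$|credential|private)", re.I)


def classify_listing(xml_text: str) -> dict:
    """Classify an unauthenticated S3 bucket-endpoint response.

    Returns a dict with:
      listable - True if the bucket handed an object listing to the caller
      error    - the S3 error code when the request was refused, else None
      keys     - [(key, size), ...] for every object in the listing
      flagged  - keys whose names match SENSITIVE_KEY
    """
    root = ET.fromstring(xml_text)
    # Drop the namespace prefix so both document kinds compare cleanly.
    tag = root.tag.split("}", 1)[-1]
    if tag == "Error":
        return {"listable": False, "error": root.findtext("Code"),
                "keys": [], "flagged": []}
    if tag != "ListBucketResult":
        raise ValueError(f"unexpected S3 response root: {tag}")
    keys = []
    for obj in root.findall("s3:Contents", S3_NS):
        key = obj.findtext("s3:Key", namespaces=S3_NS)
        size = int(obj.findtext("s3:Size", default="0", namespaces=S3_NS))
        keys.append((key, size))
    flagged = [k for k, _ in keys if SENSITIVE_KEY.search(k)]
    return {"listable": True, "error": None, "keys": keys, "flagged": flagged}


if __name__ == "__main__":
    for label, doc in (("public", PUBLIC_LISTING), ("denied", DENIED_LISTING)):
        result = classify_listing(doc)
        state = "listable" if result["listable"] else f"refused ({result['error']})"
        print(f"{label}: {state}; {len(result['keys'])} keys; flagged: {result['flagged']}")
```

The expected outcome for a correctly locked-down bucket is the second shape: an `Error` document with `AccessDenied`, and no `ListBucketResult` at all. A static website can still serve its pages in that state, because serving `index.html` needs `s3:GetObject`, not `s3:ListBucket`.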


Searching for this file in the URL…


Searching for the file.


…leads to Level 2.


Getting the link to Level 2.


Conclusion

I believe the lesson of this level is that users of S3 need to ensure they are aware of who has access to their buckets. This includes blocking all public access to their buckets, which is probably why AWS automatically enabled the feature on all buckets by default from April 2023.
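Two things decide whether a bucket ends up listable the way this level's bucket is: the bucket policy (or ACL) that grants access, and the Block Public Access settings that veto such grants. The following is an added example, not code from the walkthrough or from AWS, that checks both offline: it lints a bucket policy for statements granting anonymous principals `s3:ListBucket`, and it reports which of the four Block Public Access settings are missing. The four setting names are the real field names of the S3 PublicAccessBlockConfiguration; the sample policy, bucket name and account id are constructed for this example.

```python
import fnmatch
import json

# The four S3 Block Public Access settings; all true blocks public ACLs and public policies.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample bucket policy for a static site. The first statement is the usual
# public read-object grant; the second additionally lets anyone enumerate the bucket,
# which is the over-exposure this level demonstrates. Account id and role are invented.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-static-site/*"
    },
    {
      "Sid": "PublicList",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-static-site"
    },
    {
      "Sid": "DeployerWrite",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-static-site", "arn:aws:s3:::example-static-site/*"]
    }
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_grants(policy: dict) -> dict:
    """Map each unconditional anonymous Allow statement (by Sid) to the actions it grants.

    Statements with a Condition are skipped: they may still be public, but they
    need case-by-case review rather than a blanket verdict.
    """
    grants = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        grants[sid] = sorted(_as_list(stmt.get("Action", [])))
    return grants


def allows_anonymous_listing(policy: dict) -> bool:
    """True if any anonymous grant covers s3:ListBucket, directly or via a wildcard."""
    return any(_action_matches(pattern, "s3:ListBucket")
               for actions in public_grants(policy).values()
               for pattern in actions)


def missing_public_access_blocks(config: dict) -> list:
    """Return the Block Public Access settings that are absent or not set to true."""
    return [k for k in BLOCK_ALL_PUBLIC_ACCESS if not config.get(k, False)]


if __name__ == "__main__":
    print("anonymous grants:", public_grants(SAMPLE_POLICY))
    print("anonymous listing allowed:", allows_anonymous_listing(SAMPLE_POLICY))
    print("missing blocks on an unset bucket:", missing_public_access_blocks({}))
```

With `BlockPublicPolicy` enabled, S3 refuses to store a policy like `SAMPLE_POLICY` in the first place, and `RestrictPublicBuckets` limits an already-public policy to principals in the bucket's own account, which is why turning all four on is the simplest fix for the exposure shown in this level. Where a site genuinely needs public reads, keep only the `s3:GetObject` statement and front it with CloudFront or an equivalent, so the bucket itself never has to be listable.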
