flaws.cloud notes
Level 1
1. Identify whether a site is hosted as an S3 bucket
Use dig
to do a DNS lookup on the domain.
❯ dig +nocmd flaws.cloud +answer +multiline
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;flaws.cloud. IN A
;; ANSWER SECTION:
flaws.cloud. 4 IN A 52.218.251.26
;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 11 10:18:48 +08 2021
;; MSG SIZE rcvd: 45
Visiting 52.218.251.26 in the browser brings me to https://aws.amazon.com/s3/. Or use curl
to see the redirected URL.
❯ curl -Ls -o /dev/null -w %{url_effective} 52.218.251.26
https://aws.amazon.com/s3/
Or, use nslookup
, to realize that it is indeed a s3 bucket, hosted in the AWS region us-west-2.
❯ nslookup 52.218.251.26
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
26.251.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Authoritative answers can be found from:
Side note: All S3 buckets, when configured for web hosting, are given an AWS domain you can use to browse to it without setting up your own DNS. In this case, flaws.cloud can also be visited by going to http://flaws.cloud.s3-website-us-west-2.amazonaws.com/
2. Attempt to browse the bucket
❯ aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2
2017-03-14 11:00:38 2575 hint1.html
2017-03-03 12:05:17 1707 hint2.html
2017-03-03 12:05:11 1101 hint3.html
2020-05-23 02:16:45 3162 index.html
2018-07-11 00:47:16 15979 logo.png
2017-02-27 09:59:28 46 robots.txt
2017-02-27 09:59:30 1051 secret-dd02c7c.html
The --no-sign-request
argument works as follows:
--no-sign-request (boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
Due to bad permission configurations, I can list the bucket without any credentials.
If I don’t know the region, I can either try them one by one, or use cyberduck to browse it, which will figure out the region automatically.
You can also just visit http://flaws.cloud.s3.amazonaws.com/ which lists the files due to the permissions issues on this bucket.
Level 2
Trying to list the bucket doesn’t work here.
❯ aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud --no-sign-request --region us-west-2
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied