# Level 1

Let’s first install the AWS CLI. You can do so by following the link here for the latest version: <https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html>

The first thing I wanted to try is to see what the site (flaws.cloud) resolves to. We can do a DNS lookup by using the nslookup command. It returned a number of associated IP addresses.

```
nslookup flaws.cloud
```

<div align="left"><figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FGMV0lmhfxNqdzFcY2j96%2Fimage.png?alt=media&#x26;token=12b90146-c72f-4f00-8662-1274a492c40f" alt=""><figcaption></figcaption></figure></div>

Another way of achieving this result is by using the host command.

```
host flaws.cloud
```

<div align="left"><figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F5hgwijqSvP63cDltrf4g%2Fimage.png?alt=media&#x26;token=6dfd0044-ec0f-4a5f-892e-626f9906ab65" alt=""><figcaption></figcaption></figure></div>

Now, let’s do a reverse lookup of the IP address using the host command again. The results came back with an S3 bucket that is located in the us-west-2 region. S3 buckets are commonly used to host static websites. With this information in mind, we can find the subdomain.

```
host 52.92.163.195
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FZTp6EYuDwmt6mrzA9SC6%2Fimage.png?alt=media&#x26;token=6c025e89-2f30-4909-afb1-ac280fe787a7" alt=""><figcaption></figcaption></figure>

S3 buckets typically follow two different URL formats (see below).

* `http://s3.amazonaws.com/[bucket_name]/`
* `http://[bucket_name].s3.amazonaws.com/`

Let’s attempt to browse to the site using the first format (<http://s3.amazonaws.com/flaws.cloud>). It seems that this endpoint is not the correct one, but it does point us to an endpoint that matches our second URL format.

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F0NBXiTloVK0YhnlVq4b8%2Fimage.png?alt=media&#x26;token=9ce01a4e-3c96-45aa-9b16-2232cd1e28e6" alt=""><figcaption></figcaption></figure>

When we browse to <http://flaws.cloud.s3.amazonaws.com/> we are greeted with bucket contents. Within the contents, we can see that there is a "secret" html file.

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FDFHwldCFY1ZLjD52bxZy%2Fimage.png?alt=media&#x26;token=a2a4eb6a-daea-4ee2-a747-66fe21a1c24e" alt=""><figcaption></figcaption></figure>

We can append this to the URL (<http://flaws.cloud.s3.amazonaws.com/secret-dd02c7c.html>) and we passed Level 1!

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FaBKzbW4DmNxrJaxFwwru%2Fimage.png?alt=media&#x26;token=ec337cf7-9967-4066-82b0-ab1e51d24ebf" alt=""><figcaption></figcaption></figure>

Another way to accomplish this is to use the command line. We can try to list the content of the bucket by using the aws s3 ls command. We will also need to specify the region which we gathered from the domain lookup.

When we run the command, we get an error message saying “Unable to locate credentials. You can configure credentials by running "aws configure".” Since we are not authenticated, we do not have access to the bucket.

```
aws s3 ls s3://flaws.cloud/ --region us-west-2
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FslAGzloYcCPDMZVJSk2t%2Fimage.png?alt=media&#x26;token=b2cade11-081a-4ad7-93ca-ac412962ecc2" alt=""><figcaption></figcaption></figure>

Let’s try to get around this by using the --no-sign-request option. This is a Boolean switch that allows you to disable signing HTTP requests to the AWS endpoint.

You can find more information here: <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-options.html>

It looks like that worked! We were able to access the contents of the bucket and see the same contents as the XML page.

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FHjlD4oJuP3nTzHSPq9MJ%2Fimage.png?alt=media&#x26;token=4e15a072-ba5e-420f-b60e-07d3a0888008" alt=""><figcaption></figcaption></figure>

**Lessons Learned**

Although S3 buckets are private when created, many people change the bucket policy to allow everyone to view the bucket when hosting a public website. To ensure that the bucket contents cannot be listed, the "List" permission should be turned off.
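
To check your own buckets for this mistake, the sketch below flags bucket-policy statements that let anyone list the bucket. It is an added example, not part of the original walkthrough; it assumes access is granted through a JSON bucket policy, and the bucket name `example-site-bucket`, the Sids and both sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

LIST_ACTION = "s3:listbucket"  # permission behind `aws s3 ls` and the XML listing

def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller, signed or not."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def public_list_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that lets anyone list."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # Action entries may be wildcards such as "s3:*" or "s3:List*".
        # Condition blocks are not evaluated: a conditional grant is still reported.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase(LIST_ACTION, a) for a in actions):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed policies for a hypothetical bucket named example-site-bucket.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadAndList", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-site-bucket",
                 "arn:aws:s3:::example-site-bucket/*"]}]})

FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*"}]})

if __name__ == "__main__":
    print("weak :", public_list_statements(WEAK_POLICY))
    print("fixed:", public_list_statements(FIXED_POLICY))
```

The fixed policy still serves the website's objects to everyone but no longer exposes the file listing. Bucket ACLs can also grant list access and are not covered by this check.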
