Hi guys, welcome to InfoSecSecure.
In this blog, we are going to solve the flaws.cloud Level 1 challenge. We will not only solve the challenge but also cover the impact and mitigation for this vulnerability. First of all, you need to understand why you should solve the flaws.cloud challenges.
The simple answer: if you want to become a cloud pentester or grow your career in cloud security, you need to solve the flaws.cloud challenges.
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. These challenges give us basic knowledge of issues that we would not normally think of as vulnerabilities. The flaws.cloud Level 1 challenge contains AWS configuration-related vulnerabilities, which we are going to discover.
Solving this challenge requires basic knowledge of S3 buckets and regions. If you don't know them, don't worry: here is a short intro to both.
S3 bucket:
An S3 bucket is like a hard disk or pen drive, where we create folders and store data.
Region:
A region is like a location where we store our data. For example, in India, Mumbai is one AWS region, and we can store our data in this region.
Let's solve the flaws.cloud Level 1 challenge:
There are two solutions for this level of the challenge.
Solution 1:
We will follow some steps to solve this challenge:
- Visit the flaws.cloud website in your browser.
- First of all, read the Level 1 challenge carefully. In this challenge, we have to find a subdomain.
Now we have an idea of what we have to find. Let's find the subdomain.
- Open the terminal and run the "dig flaws.cloud" command. Observe the response: multiple IP addresses are returned.
- Next, use the nslookup command to check the domain name. Run the command shown in the screenshot and observe the response: it shows "s3-website-us-west-2.amazonaws.com", which points to an S3 bucket and its region. This will help us solve the challenge.
- Run the command "aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2" in the terminal to list the data in this particular S3 bucket.
- aws: the AWS CLI (awscli) command.
- s3: we are running this command against the S3 service.
- ls: lists the files and folders.
- s3://flaws.cloud/: the location we want to check.
- --no-sign-request: we are not using credentials.
- --region: us-west-2 is the location where the data is stored.
There is one sensitive file stored in the bucket. Its name is secret-dd02c7c.html.
- Download the secret-dd02c7c.html file using the command "aws s3 cp s3://flaws.cloud/secret-dd02c7c.html --no-sign-request --region us-west-2 InfoSecSecure.html".
- cp: copies the file from the bucket to the destination given at the end of the command, here the local file InfoSecSecure.html.
- Open the downloaded "InfoSecSecure.html" file. In this file, we get the message: Congrats! You found the secret file! Here is a subdomain for the Level 2 challenge: http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
- Visit the http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud URL. We have successfully solved this challenge.
Solution 2:
In Solution 1 we did a lot of hard work. In Solution 2 we will solve this challenge through smart work: you run a single command and the subdomain appears on your screen. After that, you will say AMAZING...
- Run: subfinder -d flaws.cloud
subfinder is a tool that helps find the subdomains of a website. We got the subdomain with a single command. This is a simple way to find subdomains.
As mentioned above, after solving this challenge we will discuss the impact and mitigation of this vulnerability.
Impact of an S3 bucket that allows access to everyone without an AWS account:
- Unauthorized access can lead to data exposure or leakage, compromising sensitive information stored in the bucket.
- Malicious actors may tamper with or delete data, affecting the integrity and availability of stored information.
- A data breach or loss of sensitive information can damage the organization’s reputation and erode customer trust.
- Unauthorized access can disrupt normal business operations, leading to downtime and productivity losses.
Mitigation for an S3 bucket that allows access to everyone without an AWS account:
- Review and adjust the bucket permissions to ensure that only authorized users and services have access.
- Implement the principle of least privilege, granting the minimum necessary permissions to perform required tasks.
- Enable AWS Identity and Access Management (IAM) for controlling access to AWS services.
- Use IAM roles and policies to enforce proper authentication and authorization.
- Review and modify bucket policies and ACLs to restrict access to specific IP ranges or authorized AWS accounts.
- Avoid using overly permissive “public” or “everyone” access in policies.
- Set up AWS CloudTrail to log all S3 bucket activities and regularly review these logs for any unauthorized access attempts.
- Utilize AWS Config to assess and audit the compliance of your resources.
Here we have successfully solved the Level 1 challenge. In the next blog, we will solve the Level 2 challenge.