Hi Guys, Welcome to InfoSecSecure.

In this blog, we are going to solve the Flaws.cloud LEVEL6 challenge. Before solving this challenge you need to solve the previous challenges. We will not only solve the challenge but also provide the impact and mitigation/solution for this vulnerability.

Click here for LEVEL1 Challenge
Click here for LEVEL2 Challenge
Click here for LEVEL3 Challenge
Click here for LEVEL4 Challenge
Click here for LEVEL5 Challenge

These challenges teach us about basic vulnerabilities, the kind we often do not think of as vulnerabilities. In this flaws.cloud challenge there are AWS configuration-related vulnerabilities, which we are going to discover:


Before solving this challenge, you should be aware of IAM policies, policy ARNs, and Lambda. If you don’t know them, don’t worry: we will provide a short intro to IAM policies, policy ARNs, and Lambda.

AWS IAM Policy:

Amazon Web Services (AWS) Identity and Access Management (IAM) policies are documents that define permissions and access controls for AWS resources. IAM policies are associated with IAM users, groups, or roles and determine what actions users and resources are allowed or denied.

AWS Policy ARN (Amazon Resource Name):

IAM policies use ARNs to uniquely identify AWS resources. ARNs are structured strings that represent resources in a consistent format.

  • Example S3 bucket ARN:
    • arn:aws:s3:::example-bucket

AWS Lambda:

AWS Lambda is a serverless computing service provided by Amazon Web Services (AWS). It enables you to run your code without the need to provision or manage servers. Lambda automatically scales and manages the compute resources required to run your code, allowing you to focus on writing the actual application logic.

Let’s solve this challenge:


Challenge: We’re given a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account. Through the policy, we have to collect the evidence and build a URL. Our challenge is to find or build that URL.

Solution: We have to make use of the access this AWS account gives us and find the evidence needed to build the URL. That will help us solve this challenge.


We will follow some steps to solve this challenge:

  • Open LEVEL6 “http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/” in your browser and copy the AWS credentials.
  • Configure these credentials on your machine.
    • Run: aws configure --profile level6
      • AWS Access Key ID [None]: AKIAJFQ6E7BY57Q3OBGA
      • AWS Secret Access Key [None]: S2IpymMBlViDlqcAnFuZfkVjXrYxZYhP+dZ4ps+u
      • Default region name [None]: us-west-2
      • Default output format [None]:
  • As mentioned in the challenge, the user access key has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account.
    • Run: aws --profile level6 iam get-user
      • aws: This is the AWS CLI command-line tool.
      • --profile level6: This specifies the named AWS CLI profile to use. Profiles are configurations that store your AWS security credentials and other settings. In this case, it uses the profile named “level6”.
      • iam: This indicates that the AWS Identity and Access Management (IAM) service is the target of the command.
      • get-user: This is the specific command to retrieve information about an IAM user.

The output of the command provides details about the specified IAM user with the username “Level6.” The response is in JSON format and includes the following information:

  • Path: The path to the user. In this case, it is “/” indicating the root path.
  • Username: The name of the IAM user, which is “Level6.”
  • UserId: The unique identifier for the user, in this case, “AIDAIRMDOSCWGLCDWOG6A.”
  • Arn: The Amazon Resource Name (ARN) for the user, which is a unique identifier across AWS accounts and regions. It follows the format “arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/USERNAME.”
  • CreateDate: The timestamp indicating when the user was created, in this case “2017-02-26T23:11:16+00:00”.
  • Open Notepad and write down the username “Level6”.
  • We have the username “Level6”. Here we will try to find the managed policies attached to this specific IAM (Identity and Access Management) user.
    • Run: aws --profile level6 iam list-attached-user-policies --user-name Level6
      • list-attached-user-policies: This is the specific IAM command used to list the managed policies that are attached to a specified IAM user.
      • --user-name Level6: This specifies the IAM user name for which the attached policies should be listed (Level6 in this case).

The output of the command provides information about the attached policies for the specified IAM user (Level6). In this output, the user has two attached policies:

  • MySecurityAudit:
    • PolicyName: MySecurityAudit
    • PolicyArn: arn:aws:iam::975426262029:policy/MySecurityAudit
  • list_apigateways:
    • PolicyName: list_apigateways
    • PolicyArn: arn:aws:iam::975426262029:policy/list_apigateways
  • We have the policy ARNs. Using a policy ARN, we will retrieve information about an Identity and Access Management (IAM) policy.
    • Run: aws --profile level6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
      • get-policy: This is the subcommand used to retrieve details about an IAM policy.
      • --policy-arn arn:aws:iam::975426262029:policy/list_apigateways: This specifies the Amazon Resource Name (ARN) of the IAM policy you want to retrieve information about. In this case, the ARN is for the policy named “list_apigateways” in the AWS account with ID 975426262029.

The output of the command provides information about the IAM policy with the specified ARN. Here we will not focus on the other details; we need the “DefaultVersionId” for this challenge.

  • Here we have two things: the policy ARN and the version ID. Using these details, we will retrieve a specific version of the IAM policy from AWS Identity and Access Management (IAM).
    • Run: aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4

This output provides details about the specified IAM policy version, including the policy document, version ID, whether it is the default version and the creation date. In this case, the policy allows the “apigateway:GET” action on resources with the specified ARN in the “us-west-2” region.
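The chain of get-user, list-attached-user-policies, get-policy and get-policy-version above is exactly what an auditor runs to answer “what else can this key do?”. The Python script below is an added example, not code from the original walkthrough: it parses `aws iam get-policy-version` output (a constructed sample is embedded; the Resource ARN in it is an assumption, the real document may differ), flattens every Allow statement into (action, resource) pairs, and flags any grant that is not read-only. Pipe the real CLI output into it to review each policy attached to an audit user.

```python
import json

# Constructed sample of `aws iam get-policy-version` output for the
# list_apigateways policy. The Resource ARN is an assumption for this
# example; the document returned by the real account may differ.
SAMPLE_POLICY_VERSION = json.dumps({
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "apigateway:GET",
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
                }
            ],
        },
        "VersionId": "v4",
        "IsDefaultVersion": True,
        "CreateDate": "2017-02-27T00:00:00+00:00",
    }
})

# Verb prefixes treated as read-only (compared case-insensitively, so the
# HTTP-style apigateway:GET counts as well as iam:GetPolicy).
READ_ONLY_PREFIXES = ("get", "list", "describe", "head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_document(get_policy_version_json):
    """Extract the policy Document from `aws iam get-policy-version` output."""
    return json.loads(get_policy_version_json)["PolicyVersion"]["Document"]


def allow_grants(document):
    """Flatten every Allow statement into (action, resource) pairs."""
    grants = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions;
            # surface it as a wildcard so a reviewer cannot miss it.
            grants.extend(("*", r) for r in resources)
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in resources:
                grants.append((action, resource))
    return grants


def is_read_only(action):
    """Heuristic: Get*/List*/Describe*/Head* verbs are read-only; wildcards are not."""
    if action == "*" or action.endswith(":*"):
        return False
    _, _, verb = action.partition(":")
    return verb.lower().startswith(READ_ONLY_PREFIXES)


def review(get_policy_version_json):
    """Summarise what the policy grants and flag anything beyond read-only."""
    grants = allow_grants(policy_document(get_policy_version_json))
    return {
        "grants": grants,
        "services": sorted({action.partition(":")[0] for action, _ in grants}),
        "write_grants": [(a, r) for a, r in grants if not is_read_only(a)],
    }


if __name__ == "__main__":
    # Usage: aws iam get-policy-version ... | python3 review_policy.py
    # Falls back to the constructed sample when nothing is piped in.
    import sys
    source = "" if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(review(source or SAMPLE_POLICY_VERSION), indent=2))
```

For the sample document the report shows a single read-only grant on the apigateway service and an empty `write_grants` list, which is the expected shape for a policy attached to an audit-only user; any entry in `write_grants`, or a `*` produced by a NotAction statement, is what should trigger a closer look.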

  • Run: aws --region us-west-2 --profile level6 lambda list-functions
    • This command lists the Lambda functions in a specific AWS region using a named profile.

The output of the command lists the functions in the region; note the function name, “Level6”.

  • Run: aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
    • This command is used to retrieve the resource-based policy attached to an AWS Lambda function.
      • lambda: This is the AWS service identifier. It indicates that you are working with AWS Lambda.
      • get-policy: This is the sub-command used to retrieve the resource-based policy attached to an AWS Lambda function.
      • --function-name Level6: This flag specifies the name of the Lambda function for which you want to retrieve the policy. In this case, the function name is set to “Level6”.

The output of the command provides information about the Lambda function’s policy.

Note: note down the REST API ID “s33ppypa75”.

The policy JSON document includes information such as the version, statement, effect, principal, action, resource, and conditions. In this example, the policy allows the API Gateway service to invoke the “Level6” Lambda function under specific conditions related to the source ARN of the API Gateway endpoint.

  • Open Notepad and write a URL using the highlighted value from the screenshot above.
    • URL: http://s33ppypa75.execute-api.us-west-2.amazonaws.com/
  • Run: aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id “s33ppypa75”
    • This command retrieves information about the stages of an API Gateway deployment.
      • apigateway: This is the AWS service targeted by the command, in this case Amazon API Gateway.
      • get-stages: This is the specific command to retrieve information about the stages of an API Gateway deployment.
      • --rest-api-id “s33ppypa75”: This is the unique identifier for the API Gateway REST API. The value “s33ppypa75” is the REST API ID whose stages you want to list.

The output of the command provides information about the stages of the specified API Gateway deployment. In this output, we have to note the stage name.

  • Open Notepad and write the full URL “http://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6”.
  • Open this URL “http://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6” in your browser. The output of this website provides a URL “http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/”.
  • Open this URL “http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/” in your browser and observe the response.
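The steps from `lambda get-policy` through `apigateway get-stages` are an inventory question an owner of this account should be able to answer too: which public API Gateway endpoints are allowed to invoke a given function? The Python script below is an added example, not code from the original walkthrough. It decodes the Lambda resource policy (note that the `Policy` field returned by the CLI is a JSON document serialised inside a JSON string, so it is decoded twice), reads the `AWS:SourceArn` condition, parses the execute-api ARN into region, API id, stage, method and path, and combines it with the stage list to produce the endpoint URLs. The embedded samples are constructed; the Sid, RevisionId and the exact SourceArn value are assumptions made for this example.

```python
import json
import re

# Constructed sample of `aws lambda get-policy --function-name Level6` output.
# The "Policy" value is itself a JSON document serialised as a string. Sid,
# RevisionId and the exact SourceArn are assumptions for this example.
SAMPLE_LAMBDA_GET_POLICY = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "example-sid",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:975426262029:function:Level6",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"}},
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Constructed sample of `aws apigateway get-stages --rest-api-id s33ppypa75` output.
SAMPLE_GET_STAGES = json.dumps({"item": [{"stageName": "Prod", "deploymentId": "abc123"}]})

# Shape of an execute-api ARN: arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/PATH
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>[^:]*):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$"
)


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def api_gateway_invokers(get_policy_json):
    """Return the parsed execute-api source ARNs whose API Gateway may invoke the function."""
    policy = json.loads(json.loads(get_policy_json)["Policy"])  # decoded twice on purpose
    invokers = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "lambda:InvokeFunction" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "apigateway.amazonaws.com" not in services:
            continue
        condition = stmt.get("Condition", {})
        source_arns = []
        for operator in ("ArnLike", "ArnEquals"):
            source_arns.extend(_as_list(condition.get(operator, {}).get("AWS:SourceArn", [])))
        if not source_arns:
            # No SourceArn restriction: any API Gateway in any account may invoke it.
            invokers.append({"unrestricted": True})
            continue
        for arn in source_arns:
            match = EXECUTE_API_ARN.match(arn)
            if match:
                invokers.append(match.groupdict())
    return invokers


def stage_names(get_stages_json):
    """Stage names from `aws apigateway get-stages` output."""
    return [stage["stageName"] for stage in json.loads(get_stages_json).get("item", [])]


def invoke_urls(get_policy_json, get_stages_json):
    """Combine API id, region and path from the policy with the deployed stages into endpoint URLs."""
    urls = []
    for inv in api_gateway_invokers(get_policy_json):
        if inv.get("unrestricted"):
            continue
        # A "*" stage in the ARN means every deployed stage exposes the function.
        stages = stage_names(get_stages_json) if inv["stage"] == "*" else [inv["stage"]]
        for stage in stages:
            urls.append(f"https://{inv['api_id']}.execute-api.{inv['region']}.amazonaws.com/{stage}/{inv['path']}")
    return urls


if __name__ == "__main__":
    for url in invoke_urls(SAMPLE_LAMBDA_GET_POLICY, SAMPLE_GET_STAGES):
        print(url)
```

Two findings this makes easy to spot during a review: a statement with no `AWS:SourceArn` condition at all (reported as `unrestricted`), and a `*` in the stage position, which means every stage of the API, not only the one you expected, fronts the function.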

As mentioned above, after solving this challenge we will discuss the impact and mitigation of this vulnerability.

Impact for hardcoding credentials:

  • Attackers who gain access to AWS credentials can misuse them to access and control AWS resources, leading to data breaches, service disruptions, or financial losses.
  • Exposing AWS credentials increases the risk of data breaches, as attackers can potentially access sensitive data stored in AWS services.
  • Unauthorized access to AWS resources can lead to financial losses due to misuse of services or resource scaling.

Mitigation for hardcoding credentials:

  • Use the principle of least privilege, ensuring that AWS credentials have only the necessary permissions. Regularly review and update permissions to minimize the potential impact.
  • Encrypt sensitive data stored in AWS using tools like AWS Key Management Service (KMS). Implement access controls and regularly audit access logs to detect and respond to unauthorized access attempts.
  • Store credentials securely using tools like AWS Secrets Manager or AWS Systems Manager Parameter Store. Avoid hardcoding credentials in code or configuration files.
  • Enable MFA for AWS accounts and IAM users to add an additional layer of security, even if credentials are compromised.
  • Implement AWS CloudTrail for logging and monitoring AWS API activity. Set up alerts to notify of any suspicious activity.
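The last bullet is the one that would actually catch the activity in this walkthrough: every call made above (get-user, list-attached-user-policies, get-policy, get-policy-version, list-functions, lambda get-policy, get-stages) is recorded by CloudTrail, and a credential that walks IAM, Lambda and API Gateway metadata in a few minutes looks quite different from normal use. The Python below is an added example, not code from the original post or from AWS: it runs a simple burst detector over constructed CloudTrail records (the timestamps, IP addresses and access key ids are made up; the eventName values are the ones CloudTrail uses for these CLI calls) and raises one alert per access key that issues several enumeration calls across more than one service inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(time, source, name, user="Level6", key="AKIAEXAMPLE00000001", ip="203.0.113.7"):
    """Build a trimmed CloudTrail record with only the fields the detector reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"userName": user, "accessKeyId": key}, "sourceIPAddress": ip}


# Constructed sample records (times, IPs and key ids are made up). The
# sequence mirrors the CLI calls in this walkthrough; the Lambda event names
# carry the API version suffix CloudTrail records for them.
SAMPLE_EVENTS = [
    _rec("2024-01-01T10:00:05Z", "iam.amazonaws.com", "GetUser"),
    _rec("2024-01-01T10:00:40Z", "iam.amazonaws.com", "ListAttachedUserPolicies"),
    _rec("2024-01-01T10:01:10Z", "iam.amazonaws.com", "GetPolicy"),
    _rec("2024-01-01T10:01:30Z", "iam.amazonaws.com", "GetPolicyVersion"),
    _rec("2024-01-01T10:02:00Z", "lambda.amazonaws.com", "ListFunctions20150331"),
    _rec("2024-01-01T10:02:30Z", "lambda.amazonaws.com", "GetPolicy20150331"),
    _rec("2024-01-01T10:03:00Z", "apigateway.amazonaws.com", "GetStages"),
    # Benign: a single lookup from another key is not a burst.
    _rec("2024-01-01T10:03:30Z", "iam.amazonaws.com", "GetUser",
         user="ops", key="AKIAEXAMPLE00000002", ip="198.51.100.4"),
]

# Read-only calls that, taken together, map out what a credential can reach.
ENUMERATION_EVENTS = {
    "iam.amazonaws.com": {"GetUser", "ListAttachedUserPolicies", "ListUserPolicies",
                          "GetPolicy", "GetPolicyVersion"},
    "lambda.amazonaws.com": {"ListFunctions20150331", "GetPolicy20150331"},
    "apigateway.amazonaws.com": {"GetRestApis", "GetStages"},
}


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def enumeration_alerts(events, window=timedelta(minutes=10), min_calls=5, min_services=2):
    """Flag access keys that issue many enumeration calls across several services in one window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in ENUMERATION_EVENTS.get(ev.get("eventSource"), ()):
            by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)

    alerts = []
    for key, recs in by_key.items():
        recs.sort(key=_ts)
        # Slide a window over the key's calls; alert on the first window that qualifies.
        for i, first in enumerate(recs):
            span = [r for r in recs[i:] if _ts(r) - _ts(first) <= window]
            services = sorted({r["eventSource"] for r in span})
            if len(span) >= min_calls and len(services) >= min_services:
                alerts.append({
                    "accessKeyId": key,
                    "userName": first["userIdentity"].get("userName"),
                    "sourceIPs": sorted({r["sourceIPAddress"] for r in span}),
                    "services": services,
                    "calls": [r["eventName"] for r in span],
                    "start": first["eventTime"],
                })
                break  # one alert per key is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in enumeration_alerts(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately conservative defaults rather than tuned values: an audit tool that legitimately uses the SecurityAudit policy will also trip them, so in practice you would allow-list the keys and source IPs such tooling runs from and alert on everything else.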

Congratulations on completing the flAWS challenge!