Level 1
A CTF walkthrough for level 1 of Flaws.Cloud
Upon navigating to the challenge, flaws.cloud, we're provided a hint to get started.
We can assume this website is hosted in an AWS S3 Bucket. Let's confirm!
Let's see if we can list the bucket contents.
We'll use --no-sign-request, which basically means we're trying to access the bucket as an anonymous user.
Skip the hints and we'll view the file secret-dd02c7c.html. This can be done in the browser but we'll view it in the terminal.
Nice! We've found the next entry point for Level 2.
In Level 1, we're provided with a website endpoint. After enumerating it, we discovered it's an AWS S3 static website. Further enumeration as an unauthenticated user leads to finding a new domain for Level 2.
While no sensitive data was found in this bucket, it's important to be mindful of what actions someone can perform. In this case, as an anonymous user, we can enumerate the full bucket contents and even download files locally e.g.,
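
From the bucket owner's side, the same exposure can be caught before anyone else finds it. The following is an added example, not part of the original walkthrough: it reads a bucket policy document and reports whether listing or downloading is granted to everyone. The sample policy and the bucket name example-bucket are constructed, and the check covers the bucket policy only, not ACLs or Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy for a hypothetical bucket "example-bucket";
# it is not the real flaws.cloud policy, which the page does not show.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# The two actions the walkthrough exercises anonymously: list and download.
RISKY = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean anyone, including unsigned requests.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy_json):
    """Map each risky action open to everyone -> True if only under a Condition."""
    found = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        conditional = bool(stmt.get("Condition"))  # conditional grants need manual review
        for pattern in _as_list(stmt.get("Action", [])):
            for action in RISKY:
                # Action names are case-insensitive and may use * wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    found[action] = found.get(action, True) and conditional
    return found
```

An empty result means the policy itself grants neither action to anonymous callers; a value of False marks an unconditional public grant like the one this level relies on.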