# Cloud Labs

## Misconfigured Bucket

![Misconfigured Bucket Lab](/files/HbpEFezP8zW3h6GMxOtT)

* When launching the lab, we land on this page:

![landing](/files/WfpSyf4vfs3XhlOygqKf)

The site is hosted on an AWS S3 bucket, `vnm-sec-aws`.\
Googling around, we find a few interesting articles, and we can try listing the bucket without credentials using the AWS CLI: `aws s3 ls s3://vnm-sec-aws --no-sign-request`\
However, we get an access denied error.

![Access denied](/files/rdUhQQWB5PyogHEmwQCi)

> We need to create an AWS account and get an access key ID and secret access key so that we can use this account for our test. Check out [here](/pentips/cloud-pentest/aws.md) how to do so.

Let's try this: `aws s3api get-bucket-acl --bucket <Bucket_Name>`\
`aws s3api get-bucket-acl --bucket vnm-sec-aws`

![get acl](/files/XijFgXgQgWWPo1ko0Ghw)

This means that all authenticated users (globally), that is, anyone signed in with any AWS account, can read the bucket.

Sounds good, let's try to list the content with our own credentials.

![ls bucket](/files/Fd6o6wOYlGeBwd0TJzWC)

The `a` folder seems interesting.

The nesting goes on like this until the letter `p`, and in the `p` folder we have a flag file!

![flag](/files/trxp025Qpul12RdlxhH5)

We can cp it to our local folder: `aws s3 --profile gabrielle cp s3://vnm-sec-aws/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/flag.txt .`

![encoded flag](/files/BV8cFhwx3HdIwvvQV7X4)

We now need to decode the flag, which is encoded in ROT47. We can use CyberChef to decode it.

![ROT47](/files/gCL8g1uPey5DahdRR5vd)
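
From the bucket owner's side, the same `get-bucket-acl` output can be checked automatically for the grant that made this lab possible. The script below is an added example, not part of the original writeup: it flags bucket ACL grants to the `AuthenticatedUsers` group and, going one step beyond this lab, to the `AllUsers` group. The sample ACL is constructed and the severity labels are this example's own convention.

```python
import json

# Predefined S3 groups whose grants reach beyond the bucket owner's account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, signed or anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS principal, in any account",
}
# Effect of each ACL permission when it is set on a bucket.
BUCKET_PERMISSIONS = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of READ, WRITE, READ_ACP and WRITE_ACP",
}
WRITE_LEVEL = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def audit_bucket_acl(acl_json):
    """Return one finding per grant that gives a global group access to the bucket."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") != "Group" or uri not in GLOBAL_GROUPS:
            continue  # the owner's CanonicalUser grant and LogDelivery are not global exposure
        perm = grant.get("Permission", "")
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "who": GLOBAL_GROUPS[uri],
            "permission": perm,
            "allows": BUCKET_PERMISSIONS.get(perm, "unrecognised permission"),
            # Severity labels are this example's own convention, not an AWS rating.
            "severity": "critical" if perm in WRITE_LEVEL else "high",
        })
    return findings

# Constructed sample in the shape `aws s3api get-bucket-acl` prints (not the lab's real output).
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ_ACP"},
    ],
})

if __name__ == "__main__":
    for f in audit_bucket_acl(SAMPLE_ACL):
        print(f"[{f['severity']}] {f['group']} ({f['who']}) may {f['allows']}")
```

A bucket-level `READ` grant only covers listing; whether the objects themselves can be downloaded depends on the object ACLs or the bucket policy. S3 Block Public Access treats grants to either of these two groups as public ACLs.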

## Public Bucket

![public bucket challenge](/files/XGg70pxqjuIBFOwYisDx)

We have this landing page\
![public bucket](/files/tQpL1US1bcCIahsa5lgA)

* Let's ls the bucket with this command `aws s3 ls s3://vnm-sec-bucket --no-sign-request`

![ls public bucket](/files/wjqyMmDo86bBscSHsvy3)

We can now try to cp the flag file: `aws s3 cp s3://vnm-sec-bucket/flag.txt --no-sign-request .`

It works and we get the flag!

![flag](/files/utS8NPjfkiJhf9t2eMFm)

## Special Policy Bucket

![Special Policy challenge](/files/xI3YKmJ9ZdDUYFkiCEO8)

We end up here:

![website](/files/Pc1XHLsAPBn1nwTHzTJi)

Let's use nslookup on the IP

![nslookup](/files/bNNLFcxOYtgBoO6rEjM9)

### COMING SOON

![Coming soon](/files/jkI4QotoHecf62YipxxY)


