# Cloud Labs ## Misconfigured Bucket ![Misconfigured Bucket Lab](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-61ceb3bb96475f4b61191309408f71ab107a980f%2F2023-04-29-16-20-02.png?alt=media) * When launching the lab we end up on this page ![landing](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ed87c901dd100d1136ac2217f929dd8a54c95ae7%2F2023-04-29-16-23-20.png?alt=media) It is hosted on an AWS S3 bucket `vnm-sec-aws`.\ Googling around we find a few interesting articles and we can try this command with the aws cli `aws s3 ls s3://vnm-sec-aws --no-sign-request`\ However we get an access denied ![Access denied](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-269a7b5e6c58edd7a944282c4effa3bee3e79cd5%2F2023-04-29-16-38-22.png?alt=media) > We need to create an aws account and get access ID and secret access this way we will be able to use this account for our test. Check out [here](https://csbygb.gitbook.io/pentips/cloud-pentest/aws) how to do so Let's try this `aws s3api get-bucket-acl --bucket `\ `aws s3api get-bucket-acl --bucket vnm-sec-aws` ![get acl](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-243c11d7687eede6dbf54537742a1d4199ae7137%2F2023-07-07-16-24-33.png?alt=media) This means that all authenticated users (globally) can read the bucket. Sounds good let's try to list the content ![ls bucket](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-cbc3b7512b5e4ef3cbd1fc4d3f8e8cc06788eaab%2F2023-07-07-16-43-17.png?alt=media) The a folder seems interesting It goes like this until letter p and in the p folder we have a flag file!! ![flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7d738a080f2dbac893590f064c65ff229ec1f8eb%2F2023-07-07-16-45-41.png?alt=media) We can cp it to our local folder `aws s3 --profile gabrielle cp s3://vnm-sec-aws/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/flag.txt .` ![encoded flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-58abae509973200398e13e4ea432bfcc597c1adc%2F2023-07-07-16-48-32.png?alt=media) We now need to decode the flag which is in ROT47. We can use Cyberchef to decode it. ![ROT47](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-287c17a249d7c422c1231fa7f231d88e35b42243%2F2023-07-07-17-15-13.png?alt=media) ## Public Bucket ![public bucket challenge](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8df619a11775c24182f23918fdadb524606301c3%2F2023-07-07-17-29-33.png?alt=media) We have this landing page\ ![public bucket](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-5475cf0602035bcc22565a0b68d884e8fd9ec0c8%2F2023-07-07-17-29-21.png?alt=media) * Let's ls the bucket with this command `aws s3 ls s3://vnm-sec-bucket --no-sign-request` ![ls public bucket](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-2bb5a9e498af2e8566c1b0f13bdecb300967597f%2F2023-07-07-17-40-59.png?alt=media) We can now try to cp the flag file `aws s3 cp s3://vnm-sec-bucket/flag.txt --no-sign-request .` It works and we get the flag! ![flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ba0951f2fbda5d41f8a571ed35deaadd7e5158bd%2F2023-07-07-17-42-50.png?alt=media) ## Special Policy Bucket ![Specila Policy challenge](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a00ec6440b2941297de3703c81c23a26242cb7a7%2F2023-07-07-17-16-15.png?alt=media) We end up here: ![website](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-b9e4a655ece988fba5e31630b1f3884c16ef8ab7%2F2023-07-07-10-15-02.png?alt=media) Let's use nslookup on the IP ![nslookup](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a62c0137cde5bf3837828fc0eb470433e6681f75%2F2023-07-07-10-16-00.png?alt=media) ### COMING SOON ![Coming soon](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-79c94f83d11d2dcfbf46dd6e9f56209f3dcdcfc1%2F2024-07-03-16-57-38.png?alt=media)