Cloud Labs

Misconfigured Bucket

Misconfigured Bucket Lab
  • When launching the lab we end up on this page

landing

It is hosted on an AWS S3 bucket, vnm-sec-aws. Googling around, we find a few interesting articles, and we can try this command with the AWS CLI:

    aws s3 ls s3://vnm-sec-aws --no-sign-request

However, we get an access denied error.

Access denied

We need to create an AWS account and get an access key ID and secret access key, so that we can use this account for our test. Check out here how to do so

Let's try get-bucket-acl, which has the form aws s3api get-bucket-acl --bucket <Bucket_Name>:

    aws s3api get-bucket-acl --bucket vnm-sec-aws

get acl

This means that all authenticated users (globally) can read the bucket.

Sounds good, let's try to list the content.

ls bucket

The a folder seems interesting.

The nesting goes on like this until the letter p, and in the p folder we have a flag file!!

flag

We can cp it to our local folder:

    aws s3 --profile gabrielle cp s3://vnm-sec-aws/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/flag.txt .

encoded flag

We now need to decode the flag, which is encoded in ROT47. We can use CyberChef to decode it.

ROT47

Public Bucket

public bucket challenge

We have this landing page

  • Let's ls the bucket with this command:

    aws s3 ls s3://vnm-sec-bucket --no-sign-request

ls public bucket

We can now try to cp the flag file:

    aws s3 cp s3://vnm-sec-bucket/flag.txt --no-sign-request .

It works and we get the flag!

flag

Special Policy Bucket

Special Policy challenge

We end up here:

website

Let's use nslookup on the IP

nslookup

COMING SOON
