Businesses are increasingly shifting their operations to the cloud. The cloud gives you access to more applications, enhances data accessibility, helps your team collaborate more effectively, and provides easier content management.
Cloud offerings like Amazon Web Services (AWS) are generally secure; however, it's almost impossible to eliminate cloud security risks.
Cloud security is a collection of security measures designed to protect cloud-based infrastructure, applications, and data. These measures ensure user and device authentication, data and resource access control, and data privacy protection. They also support regulatory data compliance. Cloud security is employed in cloud environments to protect a company's data from distributed denial of service (DDoS) attacks, malware, hackers, and unauthorized user access or use.
Flaws or security misconfigurations, which could enable attackers to disable security, affect cloud services.
Now we will discuss security on Amazon Web Services through the FLAWS challenges.
flaws.cloud is an interesting AWS-based security misconfiguration challenge developed by Scott Piper from Summit Route.
This challenge may have been developed to highlight common misconfigurations in the AWS cloud environment. A large portion of the beginning of the challenge has to do with S3 (Simple Storage Service) misconfigurations.
Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS).
There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS-specific issues.
A series of hints are provided that will teach you how to discover the info you'll need. If you don't want to actually run any commands, you can just keep following the hints which will give you the solution to the next level. At the start of each level you'll learn how to avoid the problem the previous level exhibited.
Also note that everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud.
Now let's get started with the challenge.
- Let's see if we can find the first sub-domain.
- I'll open up my terminal
I run a command to obtain the IP address of the website by using
Now we can start with domain reconnaissance by using the
After we ran this command, we got this information, which tells us that the website is hosted on an S3 bucket in the region (west-2).
- I attempted to use the aws-cli tool to list the bucket's contents to see if they were available to the general public, but it required user credentials.
aws s3 ls s3://flaws.cloud
- Because we didn't have any user credentials, I attempted to use the --no-sign-request flag, which allows access to the bucket without requiring credentials. It worked, and the bucket's contents were shown.
- Now, we navigate to the "secret-dd02c7c.html" file since it appeared interesting.
The flaw in this level:
Some developers or cloud users set up S3 buckets without implementing the correct permissions (which makes them accessible to everyone), leaving the bucket's content vulnerable to unauthorized access.
- I open the URL that I obtained from the secret file in level 1 to start level 2
- This level is fairly similar, with a slight twist.
- Now, I tried to list the content of the S3 bucket.
As you can see, access was denied. We need an authenticated AWS account; you just need the free tier.
- I already have one, so I'm going to clarify how to get the AWS access key.
- I open my account and select the security credential option.
- Then I created an access key.
- I'll use the key to set the AWS configuration, and then I can list the content of the S3 bucket using the command below.
aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
- Now, I'm going to open the secret file by adding it to the URL and opening it with my browser.
- I solved the challenge, and the secret file also has the link to the next level.
The flaw in this level:
Open permissions to "Any Authenticated AWS User": anyone with an AWS account who was an authenticated user could list out a bucket. This setting can no longer be set in the web console; however, you may find some older environments that were configured using a third-party tool or the software development kit that may have this option on, so this is one way to check.
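The level 1 and level 2 flaws can both be checked for from the defender's side. The following is an added example, not part of the original walkthrough: it reads the JSON printed by aws s3api get-bucket-acl and reports grants made to the two predefined public groups. The sample ACLs are constructed and are not the real ACLs of the flaws.cloud buckets; a bucket opened through a bucket policy instead of an ACL is not covered.

```python
import json

# Predefined S3 grantee groups that reach beyond named accounts.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone, no credentials",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# What each ACL permission allows when it is granted on a bucket.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL",
    "FULL_CONTROL": "all of the above",
}

def risky_grants(acl_json):
    """Return (audience, permission, effect) for every grant to a public group."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and audience:
            perm = grant.get("Permission")
            findings.append((audience, perm, EFFECT.get(perm, "unknown")))
    return findings

def _acl(*grants):
    # Helper that builds a constructed ACL document with an owner grant first.
    owner = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
             "Permission": "FULL_CONTROL"}
    return json.dumps({"Owner": {"ID": "constructed-owner-id"},
                       "Grants": [owner, *grants]})

def _group(name, perm):
    uri = "http://acs.amazonaws.com/groups/global/" + name
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}

# Constructed samples: listable by anyone, listable by any AWS account, private.
LEVEL1_STYLE = _acl(_group("AllUsers", "READ"))
LEVEL2_STYLE = _acl(_group("AuthenticatedUsers", "READ"))
PRIVATE = _acl()

if __name__ == "__main__":
    for name in ("LEVEL1_STYLE", "LEVEL2_STYLE", "PRIVATE"):
        print(name, risky_grants(globals()[name]) or "no public grants")
```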
- In this level, it's time to find the first AWS key that will let you list what the other buckets are.
- Let's list the S3 content by running this command:
aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ --no-sign-request --region us-west-2
- I found some files, but what is really important and what I want to draw your attention to is the .git directory. Git is a version control system that keeps track of changes made to computer files and allows several people to work on those files, so let's list that directory and see what will happen.
- Now, I'm going to download the content of the S3 bucket to interact with the .git directory. I do this using this command:
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
- A lot of the time in cyber security we have to see what is in the logs, so I am going to take a look at the history logs after I list the content and am sure the file exists. I'm going to use this command:
- It looks like the author saved the access keys and tried to remove them in the next git commit. Now, I'm going to check the first log using the command:
git checkout f52ec03b227ea6094b04e43f475fb0126edb5a61
Then I list the content to see what I can find.
- As you can see, I found access_keys.txt, so I opened it, and now we have an AWS access key.
- Now, let's configure a profile in the AWS CLI to use this access key.
- I listed the content and found the level 4 file, which I'm going to open up in my browser.
The flaw in this level:
Many users mistakenly leak their AWS keys and secrets through version control, then attempt to hide the mistake without revoking them. Since the history still has the changes recorded, it is not as easy as just deleting the file from git. You should always revoke any AWS keys or secrets that may have been compromised.
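To find keys that need revoking in your own repositories, the history has to be scanned, not just the current files. The following is an added example, not part of the original walkthrough: it parses the text printed by git log -p --all and records every commit that added or removed a line containing an AWS access key ID. The sample log is constructed, its hashes are made up, and the key is the placeholder used in AWS documentation.

```python
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key ID formats.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
COMMIT = re.compile(r"^commit ([0-9a-f]{7,40})")

def scan_history(log_text):
    """Map each key ID found in `git log -p` output to the commits touching it."""
    findings = {}
    commit = path = None
    for line in log_text.splitlines():
        m = COMMIT.match(line)
        if m:
            commit = m.group(1)
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[-1]
        elif line.startswith(("+++", "---")):
            continue  # file headers, not file content
        elif line.startswith(("+", "-")):
            for key in ACCESS_KEY_ID.findall(line):
                entry = findings.setdefault(
                    key, {"path": path, "added": [], "removed": []})
                entry["added" if line[0] == "+" else "removed"].append(commit)
    return findings

# Constructed, trimmed `git log -p` output, newest commit first.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222

    remove keys

diff --git a/access_keys.txt b/access_keys.txt
--- a/access_keys.txt
+++ /dev/null
@@ -1 +0,0 @@
-access_key AKIAIOSFODNN7EXAMPLE
commit 1111111111111111111111111111111111111111

    first commit

diff --git a/access_keys.txt b/access_keys.txt
--- /dev/null
+++ b/access_keys.txt
@@ -0,0 +1 @@
+access_key AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for key, hit in scan_history(SAMPLE_LOG).items():
        # A later removal does not help: the adding commit is still in history.
        print(f"{key} in {hit['path']}: added in {hit['added']}, "
              f"removed in {hit['removed']} -> revoke and rotate")
```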