Showing posts from March, 2021

flAWS.cloud Experience and Write-Up

FLAWS is not a CTF per se. There are no teams, no scoreboard, no score, and the hints will walk you through each step of every challenge if you choose to view them. FLAWS is a freely available series of challenges designed to teach its users about common mistakes and misconfigurations when using AWS. The challenges can be found at: http://flaws.cloud/

Here's my writeup for the six levels:

Level 1

This level is *buckets* of fun. See if you can find the first sub-domain.

I began this level by enumerating buckets with cloud_enum, targeting the keyword "flaws.cloud", and I pressed Ctrl+C after I saw the "secret" HTML file to limit the number of requests to Amazon:

    # cloud_enum -k flaws.cloud --disable-azure --disable-gcp
    <snip>
    [+] Checking for S3 buckets
        OPEN S3 BUCKET: http://flaws.cloud.s3.amazonaws.com/
          FILES:
          ->http://flaws.cloud
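The open bucket listing above exists because the bucket grants anonymous callers s3:ListBucket. As an added example (my own code, not from the flAWS project), here is a small audit check that scans a bucket policy for exactly that grant, run against a constructed weak policy and its corrected form; the bucket name and Sids are made up for illustration.

```python
import json

# Actions that let a caller enumerate object keys (compared case-insensitively).
LIST_ACTIONS = {"s3:listbucket", "s3:*", "*"}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _is_anonymous(principal):
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_list_statements(policy_text):
    """Return Sids (or positions) of Allow statements that let anyone list the bucket."""
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & LIST_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed sample: a static-site policy that also lets anonymous callers
# enumerate every key, which is the Level 1 weakness.
WEAK_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"}]}"""

# Corrected form: objects stay readable for the website, but listing is gone.
FIXED_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}"""

print("weak :", public_list_statements(WEAK_POLICY))   # ['PublicList']
print("fixed:", public_list_statements(FIXED_POLICY))  # []
```

Bucket ACLs (AllUsers READ) and the account-level Public Access Block settings should be checked alongside the policy, since either can expose a listing independently.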