Domain: level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
DNS Resolutions

Date        IP Address
2025-10-18  3.5.84.95
2026-01-16  52.218.218.194
Port 80

HTTP/1.1 200 OK
x-amz-id-2: 4UyzF5P/OzyFt9hChg1ji1mX5gZTwTUsmDaWwXLKtBpEx+DaevV7NksrP8kmHNvSNAC4zD577/c
x-amz-request-id: WE3NPB529HVV9GXP
Date: Fri, 16 Jan 2026 02:53:16 GMT
Last-Modified: Mon, 27 Feb 2017 02:02:14 GMT
ETag: bbc2900889794698e208a26ce3087b6f
Content-Type: text/html
Content-Length: 2786
Server: AmazonS3

Response body (the flAWS Level 2 page, rendered as text; the page carries a ROBOTS NOINDEX, NOFOLLOW meta tag):

[ASCII-art flAWS banner]

flAWS - Level 2

Lesson learned

On AWS you can set up S3 buckets with all sorts of permissions and functionality including using them to host static files. A number of people accidentally open them up with permissions that are too loose. Just like how you shouldn't allow directory listings of web servers, you shouldn't allow bucket listings.

Examples of this problem

- Directory listing of S3 bucket of Legal Robot (https://hackerone.com/reports/163476) and Shopify (https://hackerone.com/reports/57505).
- Read and write permissions to S3 bucket for Shopify again (https://hackerone.com/reports/111643) and Udemy (https://hackerone.com/reports/131468). This challenge did not have read and write permissions, as that would destroy the challenge for other players, but it is a common problem.

Avoiding the mistake

By default, S3 buckets are private and secure when they are created. To allow it to be accessed as a web page, I had to turn on Static Website Hosting and changed the bucket policy to allow everyone s3:GetObject privileges, which is fine if you plan to publicly host the bucket as a web page. But then to introduce the flaw, I changed the permissions to add Everyone to have List permissions. [image: everyone.png] Everyone means everyone on the Internet. You can also list the files simply by going to http://flaws.cloud.s3.amazonaws.com/ due to that List permission.

Level 2

The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the free tier (https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/).

For hints, see Hint 1 (./hint1.html).
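The "Avoiding the mistake" section of the captured page draws the line that matters for a static-site bucket: public s3:GetObject is what website hosting needs, while a List grant to Everyone (whether through a bucket policy statement or an ACL grant to the AllUsers group) is the misconfiguration. The audit below is an added example, not code from the flAWS project or from the page; it checks bucket policy and ACL documents in the JSON shapes AWS returns (the ACL shape matches what boto3's get_bucket_acl() returns) and reports public listing separately from the expected public read. The policy and ACL documents, the bucket name example-bucket and the owner ID are constructed for the example; no AWS calls are made.

```python
"""Audit S3 bucket policy and ACL documents for anonymous list access.

Added example; not flAWS project code. Works offline on constructed JSON.
"""
import fnmatch
import json

# Real AWS group URI meaning "everyone on the Internet" (the page's "Everyone").
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any anonymous caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(actions, wanted):
    """Case-insensitive glob match so "s3:*" and "s3:List*" cover s3:ListBucket."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in _as_list(actions))


def policy_public_actions(policy, action="s3:ListBucket"):
    """Return (Sid, has_condition) for each Allow statement granting `action` to everyone.

    A Condition narrows the grant and is worth a second look, so it is reported.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _action_matches(stmt.get("Action"), action):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def acl_public_list(acl):
    """True if the ACL grants READ (on a bucket: list its objects) to AllUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def audit_bucket(policy, acl):
    """Public GetObject is expected for a static site; public listing is the flaw."""
    return {
        "public_get_object": bool(policy_public_actions(policy, "s3:GetObject")),
        "public_list_by_policy": policy_public_actions(policy, "s3:ListBucket"),
        "public_list_by_acl": acl_public_list(acl),
    }


# Constructed sample documents (bucket name and owner ID are placeholders).
WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForWebsite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
# The flawed variant adds the List grant the page describes.
FLAWED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEBSITE_POLICY["Statement"] + [{
        "Sid": "PublicList",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-bucket",
    }],
}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [OWNER_GRANT]}
FLAWED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

if __name__ == "__main__":
    print("website-only:", json.dumps(audit_bucket(WEBSITE_POLICY, PRIVATE_ACL)))
    print("flawed:      ", json.dumps(audit_bucket(FLAWED_POLICY, FLAWED_ACL)))
```

The two reports differ only in the list fields: the website-only bucket shows public GetObject and nothing else, while the flawed one reports the PublicList statement and the AllUsers READ grant. Because the action match is a glob, a statement with "s3:*" or "s3:List*" is caught as well, which is the shape such over-grants usually take in practice.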
Data with thanks to AlienVault OTX, VirusTotal, Malwr and others.