# FLAWS: Level 1
![[Pasted image 20230629173345.png]]
[Level 1](http://flaws.cloud/)
---
#### Let's Run `nslookup` on The Site:
![[Pasted image 20230627172714.png]]
The lookup returns a list of non-authoritative answers. Let's create a script that runs `nslookup` against each IP address (a reverse lookup).
#### Script:
```bash
#!/bin/bash
# Define an array of IP addresses
ip_addresses=(
    "52.92.161.235"
    "52.92.131.115"
    "52.92.146.59"
    "52.92.137.91"
    "52.92.139.123"
    "52.92.129.3"
    "52.218.177.250"
    "52.218.234.106"
)

# Iterate through each IP address
for ip in "${ip_addresses[@]}"; do
    # Perform nslookup
    result=$(nslookup "$ip")
    echo "IP Address: $ip"
    echo "$result"
    echo "-------------------"
done
```
>**Remember To**:
>```bash
>chmod +x *.sh
>./[script_name]
>```
#### Results:
![[Pasted image 20230629173922.png]]
It appears the results use the same S3 bucket. Now, we can attempt to access the S3 bucket.
#### Access Attempt One:
![[Pasted image 20230629175253.png]]
If you encounter this error, it indicates that the access keys provided, whether you have any or not, do not apply to the AWS account and S3 bucket in question. However, there is an alternative. The `--no-sign-request` option tells the AWS CLI to send the request unsigned, so no credentials are loaded and the call is made anonymously. This does not get around S3's access checks; it succeeds only when the bucket grants that permission to everyone.
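Seen from the bucket owner's side, the unsigned request described above leaves a recognizable trace in S3 server access logs, where the requester field is `-` for unauthenticated requests. The script below is an added example, not part of the original walkthrough; it assumes server access logging is enabled, and the log lines, bucket name, key, IPs and request IDs in it are constructed.

```bash
#!/bin/bash
# Added example: flag anonymous (unsigned) requests that S3 answered with 200.

# Constructed sample access log lines (not real traffic). Trailing fields after
# the version ID are omitted; IPs come from documentation ranges.
sample_log() {
cat <<'EOF'
OWNERID example-bucket [29/Jun/2023:17:56:10 +0000] 203.0.113.7 - REQ0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 20 19 "-" "aws-cli/2.x" -
OWNERID example-bucket [29/Jun/2023:17:57:02 +0000] 203.0.113.7 - REQ0002 REST.GET.OBJECT secret.html "GET /secret.html HTTP/1.1" 200 - 512 512 9 8 "-" "aws-cli/2.x" -
OWNERID example-bucket [29/Jun/2023:18:01:44 +0000] 198.51.100.9 arn:aws:iam::111122223333:user/admin REQ0003 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 18 17 "-" "aws-cli/2.x" -
OWNERID example-bucket [29/Jun/2023:18:03:30 +0000] 203.0.113.8 - REQ0004 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -
EOF
}

# Print "time ip operation key" for every anonymous read that succeeded.
# Field numbers assume the space-delimited access log layout: the bracketed
# timestamp spans fields 3-4 and the quoted request line spans fields 10-12.
find_anonymous_reads() {
  awk '$6 == "-" && $13 == 200 &&
       ($8 == "REST.GET.BUCKET" || $8 == "REST.GET.OBJECT") {
         gsub(/^\[/, "", $3)      # drop the leading "[" of the timestamp
         print $3, $5, $8, $9
       }'
}

# Count only the anonymous bucket listings, the exposure this level relies on.
count_anonymous_listings() {
  find_anonymous_reads | awk '$3 == "REST.GET.BUCKET"' | wc -l | tr -d ' '
}

sample_log | find_anonymous_reads
```

Any hit for `REST.GET.BUCKET` means the bucket can be listed by everyone; the anonymous request that was answered with 403 is correctly left out.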
#### Access Attempt Two:
![[Pasted image 20230629175659.png]]
There you have it! And I see you have some juicy files! I'll start with the one that shows "secret..."
First, we should create a directory and `cd` into the new directory. This will make things easier for the next step.
#### Create Directory:
![[Pasted image 20230629180403.png]]
Great! Now let's run the S3 command that displays the bucket contents and attempt to copy the "secret..." file.
#### Copy S3 Object:
![[Pasted image 20230629181031.png]]
>**NOTE**:
> To access an S3 bucket, you should use the URI format `s3://[BUCKET NAME]`. This is the standard URI for referring to S3 buckets, and it lets you reference the desired bucket and interact with its contents.
Now we can check it out.
#### Inspect The File:
![[Pasted image 20230629181406.png]]
Whoa, nice! If you see the information on the bottom, copy the `http://level2...` address and paste it into your browser.
#### Level 2:
![[Pasted image 20230629182350.png]]
[Level 2](http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/)
### Alternative:
We could have copied the `secret-dd02c7c.html` file name and appended it to the end of the `flaws.cloud` URL.
#### Alternative:
![[Pasted image 20230629182619.png]]