Misconfigured Bucket vulnmachines lab walkthrough
AWS S3 bucket has predefined groups to grant access to specific accounts of S3 buckets. Here, we have granted “Authenticated Users group” to READ objects from the bucket. Authenticated Users group allows any AWS authenticated user to access the resources.
Step 1: Login to https://www.vulnmachines.com/
Step 2: Navigate to “Challenges >> Cloud Labs >> Misconfigured Bucket”.
Step 3: Click on “Lab Access” to navigate to lab
Step 4: Now let’s try to list all objects by modifying the URL as shown in below figure.
Here, bucket “vnm-sec-aws” is not public so it will not allow users to list all objects.
Step 5: Now, we will use AWS CLI to list all the objects of the “vnm-sec-aws” bucket. Use “https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html” to setup AWS CLI and use “aws configure” to add credentials as shown in below figure.
Step 6: As “vnm-sec-aws” bucket allows any authenticated user to read all objects from S3 bucket, you can use “aws s3 ls s3://vnm-sec-aws/ — recursive” command to list all objects as shown in below figure.
Step 7: Use “aws s3 cp s3://vnm-sec-aws/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/flag.txt .” command to copy flag.txt on your computer.
Final Step: Decode the text to get the flag. Decoding method used here is ROT47.