SecurityLabs challenge: week one (public S3 bucket)
This one was pretty simple. A (slightly) public S3 bucket exists. Help ITSec gather evidence to escalate.
How I solved this:
You will need to be authenticated with AWS. This bucket is not really public, but open to all auth'd users.
aws s3 ls
gave an "access denied" error. This tells me that we don't have bucket-level privs, so it has to be ACLs on the file itself.
aws s3 sync s3://<bucket name> .
gave me a boatload of permission denied messages...and one file: flag.txt
flag.txt did not have our flag in it. In fact, all it said was "keep looking ;)". This is where I got lucky. I recently had to clean up a bucket with bad perms and versioning enabled. One of the most useful commands was
aws s3api head-object
, and it did not fail this time. This showed the file had another version!
aws s3api get-object --bucket <bucket name> --key flag.txt --version-id <version id from metadata> flag.txt
gave me the correct file, with the correct flag.
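As an added example (not part of the original write-up), here is the kind of audit helper ITSec would want once the evidence is gathered: it reads the JSON that `aws s3api list-object-versions` and `aws s3api get-object-acl` emit and flags objects that still carry non-current versions or that grant READ to the AllUsers / AuthenticatedUsers groups. The two JSON samples are constructed; the group URIs are the real AWS values.

```python
import json

# Grantee URIs for the two S3 global groups (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample of `aws s3api list-object-versions --bucket <bucket name>` output.
SAMPLE_VERSIONS = json.dumps({
    "Versions": [
        {"Key": "flag.txt", "VersionId": "v2-current", "IsLatest": True},
        {"Key": "flag.txt", "VersionId": "v1-old", "IsLatest": False},
        {"Key": "readme.txt", "VersionId": "null", "IsLatest": True},
    ]
})

# Constructed sample of `aws s3api get-object-acl --bucket <bucket name> --key flag.txt`.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ]
})


def noncurrent_versions(listing_json):
    """Map each key to its non-current version ids: the ones that
    `get-object --version-id` can still fetch even after an overwrite."""
    out = {}
    for v in json.loads(listing_json).get("Versions", []):
        if not v.get("IsLatest"):
            out.setdefault(v["Key"], []).append(v["VersionId"])
    return out


def exposed_grants(acl_json):
    """Return (group_name, permission) for every grant to a global group."""
    names = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
    found = []
    for g in json.loads(acl_json).get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in names:
            found.append((names[grantee["URI"]], g["Permission"]))
    return found


if __name__ == "__main__":
    print("non-current versions:", noncurrent_versions(SAMPLE_VERSIONS))
    print("exposed grants:", exposed_grants(SAMPLE_ACL))
```

Feed it the real CLI output with `aws s3api list-object-versions --bucket <bucket name> --output json` and the matching `get-object-acl` call per key; any AuthenticatedUsers grant is the finding to escalate.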