# Level 3: Leaked Secrets

### <mark style="color:purple;">Task</mark>

The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you'll find something that will let you list what other buckets are.

### <mark style="color:purple;">Resolution</mark>

1. **Listing the Level 3 Bucket:**\
   The first step is to list the Level 3 bucket:

```bash
aws s3 --profile default ls s3://<url>.flaws.cloud
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfndcqKbnT__k86jfZwK2lZSBs4cDVGI9Uo2T7S8hy_mddx7r7PlgOBtkRkchrcNjybS4iamce4aBSoW9kUMZ01h5ZbY1cHbaMNlITAjFrQGTCa6ViTKG_2C3mGQJ0s9YNjWFDu1Q?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

As we can see, there is a **.git** folder.

To avoid running `ls` on every folder and subfolder, it's better to download the entire bucket locally for easier navigation. To do this, we use the **sync** command:

```bash
# sync needs both a source and a destination: download the bucket into a local flaws/ directory
aws s3 --profile default sync s3://<url>.flaws.cloud flaws
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdXJGGRxqr9qKBtHzO8_abvBwKAh2SNNWnYSbddIvJy4stL3fIPEX0evTHCI2628LBMPCk5ZcRim81-jHM4i09ngSh-SJRBYR5aDB6ZCrkJMto9j6qjSNZ8jw7HIGwXRfCvuOh2?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

2. **Navigating the Bucket:**\
   Now, we go into the **flaws/** folder:

```bash
cd flaws
```

While exploring, we find the following:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXceaGVN_9zYk-eikkKGLmeGWctmtQSU5ZtswuV8rY_BnrGWpqBQnx19MnH4aDN-y1FjH0rh12vqnho6e46gPGNF0_4NYWhYAn7zBrimex3Y6lzXUjVXugUmaA-oXfE-OEwhThRG?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

It seems there was a commit that added data that shouldn't be there. Let's check the commit history.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfpSSvmT5ry7pqOoNLtESHY-a9UbGwomvszQng0mdNNLuGGZbCA_Strj3Oaya-Ttdz34_uYuoUuWpw9yIHmAqYOlkl2RrI4sj9trPBLlK6-cp73LiY1YDLssMIJGVvlb99B62_9yQ?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

3. **Comparing Commits:**\
   To compare the commits, we run:

```bash
# use the two hashes from the commit history shown above, oldest first
git diff <older-commit> <newer-commit>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXemOlgQj87F0Ex5ALuE8emlJ4n2rfxfmwKkb52ni0xr-DH7jHcpJK5O9enN22zjCccTwvnWGJoCRC-haXjyHXHQhPkz8ln6NoxLxjGtfc568IO8c-uz63SfL7rgnsvl8Gz44czZqw?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

4. **Configuring AWS with the Keys:**\
   Now that we have the keys, we need to add them to our AWS configuration using:

```bash
aws configure
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfmdzkT-hs07JmT_-fZOqdaK8h_x-8JhH5W1kVBNgzmr-cSFuLpQhhtB0RxmNVbe9NaEmFkWyq4UuafSko95tMvbZa0RE9jqdfYm84jDtOKT36Oc81xS8rNdmBPPSdv2I3eyz9WaA?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

5. **Listing the Buckets:**\
   Finally, we list the buckets with:

```bash
aws s3 ls
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe18QvP1dvXsAUCkUtR07cbWM3YpcGS0shYP6lJLZ2_O41_-hYdYndMpFxygY8hxupH0PX0DN8RiWglbrtolcPpdb3hU1yHvhxEfKs8IOW3xrevrZH5wJjUYl6zv6Yni991U7vSng?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

### <mark style="color:purple;">Lesson Learned</mark>

People often leak AWS keys and then try to cover up their mistakes without revoking the keys. You should always revoke any AWS keys (or any secrets) that could have been leaked or were misplaced. Roll your secrets early and often.
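Checking a synced repository for exactly this pattern (a key committed, then deleted in a later commit but still present in history) can be automated. The scanner below is an added example, not part of the original writeup; `scan_repo` assumes `git` is on PATH, and the embedded log is constructed (fake hashes, key values taken from the AWS documentation placeholders, not real credentials).

```python
"""Find AWS keys in `git log -p --all` output: a later commit that deletes the key
only removes it from the working tree, it stays in history (added example)."""
import re
import subprocess
from typing import Dict, List, Tuple

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # 20-char key IDs
SECRET_RE = re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})", re.I)

def scan_history(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map commit hash -> [(kind, value)] for keys on lines that commit added."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    commit = "<no commit>"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):
            # Only '+' lines introduce a key; a '-' line in a later commit never un-leaks it.
            for key_id in ACCESS_KEY_RE.findall(line):
                findings.setdefault(commit, []).append(("access_key_id", key_id))
            for secret in SECRET_RE.findall(line):
                findings.setdefault(commit, []).append(("secret_access_key", secret))
    return findings

def scan_repo(repo_path: str) -> Dict[str, List[Tuple[str, str]]]:
    """Run git in a local clone (e.g. the synced bucket) and scan every branch's patches."""
    log = subprocess.run(["git", "log", "-p", "--all"], cwd=repo_path,
                         capture_output=True, text=True, check=True).stdout
    return scan_history(log)

# Constructed sample (fake hashes; key values are the AWS documentation placeholders).
# Newest commit first, as git prints it.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
    remove file that should never have been committed
--- a/access_keys.txt
+++ /dev/null
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit 1111111111111111111111111111111111111111
    first commit
--- /dev/null
+++ b/access_keys.txt
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for sha, hits in scan_history(SAMPLE_LOG).items():
        print(sha[:8], hits)  # only the first commit is reported; the removal hides nothing
```

Run `scan_repo("flaws")` against the synced bucket directory to get the same report for real history; any hit means the key must be rolled, however many commits later it was deleted.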

### <mark style="color:purple;">Examples of this problem</mark>

* [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php): In this must-read post, a bug bounty researcher uncovered a series of flaws, including an S3 bucket that held .tar.gz archives of various revisions of files. One of these archives contained AWS creds that then allowed the researcher to access all of Instagram's S3 buckets. For more discussion of how some of the problems discovered could have been avoided, see the post ["Instagram's Million Dollar Bug": Case study for defense](https://summitroute.com/blog/2015/12/24/instagram_bounty_case_study_for_defense/).

Another interesting issue this level exhibits, although not that worrisome, is that you can't restrict the ability to list only certain buckets in AWS, so if you want to give an employee the ability to list some buckets in an account, they will be able to list them all. The key you used to discover this bucket can see all the buckets in the account. You can't see what is in the buckets, but you'll know they exist. Similarly, be aware that buckets use a global namespace, which means bucket names must be unique across all customers, so if you create a bucket named `merger_with_company_Y` or something else that is supposed to be secret, it's technically possible for someone to discover that the bucket exists.

### <mark style="color:purple;">Avoiding the mistake</mark>

Always roll your secrets if you suspect they were compromised, made public, or stored or shared incorrectly. Roll early, roll often. Rolling secrets means that you revoke the keys (i.e. delete them from the AWS account) and generate new ones.
