# recon\_25 (S3)

View the exercise here: [PentesterLab: Recon 25](https://pentesterlab.com/exercises/recon_25/course)

### **OBJECTIVE**

For this challenge, your goal is to look at the server used to load assets (JavaScript, CSS) and find a file named **key2.txt**. However, this time you will need to be logged in to access it.

Amazon Web Services Storage Service (S3) allows file owners to set permissions on files. Historically, the "Any users" rule wasn't well explained and led a lot of people to think that only people in their own Amazon account could access a file. In fact, it allowed any AWS account to access the file.

### **WHY?**

It's essential to look for files that may be publicly available on the servers used to load assets.

### **SOLUTION**

Use `View Page Source` on hackycorp.com, then open the links that load assets.

<figure><img src="/files/CwQF7jRlRc1ZHFR5iTlg" alt=""><figcaption></figcaption></figure>

Remove the `view-source:` prefix and keep only `http://assets.hackycorp.com`.

<figure><img src="/files/hpO7ozQXj9uaGVTwBC1u" alt=""><figcaption></figcaption></figure>

We need to find a file called `key2.txt`, so we try to access the path `http://assets.hackycorp.com/key2.txt`

Access is denied for this path, but the objective says that this file can be viewed by anyone with an AWS account.

<figure><img src="/files/aZkRhJGHVGj0sGMFNmrI" alt=""><figcaption></figcaption></figure>

So I created a temporary IAM user and generated access keys to use with the AWS CLI.

<figure><img src="/files/hbzwM7o56Vn03a0OUd2V" alt="" width="563"><figcaption></figcaption></figure>

Using **AWS CloudShell:**

Run the command below to configure credentials for the AWS CLI:

```bash
aws configure
```

Enter the `Access Key ID` and `Secret Access Key` when prompted.

\**Region name & Output format may be left blank*

<figure><img src="/files/SYZNDn1hIsbs6vz3YVwH" alt="" width="563"><figcaption></figcaption></figure>

I tried `aws s3 cp s3://assets.hackycorp.com/key2.txt ~/` but this is forbidden.

<figure><img src="/files/NCck8H654fNbAUOR6CLE" alt="" width="563"><figcaption></figcaption></figure>

We first need to set the user's permissions so that it can view S3 buckets.

<figure><img src="/files/YeJSprwdICGNd9vZPCit" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="danger" %}
*This is not the best practice for setting permissions, but I’m doing this for this exercise only.*
{% endhint %}

I tried listing the contents of assets.hackycorp.com...

```bash
aws s3 ls s3://assets.hackycorp.com
```

<figure><img src="/files/Mt6i6dVmrO9SIj88FHM2" alt="" width="563"><figcaption></figcaption></figure>

...and using the command below, but access is still denied.

```bash
aws s3 ls s3://assets.hackycorp.com/key2.txt 
```

<figure><img src="/files/TxOPzT9NTO40F9jTLVVJ" alt="" width="563"><figcaption></figcaption></figure>

So I tried copying the contents of `assets.hackycorp.com/key2.txt` to the machine, and we were successful.

```sh
aws s3 cp s3://assets.hackycorp.com/key2.txt ~/
```

<figure><img src="/files/3k7TIPGWJa1DXHWSlEWb" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
Opening the contents of **key2.txt**, we get the flag.
{% endhint %}

<figure><img src="/files/TwqdCzWoK5yDxtdv7B1R" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/AKWtK765ypL3ISmsy8Z2" alt="" width="563"><figcaption></figcaption></figure>
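From the bucket owner's side, the "any AWS account" grant described in the objective can be spotted by checking an ACL for S3's predefined global groups. The following is an added example, not part of the original exercise or write-up: the function name and the sample ACL are constructed, and the sample assumes the object carries a READ grant to the `AuthenticatedUsers` group. The input is the JSON printed by `aws s3api get-object-acl` or `aws s3api get-bucket-acl`.

```python
import json

# Predefined S3 ACL grantee groups (AWS-defined URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet (no credentials)",
    AUTHENTICATED_USERS: "any AWS account, not just the owner's",
}


def risky_grants(acl_json):
    """Return (group, permission, audience) for each grant to a global group.

    acl_json is the JSON text printed by `aws s3api get-object-acl`
    or `aws s3api get-bucket-acl`.
    """
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        # Only Group grantees carry a URI; owners are CanonicalUser entries.
        if grantee.get("Type") == "Group" and uri in RISKY_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission"), RISKY_GROUPS[uri]))
    return findings


# Constructed sample ACL (assumption): the owner has FULL_CONTROL and the
# AuthenticatedUsers group has READ on the object.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLEOWNERID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    for group, permission, audience in risky_grants(SAMPLE_ACL):
        print(f"{group}: {permission} granted to {audience}")
```

An empty result means the ACL grants nothing to either global group; bucket policies are a separate mechanism and are not covered by this check.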

