Another smug cloud service boasting abut their security. Care to prove them wrong?
When you visit http://alieni.se:3002/ you notice that there is a CDN service on cdn.alieni.se which uses Amazon S3 and is behind Amazon Cloudfront.
If you vist http://cdn.alieni.se/WEB-INF you are redirected to http://cdn-origin.alieni.se.s3.amazonaws.com/WEB-INF/ and you can get the S3 bucket name: cdn-origin.alieni.se
Now you just need to connect to the bucket via
awscli and try to list its content.
smaury@hitch-hicker:$ aws s3 ls s3://cdn-origin.alieni.se PRE css/ PRE font-awesome/ PRE js/ 2017-05-14 15:18:04 36 flag_9182quwaisjnzkmasj.txt
As you can see the S3 bucket’s ACL are screwed up and you can list content without being authenticated.
To get the flag you just need to browse http://cdn-origin.alieni.se.s3.amazonaws.com/flag_9182quwaisjnzkmasj.txt