LinkedInGitHubYouTube

S3 Enumeration Basics

A walkthrough demonstrating how to enumerate S3, exploit a misconfiguration, and escalate privileges to obtain sensitive data.

CTF Source: Pwned Labs

Overview

In this walkthrough, we're provided with a website link. After discovering the site is hosted on AWS S3, we'll learn how to enumerate S3 and, due to a misconfiguration, uncover additional credentials leading to the compromise of several secrets and credit card data.

Pre-Requisites

  • Install awscli: (brew/apt) install awscli

Walkthrough

Finding and Accessing the S3 Bucket

We'll start by visiting the website in our browser and inspecting its source code.

We'll discover the website is retrieving content from S3.

If we attempt to navigate to the CSS file, we'll discover we can see it.

Let's try to traverse the directories of this bucket to see if we can access other files.

Let's try using the awscli like so.

  • --no-sign-request is needed so we’re not signing the request with any local AWS credentials

Okay, now we're noticing some files!

It doesn't appear we can list contents for anything but shared/

Let's attempt to download this file.

Nice! Let's open it up and see what we can find.

Finding Credentials

Unzipping the file

Reading the contents

We found some creds!

Gaining Access to migration-files

We can use the command aws configure and set up the credentials we just found.

Let's try to enumerate those admin files we found previously.

Okay, we're getting somewhere. Can we download the data?

Nope... Let's move on to those migration-files and try that.

Nice! Let's read the files.

Looks like we found several credentials for various systems! Let's test out the AWS IT Admin creds.

Gaining Access to admin

Again, we'll set up our credentials like so,

Let's try to download those admin files now.

Success! We found the flag! Likewise, if we download the other file, website_transactions_export.csv we'll uncover some plaintext credit card information!

Wrap-up

In this scenario, unauthorized access was obtained to a shared folder within the S3 bucket without authentication. Subsequently, a zip file was downloaded from this folder, revealing a script embedded with hard-coded AWS credentials. These credentials were leveraged to access the /migration-files/ folder, where a file containing additional hard-coded credentials, including those for the AWS IT Admin user, was retrieved. Utilizing the IT Admin credentials, we successfully obtained the flag and plaintext credit card data from the /admin/ directory of the S3 bucket.

Let's discuss a few issues we uncovered along the way,

  1. Multi-use of an S3 bucket

    • It's clear that this bucket was used for multiple purposes (website hosting, credit card data storage, and some sort of secrets management migration)

    • Multi-use of a bucket like this can lead to unintentional consequences as we uncovered

    • Recommendation:

      • Separate buckets should be utilized for different use cases to reduce the likelihood of permission misconfiguration

  2. Mishandling of credit card data

    • The credit card data found was unencrypted and not stored in an appropriate location

    • Recommendation:

      • Encrypt credit card data

      • Store this data in an appropriate location and restrict access

  3. World-readable shared directory

    • This directory was accessible by anyone and contained hard-coded secrets to several solutions.

    • The exposed secrets enabled privilege escalation, ultimately leading to the exfiltration of credit card data.

    • Recommendation:

      • Store this data in an appropriate location and restrict access

      • If the data needs to be shared externally, consider enabling cross-account access via an IAM Role or sharing in an alternative secure solution.

PreviousLeveraging S3 Bucket VersioningNextPillage Exposed RDS Instances

Last updated

Was this helpful?