EBS - Loot Public EBS Volumes

Assuming we have the account ID we found through xyz mechanisms. Here, through user ID bruteforce by public S3 bucket URL.

First, it would be good to know the AWS region that the S3 bucket was created in, as public snapshots are available to all users in the same region that the EBS or RDS snapshot was created in. It's likely that if the S3 bucket was created in a specific region, that other resources will be available there too!

To find the S3 bucket region we can use another trick, this time with cURL.

curl -I https://mega-big-tech.s3.amazonaws.com

From the account ID and region we can now go to the amazon console in personal account and go to EC2 and look for public snapshots.

You can loot public EC2 snapshots: https://pwnedlabs.io/labs/loot-public-ebs-snapshots

Loot Public EBS SnapshotsMedium

Then launch an EC2 instance and attach this volume

You can SSH into the EC2 then and run lsblk command

Here, as we specified earlier xvdf1 is our disk. let's mount this

PreviousS3 - Identify the AWS Account ID from a Public S3 Bucket NextS3- Exploit Weak Bucket Policies for Privileged Access

Last updated 1 year ago