Cyber Security Notes
S3- Exploit Weak Bucket Policies for Privileged Access

During a red team engagement for Huge Logistics, your team found the IP address 13.43.144.61 and hardcoded AWS credentials in a shipping application. Your primary objective is to access sensitive data


Last updated 2 months ago


  1. Accessing the IP.

  2. Viewing the source code and discovering a link to the S3 bucket.

  3. Basic enumeration commands:

aws s3 ls s3://hugelogistics-data # This would send a signed call
aws s3 ls s3://hugelogistics-data --no-sign-request # This would send an unsigned call
aws s3 cp s3://hugelogistics-data . --recursive # This would try to copy all contents in the s3 bucket

But everything failed.

  4. Trying to fetch the bucket's ACL. Bucket ACLs are older and less flexible than bucket policies. They grant read or write access to the bucket (or objects in the bucket) to predefined Amazon S3 groups.

aws s3api get-bucket-acl --bucket hugelogistics-data

  5. Trying to see the bucket's policy instead:

aws s3api get-bucket-policy --bucket hugelogistics-data

  6. We can make it more readable using sed, but I used GPT.

{
  "Policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadForAuthenticatedUsersForObject",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": [
          "s3:GetObject",
          "s3:GetObjectAcl"
        ],
        "Resource": [
          "arn:aws:s3:::hugelogistics-data/backup.xlsx",
          "arn:aws:s3:::hugelogistics-data/background.png"
        ]
      },
      {
        "Sid": "AllowGetBucketPolicy",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": "s3:GetBucketPolicy",
        "Resource": "arn:aws:s3:::hugelogistics-data"
      }
    ]
  }
}

  7. Here we see that any user (represented by "AWS": "*") can access only the background.png and backup.xlsx files in the bucket (the Resource field specifies the ARN of each object).

aws s3 cp s3://hugelogistics-data/backup.xlsx .

This is encrypted. I verified this with msoffcrypto-tool.

  8. There is no way to know the password, so using office2john makes sense.

  9. I removed the "backup.xlsx" name in front of the hash and saved it.

  10. Used john to get the password:

john hash.txt --wordlist=<path>/rockyou.txt

  11. Used msoffcrypto-tool to decrypt:

msoffcrypto-tool -p summertime backup.xlsx backup_opened.xlsx

  12. Open it up in an Excel viewer.

  13. By utilizing dirb I found different login portals.

  14. I logged in to the CRM using the admin credentials, viewed invoices, exported the data, and found the flag.

Mitigation

Several factors contributed to allowing us to achieve our objectives. Firstly, the bucket policy was overly permissive: it allowed all AWS users (in any AWS account) to read the policy, read file ACLs, and download the files (as long as they knew the file names). Policies should be designed in line with the principle of least privilege, granting resource access only to those that need it. The spreadsheet sitting exposed in the S3 bucket was encrypted with a password, but the password was very weak and appeared in a common wordlist. Instead of storing login details in a spreadsheet, it would be better to use a password management solution such as LastPass or Dashlane, a PAM solution, or AWS Secrets Manager, where credentials are provided as needed only to those authorized to access them. The company was also found to be storing unencrypted customer credit card details. Additionally, for a public-facing website it is recommended to enable MFA for all users. This adds an extra layer of security, ensuring that even if a user's credentials are compromised, an attacker won't gain access without the second factor.
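To turn the least-privilege point into something you can run against your own buckets, here is an added audit script (my example, not part of the lab or these notes) that flags every Allow statement whose Principal is the wildcard "*", the exact pattern that exposed backup.xlsx above. The sample input is constructed from the policy shown on this page plus one hypothetical role-scoped statement (the account ID and role name are made up) to show what a passing statement looks like.

```python
import json

# Constructed sample in the shape `aws s3api get-bucket-policy` returns: the lab's
# policy from this page plus one hypothetical account-scoped statement. The real
# API carries "Policy" as a JSON string; the checker accepts that or a dict.
SAMPLE_RESPONSE = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadForAuthenticatedUsersForObject", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:GetObjectAcl"],
         "Resource": ["arn:aws:s3:::hugelogistics-data/backup.xlsx",
                      "arn:aws:s3:::hugelogistics-data/background.png"]},
        {"Sid": "AllowGetBucketPolicy", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "s3:GetBucketPolicy",
         "Resource": "arn:aws:s3:::hugelogistics-data"},
        # Hypothetical least-privilege statement: a named role, not "*".
        {"Sid": "ShippingAppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ShippingApp"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::hugelogistics-data/*"},
    ],
})}

def _as_list(value):
    # IAM accepts a scalar or a list in Action/Resource/Principal fields.
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    # "*" or {"AWS": "*"} means anyone: any AWS account, signed or unsigned.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_public_statements(response):
    # Return (Sid, actions, resources) for every Allow open to everyone. Statements
    # carrying a Condition are skipped and deserve manual review instead.
    policy = response["Policy"]
    if isinstance(policy, str):  # raw API output
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if is_public_principal(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"),
                             _as_list(stmt["Action"]), _as_list(stmt["Resource"])))
    return findings
```

Feed it the JSON from `aws s3api get-bucket-policy --bucket <name>` and both wildcard statements from the lab are reported, while the role-scoped one is not.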