Real-world context
If an attacker obtains an AWS account ID, they can try to enumerate the IAM roles and users tied to that account. This is possible because some AWS services return detailed error messages when a non-existent user or role name is supplied; those messages confirm whether an IAM principal exists, which helps an attacker compile a list of possible targets in the account. The account ID can also be used to filter public EBS and RDS snapshots by the account that owns them.
Nmap
nmap -Pn 54.204.171.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 01:33 EET
Nmap scan report for ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)
Host is up (0.13s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds
Access the website
Inspect the page source and find images referenced from the mega-big-tech S3 bucket:
https://mega-big-tech.s3.amazonaws.com/images/workpro1.jpg
Access the S3 Bucket
https://mega-big-tech.s3.amazonaws.com/
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>mega-big-tech</Name>
  <Prefix/>
  <Marker/>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>images/</Key>
    <LastModified>2023-06-25T22:40:57.000Z</LastModified>
    <ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag>
    <Size>0</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/banner.jpg</Key>
    <LastModified>2023-06-25T22:42:34.000Z</LastModified>
    <ETag>"3ad5c014c01ffeb0743182379d2cd80d"</ETag>
    <Size>3184176</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/notepro1.jpg</Key>
    <LastModified>2023-06-25T22:42:35.000Z</LastModified>
    <ETag>"f5435f26a11fac38006d8fe32ed75045"</ETag>
    <Size>941294</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/notepro2.jpg</Key>
    <LastModified>2023-06-25T22:42:36.000Z</LastModified>
    <ETag>"c7b217afa365714334597643889c5daa"</ETag>
    <Size>1660205</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/notepro3.jpg</Key>
    <LastModified>2023-06-25T22:42:37.000Z</LastModified>
    <ETag>"11acc403ec7efabdf2743404e1fc6be7"</ETag>
    <Size>490794</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/notepro4.jpg</Key>
    <LastModified>2023-06-25T22:42:38.000Z</LastModified>
    <ETag>"2ba1a84a0908e91bec8d05981c28fc40"</ETag>
    <Size>2415092</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/phonepro1.jpg</Key>
    <LastModified>2023-06-25T22:42:39.000Z</LastModified>
    <ETag>"8b2541f6138dd34e392f45fc6ab8ba6f"</ETag>
    <Size>1003564</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/phonepro2.jpg</Key>
    <LastModified>2023-06-25T22:42:40.000Z</LastModified>
    <ETag>"f9bf19e16a9a31a6754d7c55d0576ec4"</ETag>
    <Size>1277058</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/phonepro3.jpg</Key>
    <LastModified>2023-06-25T22:42:41.000Z</LastModified>
    <ETag>"c5e3b974eb2a8cc3cb6cd7f14a358419"</ETag>
    <Size>2322525</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/phonepro4.jpg</Key>
    <LastModified>2023-06-25T22:42:42.000Z</LastModified>
    <ETag>"e77b77f088be31b907562c1c08d3c1ea"</ETag>
    <Size>4080373</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/watchpro1.jpg</Key>
    <LastModified>2023-06-25T22:42:43.000Z</LastModified>
    <ETag>"8c6b69baa95f5a7ed0f9d2e1dae73160"</ETag>
    <Size>1160096</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/watchpro2.jpg</Key>
    <LastModified>2023-06-25T22:42:44.000Z</LastModified>
    <ETag>"ab66d316fbdfa90eea53e89855dc243f"</ETag>
    <Size>2877784</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/watchpro3.jpg</Key>
    <LastModified>2023-06-25T22:42:46.000Z</LastModified>
    <ETag>"a105349b350b257b05438dbc1c8fbe4d"</ETag>
    <Size>3232387</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/watchpro4.jpg</Key>
    <LastModified>2023-06-25T22:42:47.000Z</LastModified>
    <ETag>"f5315cb77b5de5a74c13417e185d3953"</ETag>
    <Size>3041540</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/watchpro5.jpg</Key>
    <LastModified>2023-06-25T22:42:49.000Z</LastModified>
    <ETag>"f137be90eec86dd71da37f25bdc5452e"</ETag>
    <Size>3400957</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/workpro1.jpg</Key>
    <LastModified>2023-06-25T22:42:50.000Z</LastModified>
    <ETag>"ee9140f394608d8ed638c9b39b9c1c4f"</ETag>
    <Size>1632585</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/workpro2.jpg</Key>
    <LastModified>2023-06-25T22:42:51.000Z</LastModified>
    <ETag>"fd33607a6406f4a6cb1550cba96ea200"</ETag>
    <Size>1081259</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/workpro3.jpg</Key>
    <LastModified>2023-06-25T22:42:54.000Z</LastModified>
    <ETag>"78fec3d6d2c81294346fa618ba0caf00"</ETag>
    <Size>1599810</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>images/workpro4.jpg</Key>
    <LastModified>2023-06-25T22:42:56.000Z</LastModified>
    <ETag>"9a70d62b2f2bd2bf6604943bde09f6bd"</ETag>
    <Size>1144134</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>
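A listing like the one above is easy to eyeball at nineteen keys but not at a few thousand. The following parser is an added example, not code from the original page: it reads a ListBucketResult document with Python's standard library only, handles the S3 XML namespace (and its absence, which some S3-compatible endpoints exhibit), separates the zero-byte "folder" placeholder keys from real objects, and reports whether the listing was truncated at MaxKeys, since a truncated page is not the whole bucket. The sample document is constructed from two of the entries above.

```python
"""Parse an S3 ListBucketResult document into a reviewable summary.
Added example; not from the original page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"


@dataclass
class S3Object:
    key: str
    size: int
    last_modified: str
    etag: str


@dataclass
class Listing:
    bucket: str
    truncated: bool  # True means more keys exist beyond this page (MaxKeys hit)
    objects: List[S3Object]

    @property
    def total_bytes(self) -> int:
        return sum(o.size for o in self.objects)

    @property
    def prefixes(self) -> List[str]:
        # Zero-byte keys ending in '/' are the console's "folder" placeholders.
        return [o.key for o in self.objects if o.key.endswith("/") and o.size == 0]


def _namespace_of(tag: str) -> str:
    """Return the namespace URI of an ElementTree tag like '{uri}Name', or ''."""
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def parse_list_bucket_result(xml_text: str) -> Listing:
    root = ET.fromstring(xml_text)
    ns = _namespace_of(root.tag)  # S3 uses S3_NS; some clones emit no namespace
    q = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)
    if root.tag != q("ListBucketResult"):
        raise ValueError(f"not a ListBucketResult document: {root.tag}")

    def text(el, name, default=""):
        child = el.find(q(name))
        return child.text if child is not None and child.text is not None else default

    objects = [
        S3Object(
            key=text(c, "Key"),
            size=int(text(c, "Size", "0")),
            last_modified=text(c, "LastModified"),
            etag=text(c, "ETag").strip('"'),  # S3 wraps the ETag in literal quotes
        )
        for c in root.findall(q("Contents"))
    ]
    return Listing(
        bucket=text(root, "Name"),
        truncated=text(root, "IsTruncated", "false").strip().lower() == "true",
        objects=objects,
    )


# Constructed sample: two entries in the shape of the listing above.
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>mega-big-tech</Name><Prefix/><Marker/><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
<Contents><Key>images/</Key><LastModified>2023-06-25T22:40:57.000Z</LastModified>
<ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag><Size>0</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/banner.jpg</Key><LastModified>2023-06-25T22:42:34.000Z</LastModified>
<ETag>"3ad5c014c01ffeb0743182379d2cd80d"</ETag><Size>3184176</Size><StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    listing = parse_list_bucket_result(SAMPLE_LISTING)
    print(f"bucket={listing.bucket} truncated={listing.truncated} "
          f"objects={len(listing.objects)} bytes={listing.total_bytes}")
    for o in listing.objects:
        print(f"  {o.size:>10} {o.last_modified} {o.key}")
```

To run it against a real listing, fetch the bucket URL with curl into a file and pass the file contents to parse_list_bucket_result; if truncated comes back True, the remaining keys must be requested with the marker parameter before the inventory is complete.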
Connect with the received AWS credentials
Use "aws configure" to store them, then confirm which identity they map to:
aws sts get-caller-identity
{
    "UserId": "AIDAWHEOTHRF62U7I6AWZ",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/s3user"
}
Install and use s3-account-search
https://github.com/WeAreCloudar/s3-account-search
python3 -m pip install s3-account-search
The first argument is a role in the account you control that the tool can assume; the second is the name of the bucket whose owner you want to identify. The output converges on the owning account ID one digit at a time.
s3-account-search arn:aws:iam::427648302155:role/LeakyBucket mega-big-tech
Starting search (this can take a while)
found: 1
found: 10
found: 107
found: 1075
found: 10751
found: 107513
found: 1075135
found: 10751350
found: 107513503
found: 1075135037
found: 10751350379
found: 107513503799
Find S3 Bucket Region
curl -I https://mega-big-tech.s3.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: 5xhnucqe++L3eBraV4DXjJs0eBpB3QHSRqwurRrSa6fAG3ezE05/Dr2FkXfCWQ03u7mSOF4zwh/VAKWKX3aeEg==
x-amz-request-id: RXYQ6QPVE856HYMV
Date: Wed, 06 Mar 2024 23:54:16 GMT
x-amz-bucket-region: us-east-1
x-amz-access-point-alias: false
Content-Type: application/xml
Server: AmazonS3
Log into the AWS management console in your own personal AWS account and make sure that the us-east-1 region is selected. Then search for the EC2 service. Open it and, in the left-hand menu of the EC2 dashboard, select Snapshots under the Elastic Block Store menu item. In the dropdown list, select Public snapshots, paste the discovered AWS account ID (107513503799) into the search field and hit enter/return. After waiting a minute we get a hit and see that the company has a publicly exposed EBS snapshot! PWNED!