PWNEDLABS Identify the AWS Account ID from a Public S3 Bucket

Real-world context

If an attacker gets hold of an AWS Account ID, they can try to work out which IAM roles and users exist in that account. They can do this by abusing the detailed error messages that AWS services return when a non-existent username or role name is supplied. These messages confirm whether an IAM user or role exists, which lets an attacker build a list of possible targets in the AWS account. It is also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns them.

Nmap

nmap -Pn 54.204.171.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 01:33 EET
Nmap scan report for ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)
Host is up (0.13s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds

Access the website

Inspect the page source and find images being loaded from the mega-big-tech S3 bucket:

https://mega-big-tech.s3.amazonaws.com/images/workpro1.jpg

Access the S3 Bucket

https://mega-big-tech.s3.amazonaws.com/

Connect with the AWS account credentials you received

Use "aws configure"

https://github.com/WeAreCloudar/s3-account-search

  • python3 -m pip install s3-account-search

Find S3 Bucket Region

Log into the AWS management console in your own personal AWS account and make sure that the us-east-1 region is selected.

Then search for the EC2 service. Click the service and in the EC2 dashboard, in the left-hand menu, select Snapshots under the Elastic Block Store menu item. In the dropdown list, select Public snapshots, paste the discovered AWS account ID into the field and hit enter/return. After waiting a minute we get a hit and see that the company has a publicly exposed EBS snapshot! PWNED!
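The two exposures this lab chains together (an S3 bucket that anyone can list, and an EBS snapshot shared publicly and findable by the leaked account ID) are what an account owner should be auditing for on their own side. The following is an added example, not part of the PwnedLabs lab; it checks your own account with boto3 and assumes boto3 is installed and that credentials for the audited account were set up with aws configure.

```python
"""Audit your own AWS account for the exposures seen in this lab:
EBS snapshots shared with the 'all' group, and S3 buckets that do not
have every Block Public Access setting enabled."""
# Added example (not code from the PwnedLabs lab). Assumes boto3 is
# installed and `aws configure` holds credentials for the audited account.


def snapshot_is_public(create_volume_permission: list) -> bool:
    """True if createVolumePermission grants the Group 'all'; that is
    exactly what makes a snapshot appear under 'Public snapshots'."""
    return any(p.get("Group") == "all" for p in create_volume_permission)


def bucket_is_unblocked(public_access_block: dict) -> bool:
    """True if any of the four S3 Block Public Access settings is off
    (an empty dict means no configuration exists, so nothing is blocked)."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return not all(public_access_block.get(k, False) for k in keys)


def audit(region: str = "us-east-1") -> list:
    import boto3  # imported here so the pure checks above need no AWS access
    from botocore.exceptions import ClientError
    findings = []
    ec2 = boto3.client("ec2", region_name=region)
    # Only snapshots owned by this account; public sharing is a per-snapshot attribute.
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if snapshot_is_public(attr["CreateVolumePermissions"]):
                findings.append(f"public EBS snapshot {snap['SnapshotId']}")
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            cfg = s3.get_public_access_block(Bucket=bucket["Name"])
            cfg = cfg["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            cfg = {}  # no block configuration at all
        if bucket_is_unblocked(cfg):
            findings.append(f"S3 bucket {bucket['Name']} lacks full Block Public Access")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run it against each region you use; EBS snapshots are regional, while the S3 bucket list is global.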
