Walkthrough AWS S3 Enumeration Basics lab | Pwnedlabs 🪣🔎

Captions
Hi everyone, and welcome back to my channel. In this video I'm going to walk you through a Pwnedlabs lab, AWS S3 Enumeration Basics. So in this video I'm going to cover all the S3 enumeration, that is, the basics of enumerating an S3 bucket. Let me first introduce what S3 is. If you are a pentester and you know about FTP, understand that in AWS, S3 is the same as FTP, because it is used to store files. And like we used to get anonymous access on FTP, there are many ways where the settings or the permissions of S3 buckets are misconfigured in a way that allows anonymous access, which can lead to data leakage. You can search on Google, you can search anywhere, and you'll see a lot of data breaches and other things that have happened before, and it's all because of S3. So in this video I'm going to walk you through this lab; we'll check it out, and let's dive into it.

Okay, so S3 Enumeration Basics. Let's start our lab. I have already connected to my VPN because I was working on it before; you can just download it here and run sudo openvpn and your VPN file name. If you have any problem, comment in the description and I'll help you out. So our lab is starting. Let's check the scenario first. Our scenario is: it's your first day on the red team and you have been tasked with examining a website that was found in the first employee's bookmarks. Check it out and see where it leads. In scope is the company's infrastructure, including cloud services. So what we are supposed to do here is that we are on a red team, it's our first day, and we are given a task to examine a website that we found through the first employee's bookmarks, and we have to see where it takes us, where it leads us. One good thing about this lab is that you don't have to know different tools; you don't have to use any tool. You just have to use your mind, your hacking mindset, your curiosity to dive into it, to figure it out, to scratch surfaces. We'll just use the AWS CLI, and you just need basic ideas of the commands. It's a beginner-friendly lab that focuses on red team real-world contracts. I won't go through the walkthrough; let's just dive into it.

Here we have the website and I'm already connected to the VPN, so I'll just put my website here and let's see. Okay, so we are connected to the VPN properly; that's why we are accessing the site. Let's go through the website. Don't think about it just as cloud; don't go right into the cloud mindset. Think about it as a hacker, as a penetration tester, because a website can lead you to many other things as well: you can find many website vulnerabilities like XSS and SQLi too. But this lab is only focused on cloud, so I'm just telling you the way you can think of it. So let's see what services or what things we have. Everything here mostly just takes us back, and this is 405 Not Allowed, so we are not allowed to do this. As you can see, most of the things are redirecting us back here only, so we don't have anything to work with. What we can do is directory busting, directory search, fuzzing and other things; we can find subdomains. But it will take some time. You can do this, you should do that first, but I'll just look at other stuff. So what I'll do is check the source code, because while the directory fuzzing or the subdomain fuzzing is going on you should check the source code, because you have to utilize the time. So let's go to the source code. Let me zoom in for you. If you see my marker, here it is mentioned about an S3 bucket, and here it is also mentioned about an S3 bucket. So all the things that they are storing are in an S3 bucket, and I just told you that maybe they have a publicly accessible bucket, which will lead to a data breach.

Let me tell you a little of the basics about it as well. S3 buckets are referred to in two ways: either it will be bucketname.s3.amazonaws.com, or it will be like s3.amazonaws.com/bucketname. So we have the bucket name here; let's just copy it down. I can copy it from here. We'll copy the bucket name from here and we'll move to our AWS CLI, which I already told you we'll have to work with. I'll open a new terminal and zoom it for you guys. Now we'll walk through the AWS CLI. I've already done a little bit, I have not done the complete one, so I'll let you know. That's the syntax for it, and we are trying the anonymous thing. If we go for the anonymous thing in FTP, if you remember, in FTP we have to write anonymous, so the FTP one is like "ftp anonymous:anonymous@your-IP". That is what we do for FTP, but for S3 we have to use this. This is the syntax for it, if I'm not wrong; I have previously used it. So --no-sign-request means we are not using any profile or anything, and we got our result. What we have here is we can read it. So first things first: it is not properly permissioned. The permissions are not properly given, because we can access it publicly without any sign-in, so anybody with an AWS account can access or read the files, actually. So we'll check one by one what we can read; we'll just keep adding the folders to it. We'll check admin first. It is taking some time; it will take some time. It may not take time for you, but it is taking time for me. So we don't have access to it. Okay, let's go to the next one. If we check all the files one by one, you'll see that somewhere or other you'll have a way to go ahead. You won't get stuck anywhere; you'll see and find ways. The other one is also not accessible by us; it is permission denied. We'll go for the third folder and let's hope for the best. Okay, so we can access it. We have a zip file here. Before taking it out, let's check the last one as well, because maybe we'll find something more important in that folder. If we check that, we have a JavaScript script, a logo and a style, and I guess this is for the website. We have index already, and in static I guess it's the script for the website, the CSS for the website and the logo for the website, so I guess it is of no use. So this is the only thing that is reliable or beneficial for us. I'll just copy its name and move back upwards, to the shared one, and just paste my file name here. This time I don't have to do ls, I just have to do cp. I'm copying this file to my present directory; dot is for the present directory. I'll copy it down just here and we'll wait for it, because it's taking some time due to the VPN and due to the region. Okay, so it is downloaded here, as we can see with ls, and we already have it here. Let's go and unzip it. Here it is; yes, it is already unzipped. Let's check it out with ls, and we have the script here. Let's read it. You can use any reader, any file opener; I'm just using Vim here. If we read the whole thing, if you read the whole code, and even if you don't know the code and can't read it, you can just see the comments; that's why comments are here. So this is what they are doing: reading some secrets from an export.xml file. They are outputting the file in this way and they are error-handling it; if they get an error from something, they are doing the secret note XML file again. So I guess it is something related to Secrets Manager, because AWS has a Secrets Manager service which keeps your secrets. But the main thing, the big jackpot that we hit here, is the access key and the secret access key. If you are already working with AWS, you know how important the access key and secret access key are. You just can't allow anyone to share it or get access to it. This is the most important thing; this is like your username and password for your account.

So we have got all the things and we just need to set up our account. I'll just open another terminal here and set up another AWS account, and for that, aws configure, and I'll create a profile enum S3. When I configure it, it will ask for all the things, and from here I'll copy it down. We have the secret key, we have the normal access key... oh my bad, I just copied the same thing. So we have the secret key, we have the access key and we have the region as well. So we are all set. Now we'll just put it here and we'll do the same thing that we did previously: we'll do all the S3 commands, all the S3 things that we did, and we'll see what we can access now. We'll use the profile enum S3; now we are not choosing the --no-sign-request option, so we are not accessing it or reading it anonymously. We are reading it through the enum S3 account that we just got. Before that, I would advise you to do something: when you get access to some account, or you just create an account, you should do a "who am I" check. So this is what the who-am-I command for AWS is: you should write aws sts get-caller-identity with --profile enum S3. I'll check what user I am, what my name is and other things. So we got our user ID, we got our account, we got our ARN, and we are Pam test. So we are the Pam test user. Now we'll just copy down the command that we used for enumerating S3 and enumerate it again. I'm just enumerating it with the new account that I got, and not the anonymous account, just to be clear again; I'm using --profile just to get the access from that account. So we have got this access. Now let's try getting access to the other folders, if we are privileged enough to do that. And yes, previously we couldn't access it, as it was permission denied; now we can access it. So we have got our flag here. Let's see if we can copy it down directly and maybe it's all done. So cp in place of ls, and I want to paste it in my present directory. Let's see if it's okay... so, forbidden. We don't have permission to copy things down. Let's see another thing, if we can do this. The testing file is zero bytes, so we don't need anything from zero bytes; we'll just see if we can download it somehow. Okay, so an error for this as well. Let's see if we can access some other folders here, if we get the chance to do some other folders. Oh, I forgot to remember the folder names, my bad; wait a minute. We'll just do the enumeration again and we'll see what folders we have. We have migration files. We already looked at shared, we looked at static, we got all the things that we needed from there, so I don't think there's any requirement to check them again. So we'll check the second folder now; the first folder is already done, and the second folder is migration files. Okay, so we can access it; we got everything here. These two are pretty big files and they are only PDFs, so if you want to download them you can, but I know they are of no use. It would take a lot of time to download and use them, and there are no leads ahead from this. We have a test export XML and we have a migrate secrets.ps1, and as we previously saw, we got an ID. Let me bring the terminal back, and if I quit this... okay, so as we saw here, they are providing a Secrets Manager file, migrate secrets.ps1, which we already got from the previous step. Migrate secrets.ps1 we already got from the previous step, as I told you, so we don't have to download it again, because from the shared folder we already got this. Now let's see if we can copy the test export XML. So we'll go for it and we'll see if we can access it, and we'll copy it down to my main directory. I'll just go here and paste it and see if we can download it. So the main thing, the migrate secrets.ps1, we already downloaded before, so now only the test export XML is left, and we have downloaded it, and here it is, as you can see. I'll just cat it out... actually, I'll just use Mousepad for it, because cat would take a lot of space here. So we have access to everything now. As I read through walkthroughs of bug bounties, I saw that this is pretty common. I also got shocked at how they are storing the passwords and all things in plain text, but it happens in the real world. I have seen many videos of many professional pentesters who did this lab or who did pentesting, and they were telling the same thing: these things are very common in proper environments. So we have got Oracle database credentials, we have got HP server credentials, we have got AWS credentials; we've got every credential that the company has. But our main focus is the AWS credentials, because we are currently focusing on cloud, we are breaching the cloud. So we have another ID for AWS, and let's use it again. Let's create another profile for it, and we'll do aws configure with the profile S3 admin, because you can see here it's the AWS IT admin, so I am creating a profile with AWS S3 admin. We'll just copy the things down here: we need the access key, we need the secret access key, and we don't need the region here because it is not given, and anyway the region is not as much needed because we already know that we have S3, which is a global service. A great misconception for S3 is that S3 is a global service, but if you deploy S3, if you host S3 or use S3 to store anything, it has to be deployed in a region; but it is a global service. So yeah, this misconception is there, and I wanted to clear it up for you guys if you don't know about it.

Now let's check it out. We will do this first, because I told you that you should do the who-am-I command first and check what privileges you have, what commands you have, what your role is and what user you are. So we are the IT admin, and let's check the privileges we have with S3. We'll go directly into it, because I've already checked everything else, and we'll look at the admin folder directly, because we could open it before but we couldn't copy from it because of the privilege limitations. We'll see if we can do it now. We can ls it now, and let's see if we can copy things. I'll just go here, do the copy, and see if I can copy things here. I'll copy it down into my main directory here... so download failed again because "not a directory"; okay, I guess it's some kind of command error. We can access the file flag.txt; let's see if we can access this file here, and it is downloaded. So we have the permissions for it, and we have flag.txt here. If we see other files here, we have website transaction, which we previously tried and was also access denied, so we didn't have permissions for it either. Let's see if we can access it now. We'll download it again into this directory, and we'll see that it is also being downloaded. So we have all the permissions now to download everything, and we have both things. We already know that the flag is here and our lab is already solved, but let's see the other thing and the real-world scenario: what and how website breaches happen. I'll just open Mousepad again and open the file, and let's see what we have here. Here we have a lot of things: network credit card number, CVV, expiry date, cardholder name, validation, usernames, passwords, IP addresses. So we have literally breached every single detail of the company, of the customer's website. We have done everything we can as an attacker, and we have literally spoiled the company's reputation and totally breached and exposed the data of the users. This is a real-case scenario, as you can see, and you can also do a Google search and read writeups of how the previous big breaches happened.

Okay, so now we are all over it, so just cat the flag text out and we'll see if we have done it correctly or not. I'll just open it, I'll just go to my AWS and submit my flag, and let's hope for the best... and it is invalid. Okay, it is invalid; how? I guess the last percent sign is not part of it. I guess I have to remove the last percent sign; I don't know if it is proper or not. If I do it now without the percent sign... yes, so my flag is completed: you have successfully completed the challenge. We have completed the lab.

So in this video, what did you guys learn from it? Let me explain a few things to you. When we store things in S3, what are the main problems here? Let's just analyze it a little. I'll just do a little enumeration again for you guys, and I'll show you what the mistake was here, and as a beginner what you shouldn't do. So I'm enumerating it, and as you can see here there are a few mistakes, I would say. The first mistake, that may or may not be that big, was that they are allowing public access to their bucket. If you have very normal content here, suppose I have all the pictures of my website, all the pictures in my bucket, I can allow public access to it, because no one would get any benefit from it; all the pictures are already open anyway. But here what they did is they made public the bucket that stored some sensitive data. No matter what privileges, what permissions you have on the data, if you are giving permission to the public to access your bucket, it will cause damage somewhere or other. If we can read the bucket, it's a problem already; it doesn't matter if we can copy it, if we can write to it. If we can just read it, it's already a problem. The second biggest mistake they made is that they put the sensitive stuff and the website stuff in the same bucket. You should never do that. If you are creating a bucket, if you are creating a website, if you are creating anything and hosting it or saving it in a bucket, you should always put sensitive data, the important data, in some private bucket, which should not get even a second of public access. So if you have a sensitive bucket in your AWS account, you shouldn't allow it, even for a second, to be accessed by the public. You can't give public access for even a second to that bucket. But if you have a normal bucket, even if you have public access, it won't cause that much damage. So you got the problem right here: the problem was that they stored the sensitive data, they stored the website data, and they stored all the credentials, all the important credential data, in the same bucket, and that was the problem.

Okay, I'll be back with another video on Pwnedlabs and AWS, and if you haven't checked out Pwnedlabs yet, do check it out. Pwnedlabs is an amazing website and a platform where you can learn AWS cloud pentesting, GCP pentesting, Azure pentesting, and previously I shared a video of Azure pentesting as well. This is my first video on AWS, and I'm making sure that I'll make many more videos on AWS. So keep following me, keep sharing my videos, and please subscribe if you like it. Thank you.
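The two mistakes the video calls out at the end (a bucket that anonymous principals can list and read, and AWS access keys sitting in plain text inside files stored in that bucket) can also be checked from the defender's side, before anyone runs aws s3 ls --no-sign-request against you. The Python below is an added example written for this page; it is not code from the video, from Pwnedlabs, or from the lab. It audits a bucket policy document and a PublicAccessBlock configuration in the shape returned by aws s3api get-bucket-policy and aws s3api get-public-access-block, and scans file contents for access key IDs and secret-key assignments. The policy, the PublicAccessBlock settings and the PowerShell text are constructed samples, and the key values are the examples from AWS's own documentation, not real credentials.

```python
"""Offline checks for the two S3 mistakes discussed in the video:
anonymous list/read access granted by a bucket policy, and AWS
access keys stored in plain text in files kept in the bucket."""
import json
import re

# Actions that let an unauthenticated caller enumerate or read objects.
READ_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, no sign-in needed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy):
    """Return the Sid (or index) of each Allow statement that grants
    anonymous list/read access with no Condition. Conditioned statements
    are skipped here and should be reviewed by hand."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_access_block_gaps(config):
    """Names of the four PublicAccessBlock switches that are not enabled.
    Any gap means a public policy or ACL could take effect."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in keys if not config.get(k, False)]


# Access key IDs are 20 characters starting with AKIA (long-term) or
# ASIA (temporary). A match inside a script or export in a bucket is a
# finding whether or not the key is still valid.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(aws[_-]?secret[_-]?access[_-]?key|secret_access_key)\s*[=:]\s*\S+")


def find_leaked_credentials(text):
    """(line number, line) for each line holding an access key ID or a
    secret-key assignment."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if ACCESS_KEY_RE.search(line) or SECRET_ASSIGN_RE.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed samples (not the lab's real policy, settings or script).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicListAndRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AdminOnlyWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/it-admin"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# Key values below are AWS documentation examples, not live credentials.
SAMPLE_SCRIPT = """# migrate-secrets.ps1 (constructed sample)
$Region = "us-east-1"
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Get-SECSecretValue -SecretId export.xml
"""

if __name__ == "__main__":
    print("public read statements:", public_read_statements(SAMPLE_POLICY))
    print("PublicAccessBlock gaps:", public_access_block_gaps(SAMPLE_PAB))
    for n, line in find_leaked_credentials(SAMPLE_SCRIPT):
        print(f"credential on line {n}: {line}")
```

To run it against a real bucket, pass the string from aws s3api get-bucket-policy --bucket NAME --query Policy --output text to public_read_statements and the output of aws s3api get-public-access-block to public_access_block_gaps; any file pulled from the bucket can go straight into find_leaked_credentials. The anonymous aws s3 ls --no-sign-request check shown in the video is the black-box counterpart of the policy audit, and either one finding a public read path on a bucket that also holds scripts or exports is the combination the video warns about.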
Info
Channel: AlienwareSec
Views: 146
Id: zdQ3jOhbwRE
Length: 21min 27sec (1287 seconds)
Published: Thu May 16 2024