Cloud Breach S3

Exploit misconfigured reverse proxy to query EC2 metadata service

• Create a cloudgoat IAM profile generate with access keys - set it up via aws configure

• Simply deploy the cloud breach scenario - wait until it configures a vulnerable env

If you face any issues - read the Issues tab

Scenario Start

• The IP address of an EC2 instance is running a misconfigured reverse proxy

Scenario Goal

• Dump the confidential data from the S3 buckets

Getting Started

./cloudgoat.py create scenarios/cloud_breach_s3

So when we analyze the start.txt - we find our EC2 IP address

• When we ping the IP we don't get any response - maybe they've disabled ICMP on thier instance

• Let's scan the IP using

nmap -vvv --top-ports 5 44.204.156.174

• We find port 80 and 22 being open - Let's quickly curl it

• The error says

This server is configured to proxy reqs only to the EC2 metadata service

Please modify the req's host header !

Ok let's add the magic IP as the host header and then request again

AWS Magic IP

It works! - we see alot of dirs displayed, out of which the latest stands out

We require the meta-data , and iam/security-credentials looks interesting :)

We get a AcessKeyId, SecretAccessKey and a SessionToken - we can now configure a new user with this and try enumerating the S3 buckets !

aws configure --profile vulnacc

• After configuring the profile - we'll have to edit the .aws/credentials file

• Add a new-line, aws_session_token = <TOKEN_VALUE>

The user can't retrieve the user details - He's not authorized, let's now enumerate it

aws s3 ls --profile vulnacc
aws s3 ls s3://<BUCKET_NAME> --profile vulnacc

Hurray! we now found the sensitive files - let's dump them :)

aws s3 sync s3://<BUCKET_NAME> aws_dump --profile vulnacc

Exploitation Route