Cloud Breach S3

Exploit misconfigured reverse proxy to query EC2 metadata service


Last updated 1 year ago

  • Create a CloudGoat IAM profile with access keys and set it up via aws configure

  • Deploy the cloud_breach_s3 scenario and wait until it has configured the vulnerable environment

If you face any issues, read the Issues tab

Scenario Start

  • An EC2 instance at the given IP address is running a misconfigured reverse proxy

Scenario Goal

  • Dump the confidential data from the S3 buckets

Getting Started

./cloudgoat.py create scenarios/cloud_breach_s3

When we look at start.txt we find our EC2 IP address

  • When we ping the IP we don't get any response; maybe they've disabled ICMP on their instance

  • Let's scan the IP using

nmap -vvv --top-ports 5 44.204.156.174

  • We find ports 80 and 22 open. Let's quickly curl it

  • The error says

This server is configured to proxy reqs only to the EC2 metadata service

Please modify the req's host header !

OK, let's add the magic IP (the EC2 metadata service address) as the Host header and request again

It works! We see a lot of directories listed, out of which latest stands out

We need meta-data, and iam/security-credentials looks interesting :)

We get an AccessKeyId, SecretAccessKey and a SessionToken. We can now configure a new CLI profile with these and try enumerating the S3 buckets!
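From the defender's side, the trace this step leaves is a request to the proxy whose Host header is the metadata address (or whose path is an IMDS path) showing up in the proxy's access log. The following detection script is an added example, not part of the walkthrough or of CloudGoat. It assumes (since the page does not name the proxy software) a combined-format access log with the request's Host header appended as a final quoted field, and it works over constructed sample lines embedded in the script.

```python
"""Detection example added to this walkthrough (not CloudGoat's or the
original author's code): scan reverse-proxy access logs for requests that
were relayed to the EC2 instance metadata service.

Assumed log format (an assumption, since the page does not name the proxy
software): the common combined format with the request's Host header
appended as a final quoted field.
"""
import re
from ipaddress import ip_address

# Well-known metadata service addresses (IPv4 and the IPv6 endpoint).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254"}
# Path prefixes that only make sense when talking to IMDS.
METADATA_PATHS = ("/latest/meta-data", "/latest/dynamic", "/latest/user-data")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Constructed sample lines: a probe of the bare proxy, two relayed
# metadata requests (the second pulls role credentials), and normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 400 97 "-" "curl/8.0" "44.204.156.174"
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "GET /latest/meta-data/ HTTP/1.1" 200 312 "-" "curl/8.0" "169.254.169.254"
203.0.113.10 - - [01/Jan/2024:10:00:09 +0000] "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 15 "-" "curl/8.0" "169.254.169.254"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "example.internal"
"""


def hostname(host_field):
    """Strip an optional port from a Host header value ([v6]:port or v4:port)."""
    host = host_field.strip()
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    if host.count(":") == 1:          # exactly one colon: IPv4/name plus port
        return host.split(":", 1)[0]
    return host


def targets_metadata_service(host):
    """True if the Host header points at IMDS, by exact address or link-local range."""
    if host in METADATA_HOSTS:
        return True
    try:
        return ip_address(host).is_link_local
    except ValueError:                # a DNS name, not an IP literal
        return False


def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = hostname(m["host"])
    path = m["path"]
    if not (targets_metadata_service(host) or path.startswith(METADATA_PATHS)):
        return None
    # A successful read of iam/security-credentials means role keys left the box.
    credentials_read = "iam/security-credentials" in path and m["status"] == "200"
    severity = "critical" if credentials_read else "high"
    return {"src": m["src"], "time": m["ts"], "host": host, "path": path,
            "status": m["status"], "severity": severity}


def scan(log_text):
    """Run classify() over every line and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"].upper():8} {finding["src"]} -> '
              f'Host={finding["host"]} {finding["path"]} ({finding["status"]})')
```

Matching on the Host header alone is not enough, which is why the script also checks the request path: a proxy that rewrites or drops the Host header still logs the IMDS path. Any link-local Host value is flagged, not just the one address, so the rule also covers probes of neighbouring addresses.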

aws configure --profile vulnacc
  • After configuring the profile, we'll have to edit the .aws/credentials file

  • Add a new line: aws_session_token = <TOKEN_VALUE>

The profile can't retrieve its own user details (not authorized), so let's enumerate S3 instead

aws s3 ls --profile vulnacc
aws s3 ls s3://<BUCKET_NAME> --profile vulnacc

Hurray! We found the sensitive files, let's dump them :)

aws s3 sync s3://<BUCKET_NAME> aws_dump --profile vulnacc
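The instance-side fix for this whole route is to require IMDSv2: a session token must first be obtained with a PUT request, and the metadata service rejects requests that carry an X-Forwarded-For header, which reverse proxies add, so a relayed GET no longer returns role credentials. The audit below is an added example, not part of the walkthrough or of CloudGoat. It reads the response shape of `aws ec2 describe-instances` (the same dict boto3's `describe_instances` returns), flags instances that still allow IMDSv1 or have a hop limit above 1, and prints the real `modify-instance-metadata-options` call that fixes each one; the instance ids in the embedded sample are placeholders.

```python
"""Added example, not part of the original walkthrough or of CloudGoat:
audit EC2 instances for metadata-service settings that stop a reverse proxy
from handing out role credentials, and print the fix for each offender.

Works on the response shape of `aws ec2 describe-instances` (the same dict
boto3's describe_instances returns). A constructed response is embedded so
the audit runs offline; the live call in main() is optional.
"""

# Constructed describe-instances output with placeholder instance ids.
CONSTRUCTED_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-placeholder-0001",   # IMDSv1 still allowed
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-placeholder-0002",   # v2 enforced, but hop limit too high
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-placeholder-0003",   # compliant
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-placeholder-0004",   # IMDS switched off entirely
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}


def audit_instances(response):
    """Map instance id -> list of problems for instances whose IMDS config is weak."""
    findings = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service, nothing for a proxy to relay to
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed: a plain GET relayed by the proxy returns credentials")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                problems.append("hop limit > 1: IMDSv2 token responses can cross an extra network hop")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_command(instance_id):
    """The AWS CLI call that enforces IMDSv2 with a one-hop limit."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-endpoint enabled "
            "--http-tokens required --http-put-response-hop-limit 1")


def main():
    response = CONSTRUCTED_RESPONSE
    try:
        import boto3  # optional: audit a real account when credentials are configured
        response = boto3.client("ec2").describe_instances()
    except Exception:  # no boto3 or no credentials: fall back to the sample
        pass
    for instance_id, problems in audit_instances(response).items():
        print(instance_id)
        for problem in problems:
            print("  -", problem)
        print("  fix:", remediation_command(instance_id))


if __name__ == "__main__":
    main()
```

Enforcing IMDSv2 only closes the credential-theft step; the second weakness in this scenario is the instance role being allowed to list and read the confidential bucket at all, which least-privilege IAM policies on the role should prevent independently.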

Exploitation Route