recon_25 (S3)

Last updated 7 months ago

View the exercise here:

OBJECTIVE

For this challenge, your goal is to look at the server used to load assets (JavaScript, CSS) and find a file named key2.txt. This time, however, you will need to be logged in to AWS to access it.

Amazon Simple Storage Service (S3) lets bucket and object owners set permissions (ACLs) on individual files. Historically, the grantee shown as "Any users" (the AuthenticatedUsers group, labelled "Any Authenticated AWS User" in the console) wasn't well explained and led a lot of people to think it covered only users in their own AWS account. In fact it allowed any AWS account at all to access the file, which is barely better than public, since anyone can create an account.

WHY?

It's essential to look for files that may be exposed on the servers used to load assets. Those hosts are often S3 buckets, and a 403 on an unauthenticated request does not prove a file is private: if it was granted to "any authenticated AWS user", any AWS account, including the attacker's, can read it.

SOLUTION

View the page source of hackycorp.com (view-source:http://hackycorp.com/) and look for the links that load assets (JavaScript, CSS).

Remove the view-source: prefix and keep the host part, http://assets.hackycorp.com

We need to find a file called key2.txt, so we try the path http://assets.hackycorp.com/key2.txt

Access is denied for this path, but the objective says the file can be viewed by anyone with an AWS account: the unauthenticated 403 only rules out public (AllUsers) access, not a grant to authenticated AWS users.

So I created a temporary IAM user and generated access keys for it to use with the AWS CLI.

Using AWS CloudShell:

Run the line below to configure the AWS CLI:

aws configure

Enter the Access Key ID and Secret Access Key when prompted.

*Region name and Output format may be left blank. (CloudShell already carries the console user's credentials; running aws configure with the temporary user's keys makes the CLI use that user instead.)

I tried aws s3 cp s3://assets.hackycorp.com/key2.txt ~/ but this is forbidden.

A brand-new IAM user has no permissions at all, so we first need to attach an IAM policy that lets the user read S3. Cross-account access needs both sides to agree: the caller's own IAM policy must allow the call, and the bucket or object must grant it.

Attaching broad S3 permissions is not best practice, but I'm only doing this for this exercise.

I tried listing the contents of assets.hackycorp.com...

aws s3 ls s3://assets.hackycorp.com

...and using the line below, but access is still denied.

aws s3 ls s3://assets.hackycorp.com/key2.txt 

That is expected: both commands are ListObjects calls on the bucket, which need list permission on the bucket itself (s3:ListBucket, i.e. READ on the bucket ACL), and that evidently isn't granted to other AWS accounts here. Fetching the object is a different operation (GetObject, governed by the object's own ACL), so I tried copying assets.hackycorp.com/key2.txt to the machine, and this succeeds.

aws s3 cp s3://assets.hackycorp.com/key2.txt ~/

Opening key2.txt gives us the flag.
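To make the ls-versus-cp behaviour concrete, here is an added example (my code, not PentesterLab's and not this writeup's) that models S3 ACL grants for the three caller classes involved: an anonymous request, a signed request from any AWS account, and the owner. The bucket and object ACLs in it are constructed to match what the writeup observed; the real hackycorp ACLs are not shown on the page (reading them would need READ_ACP), so they are assumptions. The dict shape mirrors the JSON that aws s3api get-bucket-acl / get-object-acl print.

```python
"""Reason about S3 ACL grants the way recon_25 exercises them.

Added example. The ACLs below are constructed to match the writeup's
observations (listing denied, object fetch allowed for any AWS account);
they are assumptions, not the real hackycorp ACLs.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Caller classes, least to most privileged.
ANONYMOUS = "anonymous"              # unsigned request: browser, curl, aws ... --no-sign-request
ANY_AWS_ACCOUNT = "any_aws_account"  # signed request from any account, e.g. a throwaway IAM user
OWNER = "owner"                      # the account that owns the bucket/object


def grant_reaches(grantee: dict, caller: str, owner_id: str) -> bool:
    """True if one ACL grantee covers the given caller class."""
    kind = grantee.get("Type")
    if kind == "Group":
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            return True                  # public: even unsigned requests
        if uri == AUTH_USERS:
            return caller != ANONYMOUS   # "Any Authenticated AWS User": any account at all
        return False                     # LogDelivery etc.: not a caller we model
    if kind == "CanonicalUser":
        return caller == OWNER and grantee.get("ID") == owner_id
    return False                         # AmazonCustomerByEmail grants are ignored here


def allows(acl: dict, caller: str, permission: str) -> bool:
    """Does the ACL grant `permission` (or FULL_CONTROL, which implies it) to `caller`?"""
    owner_id = acl["Owner"]["ID"]
    return any(
        g["Permission"] in (permission, "FULL_CONTROL")
        and grant_reaches(g["Grantee"], caller, owner_id)
        for g in acl["Grants"]
    )


def exposure(acl: dict, permission: str = "READ") -> str:
    """Widest caller class holding `permission`: 'public', 'any_aws_account' or 'owner'."""
    if allows(acl, ANONYMOUS, permission):
        return "public"
    if allows(acl, ANY_AWS_ACCOUNT, permission):
        return ANY_AWS_ACCOUNT
    return OWNER


def cli_outcomes(bucket_acl: dict, object_acl: dict, caller: str) -> dict:
    """Map the writeup's two CLI calls to the ACL permission each one needs.

    `aws s3 ls s3://bucket[/prefix]` is ListObjects: READ on the *bucket* ACL.
    `aws s3 cp s3://bucket/key .` is HeadObject + GetObject: READ on the *object* ACL.
    Assumes the caller's own IAM policy already allows the calls; the ACL is
    only the resource side of the decision.
    """
    return {
        "aws s3 ls": allows(bucket_acl, caller, "READ"),
        "aws s3 cp": allows(object_acl, caller, "READ"),
    }


def audit(named_acls: dict) -> list:
    """One finding per ACL readable beyond its owner (handy for a bucket sweep)."""
    return [f"{name}: readable by {exposure(acl)}"
            for name, acl in named_acls.items() if exposure(acl) != OWNER]


# Constructed sample data: a 64-hex-char canonical user ID for the owner.
OWNER_ID = "a" * 64

# Constructed bucket ACL: only the owner can list.
BUCKET_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}

# Constructed object ACL for key2.txt: READ also granted to the AuthenticatedUsers group.
OBJECT_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for caller in (ANONYMOUS, ANY_AWS_ACCOUNT, OWNER):
        print(caller, cli_outcomes(BUCKET_ACL, OBJECT_ACL, caller))
    print(audit({"assets.hackycorp.com": BUCKET_ACL, "key2.txt": OBJECT_ACL}))
```

In the field you usually cannot read the ACL of someone else's object (that needs READ_ACP), so the check is behavioural, exactly as the writeup did it: an unsigned request (aws s3 cp ... --no-sign-request) tests the AllUsers case, and a signed request from an unrelated account tests the AuthenticatedUsers case. S3 Block Public Access treats grants to either group as public, so a bucket with that setting enabled would not behave this way.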

PentesterLab: Recon 25