recon_25 (S3)

View the exercise here: PentesterLab: Recon 25

OBJECTIVE

For this challenge, your goal is to look at the server used to load assets (JavaScript, CSS) and find a file named key2.txt. However, this time you will need to be logged in to access it.

Amazon Web Services Storage Service (S3) allows file owners to set permissions on files. Historically, the rule "Any users" wasn't well explained and led a lot of people to think that only people in their Amazon account could access a file. In fact, it allowed any AWS account to access the file.

WHY?

It's essential to look for files that may be publicly available on the servers used to load assets.

SOLUTION

View the page source of hackycorp.com, then open the links that point to assets.

Remove the view-source: prefix and keep only http://assets.hackycorp.com

We need to find a file called key2.txt, so we try to access the path http://assets.hackycorp.com/key2.txt

Access to this path is denied, but the objective says that this file can be viewed by anyone with an AWS account.

So I created a temporary IAM user and produced access keys to be used in AWS CLI.

Using AWS CloudShell:

Enter the line below to access AWS CLI:

aws configure

Type the Access Key ID & Secret Access Key

*Region name & Output format may be left blank

I tried aws s3 cp s3://assets.hackycorp.com/key2.txt ~/ but this is forbidden.

First we need to give the IAM user permission to view S3 buckets.

I tried listing the contents of assets.hackycorp.com...

aws s3 ls s3://assets.hackycorp.com

...and using the line below, but Access is still denied.

aws s3 ls s3://assets.hackycorp.com/key2.txt 

So I tried copying the contents of assets.hackycorp.com/key2.txt to the machine, and we were successful.

aws s3 cp s3://assets.hackycorp.com/key2.txt ~/
