In this blog, we will take a look at the PwnedLabs lab "Exploiting Weak Bucket Policies", where an S3 bucket name is exposed in the source code of a public webpage. The bucket also has weak permissions, which lets us extract a backup file containing sensitive credentials and, with those, gain access to a WebCRM portal holding sensitive customer data.
Topics Covered
Here are the topics covered in this blog:
What is an AWS S3 bucket?
Overview of the attack chain
S3 bucket policies
Detailed explanation of the attack steps
Possible defensive measures
What is an AWS S3 Bucket?
I've explained the S3 bucket concept in my previous blog. Please read that before moving forward.
During a red team engagement for Huge Logistics, your team found the IP address 13.43.144.61 and hardcoded AWS credentials in a shipping application. Your primary objective is to access sensitive data. Using the discovered AWS credentials and the IP address, your goal is to delve deeper into their cloud infrastructure and demonstrate impact.
Before we move forward in the lab, I would like to visualize the whole attack chain.
Firstly, the attacker has the credentials of a compromised user.
Scanning the provided public IP 13.43.144.61 shows that HTTP port 3000 is open, serving a webpage.
Analyzing the source code of the webpage.
The webpage source code exposes the AWS S3 bucket name hugelogistics-data.
Enumerating the S3 bucket policy shows that any authenticated AWS user can access backup.xlsx.
Downloading the backup.xlsx file from the S3 bucket.
Brute-forcing the password of backup.xlsx and then analyzing its contents.
Brute-forcing directory endpoints of the HTTP webpage.
Logging in to the CRM web panel with credentials from backup.xlsx.
Analyzing the logs and exporting them to a document to extract the flag.
For this demonstration I've named the AWS CLI profile "initial-user".
Attack Steps Explanation
We will start with an nmap scan of the provided public IP, 13.43.144.61.
root@kali ~/p/weak-bucket-policies# nmap -Pn -sC -sV --top-ports=1000 13.43.144.61
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-16 05:55 EDT
Nmap scan report for ec2-13-43-144-61.eu-west-2.compute.amazonaws.com (13.43.144.61)
Host is up (0.0048s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
110/tcp  open  pop3?
3000/tcp open  http    Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-title: Huge Logistics > Home
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 464.69 seconds
After 10 mins the scan finishes and shows HTTP port 3000 open. Navigate to the webpage.
Then check the source code of the page.
We can see the AWS S3 bucket name hugelogistics-data in the source code.
Use the AWS CLI S3 commands to enumerate the S3 bucket.
root@kali ~/p/weak-bucket-policies# aws s3 ls hugelogistics-data --profile initial-user --region us-east-1

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
root@kali ~/p/weak-bucket-policies [254]# aws s3 ls hugelogistics-data --no-sign-request --profile initial-user --region us-east-1

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
root@kali ~/p/weak-bucket-policies [254]#
The first command tests whether an authenticated AWS user (our initial-user profile) is granted list access to the bucket, while the second command tests for public (anonymous) access. Both return Access Denied.
Next, check the ACL of the bucket.
root@kali ~/p/weak-bucket-policies# aws s3api get-bucket-acl --bucket hugelogistics-data --profile initial-user --region us-east-1
An error occurred (AccessDenied) when calling the GetBucketAcl operation: Access Denied
We got access denied here as well.
Since that does not work either, let's check whether we have permission to view the bucket policy (aws s3api get-bucket-policy). Bucket policies are attached directly to the bucket and define which actions are allowed or denied for which principals.
The policy shows that any authenticated AWS user, from any account, can read the ACL and the content of two specified objects (backup.xlsx and background.png) in the hugelogistics-data bucket.
They can also retrieve the policy of the hugelogistics-data bucket itself.
The downloaded document is password protected, so we have to brute-force it with the "John The Ripper" tool. Before that we need to convert the document into a hash format the tool understands, using "office2john".
Then brute-force it with the "rockyou.txt" wordlist.
root@kali ~/p/weak-bucket-policies# john --rules --wordlist=rockyou.txt hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
summertime       (backup.xlsx)
1g 0:00:00:18 DONE (2024-03-16 06:40) 0.05313g/s 212.5p/s 212.5c/s 212.5C/s 123..summertime
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password is "summertime". Use it to open the document in LibreOffice.
There are a bunch of usernames and passwords that can be useful. So far, the HTTP website on port 3000 is our only known attack surface. Let's brute-force directories on the website using the "Gobuster" tool with a standard wordlist of your choice.
There is an endpoint called "/crm". From the previous document we have a credential set related to WebCRM:
admin@huge-logistics.com - 5w8=U5taN]V7
Let's login with these credentials.
Clicking "View Invoices Status" shows the page below, containing their users' credit card information.
To get the flag, export the data into a CSV file.
db7b876d88b1105b23164b6434b00f34
Defense Mechanism
Here are the several reasons responsible for this attack, along with possible mitigations.
The HTML source code should be kept clean so that it does not expose S3 bucket names that are not meant to be public.
The bucket policy is overly permissive: any authenticated AWS IAM user, from any account, can interact with it. It is recommended to design policies in line with the principle of least privilege, granting resource access only to those that need it.
backup.xlsx is a sensitive file and should not be placed in a publicly exposed S3 bucket; rather, it should be stored in a separate private S3 bucket.
backup.xlsx has a very weak password that was easily cracked. Having a strong password policy to protect the document is recommended.
Instead of storing sensitive credentials in a spreadsheet, it is recommended to use a password management solution like LastPass or Dashlane, a PAM solution, or AWS Secrets Manager, where credentials can be provided as needed only to those authorized to access them.
The company was also found to be storing unencrypted customer credit card details. Additionally, for a public-facing website it is recommended to enable MFA for all users.
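The over-permissive policy behaviour described in the attack steps (any AWS principal granted GetObject/GetObjectAcl on two objects and GetBucketPolicy on the bucket) and the least-privilege recommendation in the list above are both illustrated by the following added example. It is not code from the lab, from PwnedLabs or from the original post: a small Python check that takes a bucket policy document (the JSON string that aws s3api get-bucket-policy returns) and flags every Allow statement whose principal is a wildcard that no condition narrows. It runs against three constructed policies: a reconstruction of the weak one, an organization-scoped variant, and a least-privilege fix. The policy JSON, the account id, the role name and the organization id are all assumptions, and the list of narrowing condition keys is the checker's own.

```python
"""Audit an S3 bucket policy for statements that let any AWS principal in.
Added example for this write-up, not code from the lab or the original post.
Input is the policy JSON string (the "Policy" field from get-bucket-policy)."""
import json

# Condition keys that pin a wildcard principal to a known account, organization
# or network path.  Assumption: this list is the checker's own; AWS's own
# definition of a "public" policy uses a similar but longer set of keys.
NARROWING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourcevpc", "aws:sourcevpce",
}

# Constructed sample mirroring the weak policy the walkthrough describes: any
# AWS principal may read two objects and the bucket policy itself.  The lab's
# real policy is not reproduced on the page, so the exact JSON is an assumption.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnyAwsUserToReadBackups", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:GetObjectAcl"],
         "Resource": ["arn:aws:s3:::hugelogistics-data/backup.xlsx",
                      "arn:aws:s3:::hugelogistics-data/background.png"]},
        {"Sid": "AllowAnyAwsUserToReadPolicy", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "s3:GetBucketPolicy",
         "Resource": "arn:aws:s3:::hugelogistics-data"},
    ],
})

# Same wildcard, but scoped to one AWS Organization: broad, yet not public.
# The organization id is a placeholder.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hugelogistics-data/background.png",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}},
    }],
})

# Least-privilege version: one named role may read one object.  The account id
# and role name are placeholders, not values from the lab.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupReadOnlyForBackupRole", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hugelogistics-data/backup.xlsx",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (or "*" anywhere in a principal list).
    A bare "*" additionally matches unsigned, anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def has_narrowing_condition(statement):
    """True if some condition key restricts the statement to a known
    principal, account, organization or VPC endpoint."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in NARROWING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def audit_bucket_policy(policy_json):
    """One finding per Allow statement with an un-narrowed wildcard principal;
    an empty list means the policy grants nothing to arbitrary callers."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and is_wildcard_principal(stmt.get("Principal"))
                and not has_narrowing_condition(stmt)):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action")),
                "resources": _as_list(stmt.get("Resource")),
                "anonymous": stmt.get("Principal") == "*",
            })
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY),
                      ("fixed", FIXED_POLICY)):
        print(f"{name}: {len(audit_bucket_policy(doc))} overly broad statement(s)")
```

Run stand-alone it reports two overly broad statements for the weak policy and none for the other two. The check is deliberately conservative: it treats `{"AWS": "*"}` exactly like a bare `"*"`, because both let callers from outside the account in, and it only clears a wildcard when a condition ties it to a specific account, organization or VPC path. The same idea is what S3 Block Public Access (the BlockPublicPolicy setting) enforces at put-bucket-policy time, so turning it on account-wide is the cheapest control to pair with the least-privilege rewrite.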