PwnedLabs - Leverage Insecure Storage and Backups for Profit
Summary
In this blog, we will take a look at the "Leverage insecure storage and backups for profit" lab, in which the attacker gets hold of initial IAM user credentials and uses them to probe Huge Logistics' cloud infrastructure. The chain runs from extracting files out of AWS S3 buckets to gaining access to a Windows endpoint in an Active Directory environment, where the attacker dumps the NTDS file containing sensitive password hashes.
Topics Covered
Here are the topics covered in this blog -
Overview of the attack chain.
Detailed explanation of the attack steps.
Possible defensive measures.
Attack Scenario
Official scenario description.
Your team stumbled upon AWS credentials on a compromised IT workstation. Your mission now is to use these credentials to probe Huge Logistics' cloud infrastructure. Dive in, seek out sensitive data, and identify accessible critical resources to determine the potential extent of exposure.
Exposed backups and images on file shares and buckets are a common vector in both on-premise and cloud infrastructure. Backups often contain a wealth of sensitive data, including user credentials, databases, configuration files, and more. Gaining access to a backup can provide an attacker with the same level of data access as compromising the primary system. Once an attacker has credentials or other sensitive data from a backup, they can use this information to move laterally and vertically within a network or cloud environment.
Before we move further into exploitation, I would like to visualize the whole attack chain.
Attack Steps -
Attacker gains keys for the authenticated IAM user.
Checking the attached user policies, then checking the policy document.
Checking the S3 bucket policy.
Download sensitive connection keys from the S3 Bucket.
Checking EC2 instances, discovering an EC2 instance called "Backup".
Nmap scan of the EC2 Backup instance, discovering port 5985 (WinRM).
Get password data from the EC2 Backup Instance.
Logging into the Windows endpoint using PowerShell remoting.
Exfiltrating sensitive files from the Windows endpoint.
Dumping hashes from the NTDS file.
Cracking hashes using Hashcat.
Setup
Use the AWS keys provided for the initial user and authenticate with them using the AWS CLI.
As we can see, the password for the Windows EC2 instance "Backup" is dumped. We can use PowerShell remoting to connect to the Windows endpoint. First, here are the commands to install PowerShell on Linux.
## Instructions for Ubuntu
# Update the list of packages
sudo apt-get update
# Install pre-requisite packages.
sudo apt-get install -y wget apt-transport-https software-properties-common
# Download the Microsoft repository GPG keys
wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb"
# Register the Microsoft repository GPG keys
sudo dpkg -i packages-microsoft-prod.deb
# Delete the Microsoft repository GPG keys file
rm packages-microsoft-prod.deb
# Update the list of packages after we added packages.microsoft.com
sudo apt-get update
# Install PowerShell
sudo apt-get install -y powershell
# Install the PSWSMan module (provides Install-WSMan), then install the WSMan libraries
pwsh -Command 'Install-Module -Name PSWSMan -Scope CurrentUser -Force'
sudo pwsh -Command 'Install-WSMan'
# Install the NTLMSSP authentication mechanism used by WinRM
sudo apt-get install -y gss-ntlmssp
After downloading the backup files, we use impacket-secretsdump to dump all the hashes for the huge-logistics.local domain.
root@kali ~/p/insecure-storage-backup# impacket-secretsdump -ntds "ad_backup/Active Directory/ntds.dit" -system "ad_backup/registry/SYSTEM" LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x8e47e7e457e33035cfabaea711975407
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 6df8fdd3a446ef9ed1a64c6a03a28ce2
[*] Reading and decrypting hashes from ad_backup/Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC04$:1003:aad3b435b51404eeaad3b435b51404ee:fc15058af730b1de899a7aa6759e894c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb22f21bc86dfe7b0073d9f9f722ae0e:::
...
From all the hashes dumped for the various users, we will crack the NTLM hash of the Administrator user.
Administrators often make multiple types of backups of critical resources. In the case of a domain controller, whether installed on-prem or in the cloud, this could be snapshots, full system images, incremental backups, system state backups, and copies of important files such as NTDS.dit and the registry hives.
In this scenario, the contractor credentials were used to identify and download a backup of SSH keys for multiple privileged systems. With these keys we were able to gain access to an administrator account on a Windows EC2 instance and to AWS credentials stored unencrypted in the credentials file. This allowed file access to the S3 bucket that also contained the Active Directory backup. With many organizations adopting a hybrid multi-cloud architecture, compromise of the cloud can often lead to compromising the on-premise infrastructure, and vice versa.
Instead of storing the SSH private keys in an S3 bucket, they could have been securely stored in AWS Secrets Manager. From there, only the key that the contractor requires for the work could be shared. The IAM credentials on the EC2 instance were also in cleartext. Instead, a tool such as aws-vault could store the IAM credentials in the operating system's secure keystore and generate temporary credentials from them to expose to your shell and applications. aws-vault is designed to be complementary to the AWS CLI tools, and is aware of your AWS profiles and configuration.
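Beyond locking the secrets away, the chain above also leaves a recognisable trail in CloudTrail: IAM and bucket-policy enumeration, GetObject on key and AD-backup files, then GetPasswordData on the instance. The following is an added example, not code from the lab or the write-up, that correlates those API calls per principal over a constructed set of CloudTrail-style records; the account id, bucket names, user names and instance id are placeholders.

```python
"""Added example: flag the S3-backup-to-EC2 chain from this write-up in CloudTrail records."""
import re
from collections import defaultdict

# CloudTrail eventNames that map onto the attack steps listed in this write-up.
STAGE_OF_EVENT = {
    "ListAttachedUserPolicies": "enumerate-iam",
    "GetPolicyVersion": "enumerate-iam",
    "GetBucketPolicy": "enumerate-s3",
    "DescribeInstances": "enumerate-ec2",
    "GetPasswordData": "windows-admin-password",
}
# Object keys that look like SSH private keys or an AD backup (ntds.dit plus SYSTEM/SECURITY hive).
SENSITIVE_KEY = re.compile(r"(\.pem$|id_rsa|ntds\.dit$|/registry/(system|security)$)", re.I)

def stage_for(record):
    """Map one CloudTrail record to a chain stage, or None if it is not interesting."""
    name = record.get("eventName", "")
    if name == "GetObject":
        key = record.get("requestParameters", {}).get("key", "")
        return "download-sensitive-object" if SENSITIVE_KEY.search(key) else None
    return STAGE_OF_EVENT.get(name)

def scan(records):
    """Return {principal_arn: sorted stages} for principals that touched two or more stages.

    A single DescribeInstances from an admin is normal noise; one principal crossing several
    stages (bucket recon, then private keys or ntds.dit, then GetPasswordData) is worth paging on."""
    stages = defaultdict(set)
    for r in records:
        s = stage_for(r)
        if s:
            stages[r.get("userIdentity", {}).get("arn", "unknown")].add(s)
    return {arn: sorted(st) for arn, st in stages.items() if len(st) >= 2}

def ev(name, user, **params):
    """Build a minimal constructed CloudTrail-style record (placeholder account id)."""
    return {"eventName": name, "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"},
            "requestParameters": params}

# Constructed sample events mirroring the lab's steps; not real CloudTrail data.
SAMPLE = [
    ev("ListAttachedUserPolicies", "contractor", userName="contractor"),
    ev("GetBucketPolicy", "contractor", bucketName="example-backups"),
    ev("GetObject", "contractor", bucketName="example-backups", key="ssh/backup-server.pem"),
    ev("GetObject", "contractor", bucketName="example-backups", key="ad_backup/Active Directory/ntds.dit"),
    ev("GetPasswordData", "contractor", instanceId="i-0placeholder"),
    ev("DescribeInstances", "ops-admin"),
    ev("GetObject", "ops-admin", bucketName="example-assets", key="images/logo.png"),
]

if __name__ == "__main__":
    for arn, st in scan(SAMPLE).items():
        print(f"ALERT {arn}: {', '.join(st)}")
```

Real CloudTrail data-plane GetObject events require S3 data event logging to be enabled on the bucket; without it the download stage is invisible and only the IAM, bucket-policy and EC2 calls remain.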