Module 19: Cloud Computing

Objective

The objective of the lab is to perform cloud platform hacking and other tasks that include, but are not limited to:

  • Performing S3 bucket enumeration

  • Exploiting misconfigured S3 buckets

  • Escalating privileges of a target IAM user account by exploiting misconfigurations in a user policy

Overview of Cloud Computing

Cloud computing refers to on-demand delivery of IT capabilities, in which IT infrastructure and applications are provided to subscribers as metered services over a network. Cloud services are classified into three categories, namely infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), which offer different techniques for developing for the cloud.

Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools

Overview of Enumeration Tools

Enumeration tools are used to collect detailed information about target systems to exploit them. Information collected by S3 enumeration tools consists of a list of misconfigured S3 buckets that are available publicly. Attackers can exploit these buckets to gain unauthorized access to them. Moreover, they can modify, delete, and exfiltrate the bucket content.

Task 1: Enumerate S3 Buckets using lazys3

lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This tool obtains the publicly accessible S3 buckets and also allows you to search the S3 buckets of a specific company by entering the company name.

ruby lazys3.rb [Company]

  • You can search the S3 buckets of a specific company.

Task 2: Enumerate S3 Buckets using S3Scanner

S3Scanner is a tool that finds the open S3 buckets and dumps their contents. It takes a list of bucket names to check as its input. The S3 buckets that are found are output to a file. The tool also dumps or lists the contents of “open” buckets locally.

You can also use other S3 bucket enumeration tools:

  • S3Inspector (https://github.com)

  • s3-buckets-bruteforcer (https://github.com)

  • Mass3 (https://github.com)

  • Bucket Finder (https://digi.ninja)

  • s3recon (https://github.com)

Lab 2: Exploit S3 Buckets

Overview of S3 Buckets

S3 buckets are used by customers and end users to store text documents, PDFs, videos, images, etc. To store all these data, the user needs to create a bucket with a unique name.

Listed below are several techniques that can be adopted to identify AWS S3 Buckets:

  • Inspecting HTML: Analyze the source code of HTML web pages in the background to find URLs to the target S3 buckets

  • Brute-Forcing URL: Use Burp Suite to perform a brute-force attack on the target bucket’s URL to identify its correct URL

  • Finding subdomains: Use tools such as Findsubdomains and Robtex to identify subdomains related to the target bucket

  • Reverse IP Search: Use search engines such as Bing to perform reverse IP search to identify the domains of the target S3 buckets

  • Advanced Google hacking: Use advanced Google search operators such as “inurl” to search for URLs related to the target S3 buckets

Task 1: Exploit Open S3 Buckets using AWS CLI

The AWS command line interface (CLI) is a unified tool for managing AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.

pip3 install awscli

Now, we need to configure AWS CLI. To configure AWS CLI in the terminal window, type

aws configure

It will ask for the following details:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default region name

  • Default output format

Steps to obtain these details:

  • Click the AWS account drop-down menu and click Security Credentials, as shown in the screenshot.

  • Click Access keys (access key ID and secret access key) in the Your Security Credentials section.

  • Click the Create New Access Key button.

  • A Create Access Key pop-up appears, stating that your access key has been successfully created. Click the Show Access Key link to view the access key.

  • Copy the Access Key ID displayed by pressing Ctrl+C on your keyboard and switch to the Terminal window.

aws s3 ls s3://[Bucket Name]

This will show you the list of directories in the S3 bucket.

aws s3 mv Hack.txt s3://[Bucket Name]

You have successfully moved the Hack.txt file to the S3 bucket.

aws s3 rm s3://[Bucket Name]/Hack.txt

By issuing this command, you have successfully deleted the Hack.txt file from the S3 bucket.
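
A defender can check for the exposure this task relies on by auditing each bucket policy for statements that grant everyone the list, write, or delete access used above. The following is an added example, not part of the original lab: the sample policy and the bucket name example-lab-bucket are constructed, and it inspects bucket policies only (ACLs and Block Public Access settings are out of scope).

```python
import json
from fnmatch import fnmatchcase

# S3 actions behind the three CLI commands used in this task.
RISKY = {
    "s3:ListBucket": "anonymous listing (aws s3 ls)",
    "s3:PutObject": "anonymous upload (aws s3 mv)",
    "s3:DeleteObject": "anonymous delete (aws s3 rm)",
}

def as_list(value):
    # Policy fields may hold a single value or a list of values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return "*" in as_list(principal)

def audit_bucket_policy(policy_json):
    """Return sorted findings for unconditioned Allow statements open to everyone."""
    findings = set()
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need manual review; not flagged here
        for pattern in as_list(stmt.get("Action")):
            for action, risk in RISKY.items():
                # Action names are case-insensitive and may contain * and ? wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.add(f"{action}: {risk}")
    return sorted(findings)

# Constructed sample policy for a hypothetical bucket "example-lab-bucket".
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:List*", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-lab-bucket"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::example-lab-bucket/*"},
    ],
})

if __name__ == "__main__":
    print("\n".join(audit_bucket_policy(SAMPLE_POLICY)))
```

The policy text to feed it can be retrieved with aws s3api get-bucket-policy for each bucket in the account.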

Lab 3: Perform Privilege Escalation to Gain Higher Privileges

Overview of Privilege Escalation

Privileges are security roles assigned to users for using specific programs, features, OSes, functions, files, code, etc. to limit access depending on the type of user. Privilege escalation is required when you want to access system resources that you are not authorized to access. It takes place in two forms: vertical and horizontal.

  • Horizontal Privilege Escalation: An unauthorized user tries to access the resources, functions, and other privileges of an authorized user who has similar access permissions

  • Vertical Privilege Escalation: An unauthorized user tries to access the resources and functions of a user with higher privileges such as application or site administrators

Task 1: Escalate IAM User Privileges by Exploiting Misconfigured User Policy

A policy is an entity that, when attached to an identity or resource, defines its permissions. You can use the AWS Management Console, AWS CLI, or AWS API to create customer-managed policies in IAM. Customer-managed policies are standalone policies that you administer in your AWS account. You can then attach the policies to the identities (users, groups, and roles) in your AWS account. If the user policies are not configured properly, they can be exploited by attackers to gain full administrator access to the target user’s AWS account.

In this task, for demonstration purposes, we have created an IAM user account with permissions including iam:CreatePolicy, iam:AttachUserPolicy, iam:ListUserPolicies, sts:AssumeRole, and iam:ListRoles. These permissions can be exploited by attackers to gain administrator-level privileges.

aws configure

  • Enter the details of the target IAM user’s access key in the AWS Access Key ID field and press Enter. Similarly, in the AWS Secret Access Key field, enter the target IAM user’s secret access key and press Enter.

The AWS Access Key ID and AWS Secret Access Key of the target user’s account can be obtained using various social engineering techniques, as discussed in Module 09 Social Engineering.

  • In the Default region name field, type us-east-2 and press Enter. In the Default output format field, type json and press Enter.

  • After configuring the AWS CLI, we create a user policy and attach it to the target IAM user account to escalate the privileges.

  • In the terminal window, type vim user-policy.json and press Enter.

This command will create a file named user-policy.json in the root directory.

  • A command line text editor appears; press I and type the script given below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

This policy allows every action on every resource. It is equivalent to the AWS-managed AdministratorAccess policy and gives administrator access to the target IAM user.

  • Now, we will create the policy (user-policy) from this file so that it can be attached to the target IAM user’s account. To do so, type:

aws iam create-policy --policy-name user-policy --policy-document file://user-policy.json

  • The created user policy is displayed, showing various details such as PolicyName, PolicyId, and Arn.

  • In the terminal, type

aws iam attach-user-policy --user-name [Target Username] --policy-arn arn:aws:iam::[Account ID]:policy/user-policy

  • The above command will attach the policy (user-policy) to the target IAM user account (here, test).

  • Now, type the following command to view the attached policies of the target user (here, test):

aws iam list-attached-user-policies --user-name [Target Username]

  • The result appears, displaying the attached policy name (user-policy), as shown in the screenshot.

  • Now that you have successfully escalated the privileges of the target IAM user account, you can list all the IAM users in the AWS environment. To do so, type

aws iam list-users

Similarly, you can use various commands to obtain complete information about the AWS environment such as the list of S3 buckets, user policies, role policies, and group policies, as well as to create a new user.

  • List of S3 buckets: aws s3api list-buckets --query "Buckets[].Name"

  • User Policies: aws iam list-user-policies --user-name [Target Username]

  • Role Policies: aws iam list-role-policies --role-name [Role Name]

  • Group policies: aws iam list-group-policies --group-name [Group Name]

  • Create user: aws iam create-user --user-name [New Username]
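
On the detection side, the escalation in this task leaves a recognizable pair of CloudTrail events: a CreatePolicy call whose document allows every action on every resource, followed by an AttachUserPolicy call in which the same identity attaches that policy to itself. The following is an added example, not part of the original lab, that correlates the two. The events are constructed and trimmed to the fields used, the account ID 111122223333 is a placeholder, and it assumes the policy document appears as a JSON string in requestParameters.

```python
import json

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows_everything(document):
    """True if a statement in the policy JSON allows Action "*" on Resource "*"."""
    for stmt in as_list(json.loads(document).get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))
                and "*" in as_list(stmt.get("Resource"))):
            return True
    return False

def detect_self_escalation(events):
    """Alert when an identity creates an allow-all policy and attaches it to itself."""
    admin_policies = {}  # policy ARN -> ARN of the identity that created it
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("errorCode"):
            continue  # skip other services and denied or failed calls
        actor = ev["userIdentity"]
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "CreatePolicy":
            if allows_everything(params.get("policyDocument", "{}")):
                admin_policies[ev["responseElements"]["policy"]["arn"]] = actor["arn"]
        elif ev["eventName"] == "AttachUserPolicy":
            creator = admin_policies.get(params.get("policyArn"))
            if creator == actor["arn"] and params.get("userName") == actor.get("userName"):
                alerts.append((ev["eventTime"], actor["arn"], params["policyArn"]))
    return alerts

# Constructed events, trimmed to the fields used; the account ID is a placeholder.
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/test", "userName": "test"}
POLICY_ARN = "arn:aws:iam::111122223333:policy/user-policy"
ALLOW_ALL = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
SAMPLE_EVENTS = [  # deliberately out of order: the detector sorts by eventTime
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": USER,
     "requestParameters": {"userName": "test", "policyArn": POLICY_ARN}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicy", "userIdentity": USER,
     "requestParameters": {"policyName": "user-policy", "policyDocument": ALLOW_ALL},
     "responseElements": {"policy": {"arn": POLICY_ARN}}},
]

if __name__ == "__main__":
    print(detect_self_escalation(SAMPLE_EVENTS))
```

Removing iam:CreatePolicy and iam:AttachUserPolicy from users who do not administer IAM closes the path itself; the correlation above covers accounts where those permissions still exist.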



