Breaching AWS

Introduction
Introduction
2 Topics
How to access the Labs
BAWS Lab Objectives
Breaching AWS – Rules of Engagement
Breaching TWOCAPITALS
BAWS 01 – Enumerating S3 Buckets
2 Topics
BAWS 01 – Lab
BAWS 01 – Lab Solution
BAWS 02 – AWS Subdomain Takeover
BAWS 02 – Dumping EBS Secrets
3 Topics
BAWS 02 – Lab 2
BAWS 02 – Video Walkthrough
BAWS 02 – Lab 2 – Solution
BAWS 03 – Enumeration & Command Execution via SSM
3 Topics
BAWS 03 – Lab 1
BAWS 03 – Video Walkthrough
BAWS 03 – Lab 1 Solution
BAWS 04 – Abuse IAM User Roles, Instance Metadata & SNS
3 Topics
BAWS 04 – Abusing Instance Metadata Service (IMDS)
BAWS 04 – Lab
BAWS 04 – Lab Solution
BAWS 05 – Capture Credentials from SNS Service
2 Topics
BAWS 05 – Lab
BAWS 05 – Lab Solution
BAWS 06 – Get Remote Code Execution on a Lambda Function
2 Topics
BAWS 06 – Lab
BAWS 06 – Lab Solution
BAWS 07 – Enumerate and Read Data from DynamoDB
2 Topics
BAWS 07 – Lab
BAWS 07 – Lab Solution
BAWS 08 – Upload Malicious Image into ECR
2 Topics
BAWS 08 – Lab
BAWS 08 – Lab Solution
BAWS 09 – AWS SSO Phishing Attack
2 Topics
BAWS 09 – Lab
BAWS 09 – Lab Solution
BAWS 10 – Enumerate AWS IAM Identity Center Permissions
2 Topics
BAWS 10 – Lab
BAWS 10 – Lab Solution
BAWS 11 – Enumerate AWS IAM Permission & Retrieve Secrets from Secret Manager
2 Topics
BAWS 11 – Lab 1
BAWS 11 – Lab Solution
BAWS 12 – Utilising Rancher to Gain Shell Access to a Pod
3 Topics
BAWS 12 – Amazon Elastic Kubernetes Service (AWS EKS)
BAWS 12 – Lab
BAWS 12 – Lab Solution
BAWS 13 – Enumerate RDS and Retrieve the Final Flag
2 Topics
BAWS 13 – Lab
BAWS 13 – Lab Solution
Previous Lesson
Next Topic

BAWS 01 – Enumerating S3 Buckets

Breaching AWS BAWS 01 – Enumerating S3 Buckets

AWS Unauthenticated Enumeration

AWS (Amazon Web Services) enumeration is the process of identifying and locating AWS resources and endpoints within a given AWS environment or from outside of the environment (unauthenticated). This is an essential process for both legitimate administrative tasks and potentially malicious ones (such as penetration testing or hacking). Proper permission settings and security measures can prevent unauthorised enumeration.

OSINT

Use Google Dorks to find leaked AWS secrets in search engines such as Google:

<Target_Company> “AWS_ACCESS_KEY_ID” OR “AWS_ACCESS_SECRET_KEY”
<Target_Company> “AWS_ACCESS_KEY_ID” OR “AWS_ACCESS_SECRET_KEY” filetype:txt

Leverage the same technique to discover target AWS infrastructure cached by Google’s crawler:

site:http://amazonaws.com inurl:".s3.amazonaws.com/" "<Target_Company>”
site:.s3.amazonaws.com "Company" <Target_Company>
Intitle:index.of.bucket <Target_Company>

Use third party platforms that index S3 buckets and files hosted on them. Depending on the permission configuration S3 buckets can be left indexable, public and leak data.

GrayHatWarfare is a great tool to automate the OSINT process, register and leverage it to find Public S3 buckets at buckets.grayhatwarfare.com/buckets.

A screenshot of GrayHatWarfare

S3 Bucket Enumeration

Amazon S3 (Simple Storage Service) is a scalable storage service offered by Amazon Web Services (AWS). It is designed to make web-scale computing easier by providing secure, durable, and highly-scalable object storage. S3 allows you to store and retrieve any amount of data at any time, from anywhere on the web.

S3 URL Structure:

http://[bucketname].s3-website-[region].amazonaws.com/

Guess Naming Convention: Bucket Naming Conventions are often guessable. If you know an organisation’s main domain name or naming convention, you can guess the names of potential S3 buckets. It’s a common practice to use predictable naming patterns upon setting a new IT infrastructure it.twocapital.com, backup.twocapital.com, etc.

You can manually check the existence of a S3 bucket using the AWS CLI:

aws s3 ls s3://insert-bucket-name-example

The following error message is return when the S3 bucket does not exist:

Use automated tools such as cloud_enum and BucketFinder. An example command that searches for S3 buckets against containing the word “samplekeyword” in the Bucket’s name:

cloud_enum -k samplekeyword -t 10

Additional Tools

Lesson Content
0% Complete 0/2 Steps
Previous Lesson
Back to Course
Next Topic