Post

Identify the AWS Account ID from a Public Bucket

This challenge gives us a scenario where a global logistics company has tasked our cybersecurity firm with identifying their AWS account ID through a public S3 bucket, starting with the IP address of their website. The goal is to demonstrate how even minor oversights can be exploited, emphasizing the significance of robust security practices. By leveraging detailed error messages from AWS services, we aim to compile a list of possible IAM users and roles, ultimately finding the AWS account ID. This exercise requires basic Linux command line knowledge and offers valuable insights into techniques for discovering AWS account IDs and understanding tool functionalities through code review.


Let’s start with the challenge.

We have been given the following information about the entrypoint in the start.

Information about the entrypoint.

Enumeration

Let’s start by scanning the IP Address with Nmap.

1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/Desktop/pwnedlabs]
└─$ nmap -sC -sV -vv 54.204.171.32
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Mega Big Tech
|_http-server-header: Apache/2.4.52 (Ubuntu)

This reveals the website for Mega Big Tech.

Home page of mega big tech.

On inspecting the source code, It reveals that the images are being hosted on a s3 bucket named mega-big-tech.

Source code of the website.

On inspecting the bucket, it only reveals a folder of images.

Inspection of the bucket to check the contents.

Let’s find the region of the bucket then try to login with aws-cli.

Finding region of the AWS Account.

I Logged in with aws-cli using the credentials in entrypoint.

Confiuring aws-cli account.

Using the get-caller-identity to check the user.

1
$ aws sts get-caller-identity | jq
Enumerating the user information using get-caller-identity.

It’s given in the page that the IAM credentials we need are arn:aws:iam::427648302155:role/LeakyBucket. We will use the tool s3-account-search which bruteforces the Account ID of the Public S3 Bucket.

Enumerating account ID using the arn.

Once we’ve got the account ID we can search for public listed snapshots by the Account ID 107513503799.

Public Snapshot with the respective account ID.

It’s mentioned that the flag is the Account ID which is 107513503799.

Hence we have completed the lab.

Thank you!! Happy Hacking :D

This post is licensed under CC BY 4.0 by the author.