Emerge through the breach
We are given an entry point of 44.208.228.94.
First, let's perform the standard enumeration on the IP address.
From the output, we can identify that:
It is running on AWS EC2.
It's hosting an Apache web server on ports 80 and 443.
It seems to be a default landing page for a pharmaceutical company.
Viewing the page source, everything looks like a standard landing page, except for a Bitbucket URL.
We are able to retrieve the source code of the website via the Bitbucket link.
Let's git clone the repository and run trufflehog on it to try and find any secrets.
Running git log, we also manage to retrieve two usernames, so let's add those to our loot.
As the repository is relatively small, we can manually enumerate the whole repository by doing a code review. There is nothing suspicious that will allow us to escalate our privileges. Looking back at Bitbucket, I noticed that there is another repository called trial-data-management-poc within the same workspace.
Let's rinse and repeat the enumeration we performed earlier.
The trufflehog output does not seem to give any useful information, other than that a SQL Server is running.
Looking at the git log output, there are two commits that seem interesting at first glance.
Pushing local changes - 14129237ea34eeefbced772092c9264f60b2cefa
The author is Haru Sato's local account instead of the domain account.
Bucket name change - c167543e30628c5a76f79f519a0adb752b238106
So let's inspect each commit and see what the changes are.
The "Pushing local changes" commit gives us some juicy information:
Password - Treatment!
Email - devmailer@massive-pharma.com
So let's add these two new credentials to our loot.
Next, inspecting the "Bucket name change" commit also gives us some information:
AWS Key - AKIATCKANV3QK3BT3CVG
Bucket Name
clinical-trial-data
mp-clinical-trial-data
As we have two S3 bucket names, we can try enumerating them to see whether either is publicly accessible for some low-hanging fruit; sadly, neither was.
Referring to HackTricks and the AWS documentation, we are able to get the account ID for the access key. I will also add the account ID to our loot. I also performed more manual enumeration on the Bitbucket repository, but there was nothing else interesting. The web app source code is OpenEMR, an open source health record solution.
Looking at our current loot, we have:
1x account ID
2x usernames
1x password
Let's attempt to spray our credentials to see if we can get AWS Console access. I will be using the GoAWSConsoleSpray tool to spray credentials.
We have managed to successfully spray and obtain a set of valid credentials. Let's add this set of valid credentials to our loot.
Upon authentication, we took a look at the Recently visited applications. This lets us identify which applications the user may have used recently.
Looking at AWS Secrets Manager, we found the flag, as well as a secret named haru.
We are then able to retrieve the key/value pair for both secrets.
Enumerate the IP address
Identify the Bitbucket URL, retrieve the AWS access key and S3 bucket names
Use aws sts get-access-key-info to get the account ID
Spray the AWS Console
Flag from AWS Secrets Manager
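As an added defensive counterpart to the console spray step in this chain (example code, not part of the original writeup): a small detector over CloudTrail ConsoleLogin records that flags a source IP failing against several user names and then succeeding, which is the trace a credential spray leaves. The field names follow CloudTrail's ConsoleLogin event shape; the sample events, IPs and user names are constructed.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data). One source IP
# works through several IAM user names with failures and then lands a
# success; a second IP logs in once and should not be flagged.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:01Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "user-a"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:02Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "user-b"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:03Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "user-c"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:04Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "user-c"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"userName": "user-a"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def detect_console_spray(events, min_users=2):
    """Flag source IPs whose failed ConsoleLogin attempts span at least
    `min_users` distinct user names; also report any user that succeeded
    from that IP after the failures began (the account to investigate first)."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "successes": []})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue  # only sign-in events matter for this detection
        ip = ev["sourceIPAddress"]
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        state = per_ip[ip]
        if outcome == "Failure":
            state["failed_users"].add(user)
            state["failures"] += 1
        elif outcome == "Success" and state["failures"] > 0:
            state["successes"].append(user)  # success following a failure run
    alerts = {}
    for ip, state in per_ip.items():
        if len(state["failed_users"]) >= min_users:
            alerts[ip] = {"failed_users": sorted(state["failed_users"]),
                          "failures": state["failures"],
                          "success_after_failures": state["successes"]}
    return alerts
```

In production the same logic runs over CloudTrail delivered to S3 or via Athena, with `min_users` tuned to the account's normal sign-in behaviour.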