Jaeger
Note that the lambda function contains an access key ID.
With the access key ID, we are able to enumerate the username that the access key belongs to.
With the new username, let's spray the password wordlist against this new user to see if we are able to authenticate.
Macie is also a reference to Amazon Macie, which identifies sensitive data in the AWS instances. With the macie user credentials, we are able to find sensitive information or read existing reports to try and escalate our privileges through Amazon Macie.
Looking at the Summary Dashboard, there are 6 buckets being scanned, of which 3 are publicly accessible.
We had enumerated the it-storage bucket previously, so let's look into the other 2 buckets.
It seems that within the contractor bucket there is a file with an access key, so let's try and dump the file.
When attempting to unzip the file, it asks for a password.
We are able to use zip2john along with our existing password wordlist to crack the file.
The zip file contains an AWS Access Key ID and AWS Secret Access Key. We are able to authenticate with them and run get-caller-identity as a sanity check that the key is still working.
Next, I will attempt to enumerate the IAM policy of the user to see if we have any interesting permissions.
It seems that the ext-contractor user has permission to Create, List and Delete access keys for the backup user. Let's try and create a new access key.
Each IAM user can only have 2 active access keys, so let's delete one of the current access keys and create another one.
Let's run get-caller-identity again as a sanity check that the credentials are working properly.
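A defender's view of the access-key step above, as an added example that is not part of the original write-up: it scans CloudTrail-shaped records for CreateAccessKey/DeleteAccessKey calls where the caller is not the owner of the key, then pairs a delete with a following create by the same caller. The sample records, the placeholder key ID, the helper names and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

KEY_EVENTS = {"CreateAccessKey", "DeleteAccessKey"}
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

def _ev(time, name, caller, params, source="iam.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record for the sample data."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": caller},
            "requestParameters": params}

# Constructed records, not taken from the page; the key ID is a placeholder.
SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00Z", "CreateAccessKey", "backup-user", None),
    _ev("2024-01-01T10:01:00Z", "DeleteAccessKey", "ext-contractor",
        {"userName": "backup-user", "accessKeyId": "AKIAPLACEHOLDEROLD00"}),
    _ev("2024-01-01T10:01:40Z", "CreateAccessKey", "ext-contractor",
        {"userName": "backup-user"}),
    _ev("2024-01-01T10:05:00Z", "ListSecrets", "backup-user", None,
        source="secretsmanager.amazonaws.com"),
]

def cross_user_key_events(events):
    """Return access-key events where the caller acts on another user's keys."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in KEY_EVENTS:
            continue
        caller = ev.get("userIdentity", {}).get("userName")
        # requestParameters is null when no user name is given (caller's own key).
        target = (ev.get("requestParameters") or {}).get("userName", caller)
        if caller and target != caller:
            when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            hits.append({"time": when, "caller": caller, "target": target,
                         "action": ev["eventName"]})
    return sorted(hits, key=lambda h: h["time"])

def delete_then_create(hits, window=WINDOW):
    """Pair a cross-user delete with a later create by the same caller on the same target."""
    pairs = []
    for d in (h for h in hits if h["action"] == "DeleteAccessKey"):
        if any(c["action"] == "CreateAccessKey"
               and (c["caller"], c["target"]) == (d["caller"], d["target"])
               and timedelta(0) <= c["time"] - d["time"] <= window for c in hits):
            pairs.append((d["caller"], d["target"]))
    return pairs
```
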
Next, I'll be using the tool bf-aws-permission to bruteforce the user's permissions.
It seems that the backup-user has permissions over secretsmanager and Elastic Beanstalk, so let's enumerate those accordingly.
Looking at the secretsmanager output, there are 2 secrets:
Flag
azure-integration credentials
Let's dump out both secrets.
Use get-access-key-last-used to get the username of the access key from lambda
Spray the macie-user-467 user with password wordlist
Enumerate Amazon Macie to identify public buckets with files
Download contractor-install-tmp-52364/ext-contractor_accessKeys_24534.zip file
Crack the password with zip2john and john
Authenticate as the ext-contractor user and enumerate IAM
Use CreateAccessKey to create a new access key for the backup-user
Bruteforce backup-user permissions with bf-aws-permission script
Enumerate secretsmanager to get flag as well as credential for azintegration user