
Hijack Orphaned S3 Buckets for Data Access

Code and scripts referring to buckets that no longer exist (or never existed, if a typo was made in the bucket name) can have serious consequences for individual companies or developers using open source software.

Overview

This lab showcases realistic tradecraft and techniques that we have seen on penetration tests for our clients. It covers three different tools and techniques for identifying permissions and leveraging AWS resources and code repositories as we tunnel further into the environment!

Scenario

We're on an engagement for a client and, using CloudFox, have identified a user's IAM access keys that were added as Lambda environment variables. Can you capitalize on this to increase our access and gain access to more sensitive information? In scope is AWS and any services such as code repositories.

Lab prerequisites
  • Familiarity with AWS and the AWS CLI
  • Familiarity with Linux and CLI tools
Learning outcomes
  • Gain situational awareness via brute forcing IAM permissions
  • Identify and leverage deploy keys
  • Use TruffleHog to uncover secrets in code repositories
  • Replay gained credentials against SSH
  • Enumerate EC2 instances and user data
  • Increase access by hijacking orphaned S3 buckets
Real-world context

This lab features a vector that Pwned Labs found on an engagement - S3 bucket hijacking! Code and scripts referring to buckets that no longer exist (or never existed, if a typo was made in the bucket name) can have serious consequences for individual companies or developers using open source software.


Cloud Security Training To Protect Your Business

Pwned Labs for Business gives your team access to dedicated business content, including labs and cyber ranges.

We also offer in-person or remote workshops, and our cloud penetration services are helping businesses become more secure!