GotRoot! AWS root Account Takeover

Gaurav Chib
3 min readAug 24, 2020

This write-up details how I was able to escalate privileges to the Nature’s Basket AWS root account starting as an unauthenticated user.

GotRoot!

TL;DR

Give me a quick description please!

What was the vulnerability?

Public S3 bucket leaking sensitive configuration files with hardcoded access credentials.

What was the attack path?

Unauthenticated User to Cloud Root Account Takeover:
Open S3 bucket -> Server backend code -> Hardcoded AWS keys in configuration file -> GotRoot!

Was users personal data breached?

The AWS root account had complete access over all of NB’s cloud assets including EC2 instances, RDS instances, databases, S3 buckets, etc. where users personal data may have been stored. So there is a chance of data breach if this has been exploited by an attacker previously.

Attack Path

Interesting, details please!

Step 1: Google dorks revealed Natures basket’s “gnbdevcdn” open bucket:

Google dorks revealed public S3 bucket

Step 2: gnbdevcdn bucket was found to be world readable. A quick search revealed hardcoded credentials and AWS access keys:

Hardcoded credentials
Hardcoded AWS access keys: user 1

Step 3: Gathered credentials were enumerated for permissions. First user account “gnbrobosoft” found with limited access.

User 1: gnbrobosoft limited privileges

Step 4: GotRoot!! Second gathered credentials found with root user access:

Hardcoded AWS access keys: user 2
GotRoot!

Step 5: An audit user account was set-up and access to the console was verified.

EC2 console access
Billing dashboard

Attack success! From Unauthenticated user to Complete Cloud Account Takeover.

Bonus!

Created a map showing some of Natures Basket’s cloud resources using cloudmapper:

NB cloud assets (cloudmapper)

Thanks for reading!

Disclosure timeline

[+] 12 July 2020: Issue first reported to Natures Basket (NB) team with detailed report
[+] 15 July 2020: Request for updates. NB team asks to re-share the details, re-shared
[+] 16 July 2020: Update from NB team, issue being verified
[+] 25 July 2020: Request for updates. No reply received.
[…] Access restricted for some of the sensitive files
[+] 22 August 2020: Request for updates. Informed NB team about my intention for public disclosure.
[+] 25 August 2020: Report disclosure

--

--