Directory Traversal to AWS Data Breach
Intro: Hey hackers!👋 What’s up? Hope you are all fine. Today I will discuss the Path (or Directory) Traversal vulnerability and how an attacker can use it to read internal data like AWS credentials and gain access to an AWS account. So let’s get into it.
Recon:
As usual, recon is the most important part of the attack. An IP was already given as the scope.
13.50.73.5
After scanning the IP with Nmap I found only one port open: 80 (http).
So I visited that website in my browser, and it looked like the screenshot below.
After that I started a directory brute-force scan with ffuf.
ffuf -u http://13.50.73.5/FUZZ -w /path/to/a/wordlist.txt
This gave me several endpoints. Visiting the invoices page redirected me to the Register Account page, so I registered an account.
After logging in I reached the invoice page, where I can export a CSV file of an invoice.
So I tried to download it, and the request looked something like this. It uses an API endpoint.
Data Disclosure via Path Traversal:
After hitting the Forward button, the request goes to the endpoint below.
GET /download?file=something.csv
This type of request is sometimes vulnerable to Path Traversal if the server doesn’t sanitize the user’s input. So I sent it to Repeater and tested it, and found that it is actually vulnerable: I could read the passwd file.
In it I found some valid users → User and nedf.
I confirmed it by the following process: I tried the nedf user’s home directory and found it is a valid directory.
Then I checked whether there is a .aws directory (like .ssh), because that contains AWS credentials.
AWS Credentials Path --> .aws/credentials
And I got valid credentials: the access key and secret key.
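Here is the defensive side of that download endpoint, as an added example that is not from the original writeup: a naive path join like the one behind GET /download?file= beside a hardened resolver that canonicalises the requested path and refuses anything outside the export directory, so neither the passwd file nor a home-directory .aws/credentials can be reached. The directory layout and file names in demo() are constructed fixtures.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join, as the /download?file= endpoint above behaves: '../' walks out of base_dir."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Return the canonical path of `requested` inside base_dir, or raise ValueError."""
    base = Path(base_dir).resolve()
    # Reject absolute paths outright: os.path.join / Path would discard base_dir for them.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    # resolve() collapses '..' segments and follows symlinks before the containment check.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes export directory: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def _rejected(base_dir: str, requested: str) -> bool:
    """True when safe_resolve refuses the request."""
    try:
        safe_resolve(base_dir, requested)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway export directory (constructed fixture) and compare both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        exports = Path(tmp) / "exports"
        exports.mkdir()
        (exports / "invoice-1.csv").write_text("id,amount\n1,42\n")
        # Stand-in for a file outside the export directory (think of a home-dir .aws/credentials).
        outside = Path(tmp) / "credentials"
        outside.write_text("aws_access_key_id = PLACEHOLDER\n")
        results = {}
        # The naive join happily points at the file outside the export directory.
        escaped = Path(vulnerable_resolve(str(exports), "../credentials")).resolve()
        results["vuln_escapes"] = escaped == outside.resolve()
        results["safe_ok"] = safe_resolve(str(exports), "invoice-1.csv").read_text().startswith("id,amount")
        results["safe_blocks_traversal"] = _rejected(str(exports), "../credentials")
        results["safe_blocks_nested"] = _rejected(str(exports), "invoice-1.csv/../../credentials")
        results["safe_blocks_absolute"] = _rejected(str(exports), str(outside))
        return results
```

Run demo() to see the naive resolver escape while the hardened one rejects every traversal variant and still serves the legitimate CSV.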
Another thing: the website resources are hosted in an S3 bucket. I viewed the page source and found it.
Bucket: huge-logistics-bucket
Access to AWS:
So I tried to access that bucket using the AWS credentials I found via directory traversal, because it is not listable without authentication.
After authenticating I could easily access the bucket using the awscli tool.
cmd> aws configure
cmd> aws sts get-caller-identity [to see current AWS User]
Then I listed the bucket.
I copied the contents to my VM.
As this is a CTF challenge we find a flag, but in real-life cases the bucket can contain sensitive information.
So that’s it for today. Hope you learned something new!!
If you also want to learn more about AWS, you can try the PwnedLabs platform. It is a very good platform to learn AWS attacks.
THANKS FOR READING!
If you enjoyed this, don’t forget to like it and follow me for more articles.
Happy Hacking~