How I found AWS Secret Key and Access Key via Threat Intelligence.
First, get an understanding of the web application's business process and build up the tech stack of each application. In the initial round of recon I included all of the subdomains of the target company. After subdomain enumeration, I ran a nuclei scan on the subdomains to check for known vulnerabilities, and Nmap to discover open ports and the services running on them. I also attempted a subdomain takeover, which was unsuccessful. Google dorking and GitHub dorking were performed next, and nothing sensitive was found. After that I looked the targets up in search engines such as Censys, Shodan, and Zoomeye.
Then I started to inspect the website manually, using the Inspect option in the browser's developer tools to see whether anything sensitive was exposed. Finally, I found an AWS Access Key ID and Secret Access Key in a .js file.
After that, I configured the AWS CLI with those keys to verify they were valid, and listed the S3 buckets they had access to.
The issue is that private information like these keys should never be shipped in publicly accessible files. The .js files of a site can hold sensitive data, so they are worth reading. The key is to stay optimistic.
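As an added example (this is not code from the original write-up), the following Python scanner does what the manual Inspect-and-read step above does, but over whole JavaScript bundles: it extracts AWS access key IDs and the secret access keys declared next to them, drops low-entropy placeholders so stub values are not reported as live secrets, and records the line each hit was found on. The sample bundle is constructed for this example, and the credential values in it are the example pair published in the AWS documentation, not real keys; the regular expressions and the entropy threshold are my own assumptions about what a credential looks like in bundled JS.

```python
import math
import re
import sys
from collections import Counter
from typing import Dict, List

# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs share a fixed shape:
# a 4-char prefix followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters from the base64 alphabet. Requiring a
# "secret...key"-style identifier in front of it keeps the scanner from flagging
# every 40-char string (hashes, tokens for other services) in a bundle.
SECRET_KEY_RE = re.compile(
    r"""(?i)secret[_-]?(?:access[_-]?)?key["']?\s*[:=]\s*["']([A-Za-z0-9/+=]{40})["']"""
)

# Assumed threshold (bits per character): real secrets are high-entropy,
# placeholders such as "AAAA..." or "0000..." are not.
MIN_SECRET_ENTROPY = 3.5

# Constructed sample bundle. The key pair is the AWS documentation example pair.
SAMPLE_JS = "\n".join([
    "// constructed sample bundle (credentials are AWS documentation examples)",
    "const cfg = {",
    '  region: "us-east-1",',
    '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
    '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",',
    "};",
    "// a placeholder the scanner should NOT report as a live secret",
    'const stub = { secretAccessKey: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };',
    'var analyticsId = "UA-123456-1";',
])


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _line_of(text: str, pos: int) -> int:
    """1-based line number of character offset pos in text."""
    return text.count("\n", 0, pos) + 1


def find_aws_credentials(js_text: str) -> List[Dict[str, object]]:
    """Return access key IDs and plausible secret access keys found in js_text."""
    findings: List[Dict[str, object]] = []
    for m in ACCESS_KEY_RE.finditer(js_text):
        findings.append({"type": "access_key_id",
                         "value": m.group(1),
                         "line": _line_of(js_text, m.start(1))})
    for m in SECRET_KEY_RE.finditer(js_text):
        value = m.group(1)
        # Skip obvious placeholders: a real 40-char secret is far above the threshold.
        if shannon_entropy(value) < MIN_SECRET_ENTROPY:
            continue
        findings.append({"type": "secret_access_key",
                         "value": value,
                         "line": _line_of(js_text, m.start(1))})
    return findings


def has_credential_pair(findings: List[Dict[str, object]]) -> bool:
    """True when both halves of a usable key pair were found in the same file."""
    return {"access_key_id", "secret_access_key"} <= {f["type"] for f in findings}


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan one downloaded .js file; decoding errors are replaced, not fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_aws_credentials(fh.read())


if __name__ == "__main__":
    # Usage: python aws_js_scan.py bundle1.js bundle2.js ...   (no args: scan the sample)
    targets = sys.argv[1:] or ["<sample>"]
    for target in targets:
        hits = find_aws_credentials(SAMPLE_JS) if target == "<sample>" else scan_file(target)
        for hit in hits:
            print(f"{target}:{hit['line']}: {hit['type']} = {hit['value']}")
        if has_credential_pair(hits):
            print(f"{target}: complete key pair present, verify with AWS CLI")
```

A hit is only a candidate until it is checked. The write-up verified the pair by configuring the AWS CLI and listing S3; the lower-impact first check is `aws sts get-caller-identity`, which reports the account and principal the key belongs to without touching any data. The same scanner run in CI against the build output before deployment is the preventive control the point above asks for: a bundle that contains a complete key pair should never reach a public web root.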
Hope this gives you some valuable information.