Identify the AWS Account ID from a Public S3 Bucket
Scenario
In a world increasingly reliant on cloud technologies, the ability to expose and leverage even the smallest oversights has become a coveted skill. Amidst this backdrop, a leading tech enterprise has reached out to your specialized cyber team for assistance and has provided the IP address of their website. Your objective? Use this IP to pinpoint their AWS account ID via a public S3 bucket so we can commence the process of enumeration.
Real-world context
If a hacker gets their hands on an AWS Account ID, they can try to figure out the IAM roles and users tied to that account. They can do this by taking advantage of the detailed error messages that AWS services spit out when an incorrect username or role name is supplied. These messages can verify whether an IAM user or role exists, which helps hackers compile a list of possible targets in the AWS account. It's also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns them.
Entry Point
The entry point we were given was a single IP address. As with most intrusions, let's start by seeing what services the IP address has exposed.
$ sudo nmap -sS -sV -sC -oA results -Pn 54.204.171.32
[sudo] password for cscogin:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 16:09 CST
...
...
Host is up (0.045s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Mega Big Tech
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.99 seconds
Off to a good start: we can see an HTTP server running on the IP address we were provided. The next step is to check out and enumerate the web server.
HTTP server enumeration
After visiting the site and doing some quick manual recon by inspecting the page source, we can easily see that all the images are served from an Amazon S3 bucket.
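Spotting the bucket references by hand works for one page, but it is worth knowing the different hostname styles S3 uses so none are missed. The following is an added example, not part of the original write-up: it pulls src/href values out of page markup and classifies the ones that point at S3 (virtual-hosted, regional, website and path-style endpoints), using constructed sample HTML in place of the lab's real page. The endpoint patterns are my assumption based on AWS's documented formats, and the bucket names are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# S3 hostname styles (assumed from AWS's documented endpoint formats):
#   virtual-hosted: <bucket>.s3[.-<region>].amazonaws.com, <bucket>.s3-website-<region>.amazonaws.com
#   path-style:     s3[.<region>].amazonaws.com/<bucket>/...
_REGION = r"(?P<region>[a-z]{2}-[a-z]+-\d)"
_VHOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
                    r"s3(?:-website)?(?:[.-]" + _REGION + r")?\.amazonaws\.com$")
_PATH = re.compile(r"^s3(?:[.-]" + _REGION + r")?\.amazonaws\.com$")

def classify_s3_url(url):
    """Return (bucket, region, style) if url points at S3, otherwise None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    m = _VHOST.match(host)
    if m:
        return m.group("bucket"), m.group("region"), "virtual-hosted"
    m = _PATH.match(host)
    if m:
        bucket = parsed.path.lstrip("/").split("/", 1)[0]  # first path segment
        if bucket:
            return bucket, m.group("region"), "path-style"
    return None

class _RefCollector(HTMLParser):
    """Collects src/href attribute values from every tag in the page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href", "data-src") and v]

def find_s3_buckets(html):
    """Map each bucket name to the set of (region, style) pairs seen in the markup."""
    collector = _RefCollector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        hit = classify_s3_url(url)
        if hit:
            found.setdefault(hit[0], set()).add((hit[1], hit[2]))
    return found

# Constructed sample markup standing in for the lab's real page source.
SAMPLE_HTML = """<html><body>
<img src="https://mega-big-tech.s3.amazonaws.com/images/logo.png">
<img src="https://s3.us-east-1.amazonaws.com/mega-big-tech/images/banner.jpg">
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<a href="https://other-assets.s3-website-us-west-2.amazonaws.com/">docs</a>
</body></html>"""
```

Calling find_s3_buckets(SAMPLE_HTML) groups the same bucket referenced in two different URL styles under one name, which is what you want before checking the bucket itself.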

After visiting the S3 bucket's URL we can see that it's just a listing of objects. There isn't much information here that helps us identify the account ID from the S3 bucket itself.

Alright, so where do we go from here? Let's try using the keys from the entry point.