recon_25 (S3)
View the exercise here: PentesterLab: Recon 25
For this challenge, your goal is to look at the server used to load assets (JavaScript, CSS) and find a file named key2.txt. However, this time you will need to be logged in to access it.
Amazon Web Services Storage Service (S3) allows file owners to set permissions on files. Historically, the rule "Any users" wasn't well explained and led a lot of people to think that only people in their own Amazon account could access a file. In fact, it allowed any AWS account to access the file.
It's essential to look for files that may be publicly available on the servers used to load assets.
View Page Source of hackycorp.com then open the links with assets on them
Remove the view-source: prefix and retain the http://assets.hackycorp.com
We need to find a file called key2.txt, so we try to access the path http://assets.hackycorp.com/key2.txt
Access is denied for this path, but the objective says that this file can be viewed by anyone with an AWS account.
So I created a temporary IAM user and produced access keys to be used in AWS CLI.
Using AWS CloudShell:
Enter the line below to access AWS CLI:
Type the Access Key ID & Secret Access Key
*Region name & Output format may be left blank
I tried aws s3 cp s3://assets.hackycorp.com/key2.txt ~/ but this is forbidden.
We need to set the permissions of the user first to view S3 buckets.
This is not best practice for setting permissions, but I’m doing it for this exercise only.
I tried listing the contents of assets.hackycorp.com...
...and using the line below, but Access is still denied.
So I tried copying the contents of assets.hackycorp.com/key2.txt to the machine, and we were successful.
Opening the contents of key2.txt, we get the flag.