Cloud Hacking: Hacking Amazon AWS (English, auto-generated transcript)

This episode of the cloud hacking series focuses on Amazon Web Services (AWS), exploring its functionalities and common misconfigurations. The discussion highlights the importance of Identity Access Management (IAM) and the risks associated with over-privileged users and credentials. Additionally, the episode includes demos on AWS services like S3 and Cognito, emphasizing security considerations and best practices.


Welcome back to episode 4 of the Cloud Hacking series. This episode is completely dedicated to AWS, so all we're going to do this episode is take a look at AWS, solve some labs that are hosted on an AWS infrastructure, and just specifically dedicate this whole entire episode to Amazon AWS. Let's roll it.

Hey Carlos, thanks again for meeting me. Around the last couple of episodes the theme so far has been: web2 and web3 infrastructures don't have a lot of differences, you know, you still rely on web2. I figured this episode we'll come back and talk about Amazon, exactly, as in specifically what Amazon is like. So before we jump into it, can you tell me, is it common to see a lot of your customers or these projects be on Amazon? Is it common, you still see that?

Yeah, so most of the clients at Halborn are actually using AWS, and it's fun because most of the services they use are also always going to be very, very similar. Potentially one of the most common ones is Amazon S3. S3 means Simple Storage Service, but this service stopped being simple years ago.

I mean, everything.

Exactly. Well, here is the place where you will be throwing some files, some documents you need, some logs even. It's like an FTP server, but it's supposed to be simpler, even though it's not that simple.

Yeah, I suppose that was the goal.

Yes, to have some place to store these documents, but then Amazon has like two or three other services to store documents in case you want to access them faster or slower, or more data or less data. Like, yeah, it stopped being simple, man.

When it comes down to just AWS, you mentioned S3. What are some of the other functionalities? Before we talk about the functionality, what are some of the core things? I know IAM is a big deal with AWS, right? IAM is how you manage all your roles and how the applications work and what they have access to. Before we do that, is that an accurate way of explaining IAM? Can you explain how IAM works and maybe what are some common mistakes you see with, you know, IAM roles?

Yeah, so IAM is potentially my favorite service in AWS. This is because it is impossible to use AWS without using IAM. This is the service, it means Identity Access Management, which means that you are going to be creating users, creating roles, groups, and assigning permissions via policies to these principals. The thing is that it's impossible to do anything in AWS if you specifically don't have the required permission. The thing is that when someone starts using AWS the idea is "this must be super simple, like I just want to spin up a machine, I just want to store some things, I want to run this script in a Lambda function", so most of the people start using AWS without even learning about AWS, so they are going to be giving over-privilege to these principals, and once things work usually they are not touched anymore. So the most common misconfiguration you will find in some AWS account is going to be over-privileged users, and it doesn't always have to be the case that the person didn't know what he was doing, but it could also be the case that maybe they gave this or this privilege to a user that needed it, but you know that companies grow, companies change, maybe people don't even work in the same account anymore but the privileges remain in there. So I think that the most common misconfiguration you're going to find in an AWS account is going to be that: over-privileged principals. It also makes it funny because the most common vulnerability to get entry in an AWS account is to find credentials, right? So if you combine both of them you're going to have an over-privileged leak of credentials to people.

I watched last episode, we pulled an IAM credential in one of the videos, and I think with what you were saying, when you go to like set up your role they give you so many options that it is so confusing, and I can see someone just going "oh, I want to have access to so many things", especially if they're new. There's just so many options, I feel like, when it comes to setting up and signing up a new user.

Yeah, moreover, when you want to give these permissions to a role or to a user, AWS has already created predefined sets of permissions to do something, with a name such as, I don't know, "EC2 instance to run other instances" or something like that, and oftentimes these roles predefined by AWS are going to be over-privileged themselves, so that also doesn't help.

So instead of like assigning it to a specific machine, so instead of assigning it to one EC2, you're assigning it to all the EC2 instances.

Yeah, yeah, that could be very bad.

We'll talk about this a little bit. Now that we can understand IAM, and then with IAM, when you go there are different services, right? You can click what service you want to have access to. What are some of the common services that you see being used by maybe your customers? You know, from a hacker's perspective, I see a lot of Lambda being used. S3 is a huge one, whether it's for static sites, for storage, or like uploading files. I know people use some databases on there. You know, IAM is a big one itself. I know they can do integration with GitHub and that kind of stuff that we talked about in the last episode too, but what are some other ones that you have seen that could be commonly used in AWS?

So definitely EC2 instances is something that everybody is using, and also you usually find either ECS for containers or EKS for Kubernetes. Those are two other very typical services. And another service that I like a lot: when people need to create these applications to allow people to log in, to have some user management, they usually will be using Cognito, which is amazing because for some reason AWS decided, I guess in order to give more power and versatility to the developers, to give IAM permissions to authenticated and unauthenticated users in Cognito applications, so people could be able to even access your account with Cognito credentials. I can understand the reasons, I don't think I will share them from a security point of view, and actually one of the demos we are going to be solving is about that, about how to get IAM credentials abusing Cognito applications.

Very cool. You mentioned EKS. I know there was recent research done on EKS, I think Lightspin did a cool write-up on owning some EKS stuff. We're not going to look at that, but you said we have Cognito as a demo. What was the other one?

Yeah, we are going to be taking a look at some S3 privilege escalation. Some very common thing, at least in the past, I think in the bug bounty world, was to find a lot of widely open buckets, so today we are going to be seeing not only a widely open bucket, but we are also going to be exploring some bucket ACL configurations in order to privesc inside the same bucket.

Yeah, for people that are watching and they're not familiar, the whole idea was you would find buckets, the storage buckets, where you could either just read all the files under, and people will have like their source code on there, they could have backups on there, it could be just your user data, or you can actually write to them, which was crazy because you can overwrite files, you can host, you know, JavaScript, probably HTML files, stuff like that. I don't think that's as common, from what I understand. Always, like, cloud providers, I don't want to give like bug bounties the credit for it, but there was so much research that came out of the bug bounty community that I feel like it forced a lot of these cloud providers to put things in place to stop that. You know, it has a huge warning now: "are you sure you want to make this public?", and for some reason people are still making them public. But yeah, if you're watching this, don't freak out, you know, these are things that you as an organization should put in place, it's not on Amazon or AWS themselves to do it, but they do have things in place that kind of stop you from by default giving access to read your bucket and that kind of stuff. So let's just jump into a demo and kind of see what it looks like, and then you can also tell us how we can privesc and, you know, move around a little bit from the S3 bucket.

Sounds good. So let me explain you first the setup I created in order to make the bucket fully accessible. So first of all, I generated this bucket with a very complex name so nobody was going to find it, so I could prepare the demo. We saw people actually exploiting this. I made it publicly accessible. As you said, it will just make very, very sure people know when a bucket is publicly accessible.

Yeah.

Just a joke, so you don't confuse. Also, you have to say that nowadays it's even complicated to make it publicly accessible, like you need to stop blocking, which is on by default, all these options, to make it accessible. I have also this bucket policy. So there are these services in AWS that not only support IAM permissions but also support ACLs, which means that inside the service, in the resource of the service, you can define a new policy to give permissions to other principals to access it. So in this case I have this ACL of S3 to, well, in this case, allow everyone to put a bucket ACL. This is the permission we are going to be exploring.

Okay, okay.

So what else do we have here? Well, the ACL I am allowing, and everyone can read the bucket ACL. So at this point in time we know that an unauthenticated principal is not going to be able to read the bucket, but it's going to be able to read the ACL and to put an ACL, so he's going to be able to escalate privileges in order to read the bucket, which is what we are going to be doing, but also he will be able to write on it.

Okay.

Nothing else interesting here, so let's go and check the demo. So I have prepared here some command lines. So first of all, the first thing we are going to be seeing is, well, this --no-sign-request basically means don't use any kind of credentials that this computer might have set up, so we are going to be accessing like an unauthenticated user, so the credentials that we imported in the last episode are going to be ignored just by putting --no-sign-request.

Yeah, and for the people that are watching, the "s3 ls s3://" is just how the AWS CLI works. You're telling it what service you want, what you want to perform, like, you know, what you want to execute, which is the listing of it. You can do things like copy, move and that kind of stuff. And you're saying the function again, or the service again, and then that giant thing is the bucket that you put in there. It's on your screen.

Okay, so now we are going to be taking a look at the ACL, because we said that we put a policy to allow to read the ACL. So again we are using --no-sign-request and we can take a look at AllUsers. This means anyone can, well, in this case, read the ACL. I don't know why this puts ACP instead of ACL, to be honest. And also, well, this is part of the account, so it's actually nothing that is taking place, because we are not any user inside the account.

And you can do this on any S3 bucket, to see their ACL, if that's enabled, right?

Yeah, okay, if they have a policy allowing list, you can take a look.

Actually, do you think this is something people usually don't look at?

It's very weird, very unexpected, but I haven't really seen people trying to privesc inside a bucket. As you said, you might try to read, you might try to write, but I haven't seen people trying to read the policies in order to see if they can privesc.

And this is something super easy to also automate, you just have to look for that keyword, right? You just kind of look for AllUsers in the URI.

Yeah. Okay, so now the fun part comes. So this is the policy we are going to be implementing. Actually, this is the policy, the start is the same thing we have here, so nothing new there, but in the Grantee, now, instead of allowing to read the ACL we are just going to give FULL_CONTROL to AllUsers, so we are going to be able to do anything. So let me create a file with this content.

I use Nano, I don't know what you use. Leave us a comment, tell us how we should be using them instead of Nano. Drop us a comment, let us know. Now you've created that file, so you called it your privesc-style.yaml and it's in your temp folder. So what you're doing here is you're doing the same thing, but you're using the put-bucket-acl operation and you're doing the access control policy and just feeding it where that is, right?

Yeah. This is terribly, terribly important: if you want to indicate a file in the AWS CLI, you need three slashes, not two. A lot of people confuse it and it's always a headache.

Yeah, it's the protocol and then the full path, starting with the root folder.

Yeah. So, okay, we have now already... we don't have any kind of output, so I'm going to suppose that it works. So if it works, we run that command again, where it says the list, and it should change it to the new one. So at the top we have that, and now we can see it added FULL_CONTROL.

Nice, okay.

It changed, definitely. So now we are going to do the first command here, because the first one failed when we did ls.

Yeah.

It should work. And now we have... Can you see it okay?

we're meant to see how common is this


we're meant to see how common is this

have you seen this in a lot of your uh


have you seen this in a lot of your uh

pen tests um so fortunately uh ACLS and


pen tests um so fortunately uh ACLS and

policies is something that most of the


policies is something that most of the

client doesn't even know about so that


client doesn't even know about so that

prevents them from putting this kind of


prevents them from putting this kind of

misconfiguration but I have seen a few


misconfiguration but I have seen a few

of them in a while wow um well it's


of them in a while wow um well it's

always interesting because it's a


always interesting because it's a

previous Insider service like people


previous Insider service like people

think in the AWS you can only previous


think in the AWS you can only previous

via AMS but actually there are a lot of


via AMS but actually there are a lot of

misconfigurations that could be abuse so


misconfigurations that could be abuse so

this is pretty much like you have to


this is pretty much like you have to

manually check for these different uh


manually check for these different uh

access controls right so I think it's


access controls right so I think it's

people that are watching this if you're


people that are watching this if you're

new
new

um good place to learn and like play


um good place to learn and like play

around with if you're already doing like


around with if you're already doing like

pen testing it's really easy to automate


pen testing it's really easy to automate

this I feel like you can just feed that


this I feel like you can just feed that

command into JQ and great for URI and if


command into JQ and great for URI and if

it's all users then you have something


it's all users then you have something

you know you have a lead pretty much


you know you have a lead pretty much

Yeah, exactly. So, creation to use. Cool. You mentioned Cognito. Yeah. What is Cognito at a high level, what is it used for, and what are we looking at today for it?

So Cognito, at a high level, it's a way to give developers inside AWS a very, very, very easy way to maintain, let's call it a user database. So you can allow your users to create their own user in your platform and store them in the Cognito user pool, and then allow them to log in. The thing is that it is possible, well, Cognito is separated into different pools: the identity pool and the user pool. The thing is that the identity pool is going to allow you to give IAM permissions to unauthenticated users just because they have, just because they know this ID that is publicly available. So anyone with that ID is going to be able to get credentials for that role. And then we have the user pool, which is where you can allow people to generate their own users to log in later, and then after login it's also possible in Cognito to configure a different role, so authenticated users will be able to get this one. I understand that the goal of this was, imagine that you want to store some information about the user, maybe some settings, maybe some, I don't know, user profile pics. Yeah. You could just create this S3 folder and each user could be able to write into it and generate its picture for their avatar, and this is a very, very easy way to get credentials, check if he has permissions to store the picture, and store it in S3. That makes everything easier, instead of generating other databases or creating other ways to check permissions. Yeah. Just using IAM permissions. The problem is that, as we have said before, IAM roles are usually over-privileged, so a lot of people might misconfigure this, and instead of giving permission to write only his picture, it might give permission to write any kind of data inside the S3 bucket, or even just give administrator privileges.

So it pretty much sits between AWS and the user as an authorization mechanism? Yeah. Okay.

Yeah, I know I've seen a talk on something similar to this somewhere. I'm gonna think of what it was, but okay, let's look at the demo. What is the, so what is the demo, what are we supposed to do with this demo that we're taking a look at?

So in this demo I created a couple of user pools and an identity pool. What we are going to be doing is obtain credentials for unauthenticated users and then for authenticated users. And we are not going to be solving the NahamCon EU 2022 CTF called Incognito Mode, but we are going to be solving maybe the main part of that. This challenge also has this path traversal vulnerability in order to exfiltrate all the configuration; we are not going to be taking a look at that, but we are going to be basing this demo on that.

So we'll explore the authentication part. Yeah, instead of doing the whole thing. Okay, let's take a look. Okay, so we're looking at a typical login page.

Yeah, so in NahamCon you could see this Cognito login page where you were expecting, well, to log in. Maybe people will start doing something like admin/admin. Obviously this shouldn't be working. The thing is that in this kind of CTF usually you will expect a register here, or something to do, or a vulnerability in the login, some SQL injection, etc. Something to do. The fun part, if we take a look at the source code, is that you are actually going to be looking at a very weird JavaScript, and I see why, because people playing CTFs are not used to using Cognito. So the fun part of this script is that you're going to be seeing, well, user, password, some weird client ID that looks like this kind of secret, and then, well, you're going to be getting the username, the password, and then you're going to be taking a look at this Lambda configuration. This is where the path traversal vulnerability lives; we are not going to be explaining this, but yeah.

That's a good point.

We are not going to be exploring this, but after you manage to get valid credentials you could get a password here. So just knowing this client ID, if the developer registers some IAM role to this Cognito identity pool, it is going to be possible to get some IAM credentials, and that's what we are going to be doing. Okay.

So if we go to the terminal and we also take a look at this, to discover, well, first of all we need to go to 10 Minute Mail and create a new email. Let me come here. No, this was on the page here, it's the mail. Okay, we have our mail. Now we are going to be using this long command line.

So what we're doing here, we are using the AWS CLI again and you're gonna use the Cognito service, you're going to give it the sign-up function, the client ID was in the source code, yeah, and the username you're gonna give it is superadmin12345 with the password, and what you're doing here is you're registering that user, is that right? Yeah. Okay, so, and then using the 10 Minute Mail just created to have a temporary email address, and you're just going to sign up and get emails there.
So yeah, so just because there's no sign-up on a page, it doesn't mean you can't sign up. Just if they're using Cognito, then you can do this operation and see if you can register a new account. Yeah.

It's a little bit more complicated. There are obviously ways to prevent people from creating their own account, yeah, and you can configure that. Also there are different ways to create an account, so this might not have worked; at another point you may need to know another secret. But there are different Cognito configurations, so you could be able to just create an account. You see a valid email, a password, and then the username. It's also important to know that I changed the username at the beginning because you will need to be using a unique one. Yeah. But in this case, well, just any username will do the trick. Okay.

The fun part is that people, developers, might think they are secure because, you know, after you create your account you need to verify it, but obviously the code to verify it is going to your email. So we should receive here an email with the verification code, and now we are going to be verifying our account with the username and confirmation code.

So same thing, AWS CLI, using the same operation, or same service, we're just doing the confirm-sign-up operation and we just got to give it the, we're going to pass it the code that we got on email. Let me check it myself. I'm gonna pass in the code, okay, and the username, and the client ID obviously. And with this we should be able to verify it, and now this is going to be a valid username.

So for example, superadmin1234. If we go back to the page, what we do, superadmin, pass this, should be working, and now we will be carrying this and we could be, well, this is not relevant for our demo, but it works. We managed to register a user.

Is it common for developers to leak that client ID?

Yeah, usually in a JavaScript file or, you know, HTML, you can always see it. Yeah, this is public information, so there is no way you can hide this if you want to be doing authentication inside the client side.

So if somebody comes across a web page where there's a client ID and they're using AWS, would the first step be trying and seeing if you can use Cognito to register a new account and look at the permissions?

I will definitely do that, and actually it's very easy to recognize, because you need to import a very specific library in order for all of this to work. So you take a look and you find the AWS SDK, it's highly probable that it is using this.

All the people that are into recon, all they have to do is write a nuclei template that matches that JavaScript file.

Actually that's true, actually that's true.

Is there more to the demo? Oh yeah, yeah. Okay, we're just getting started. Oh okay, okay. So now that we're logged in, what's next? Yeah, so yeah,

we are just getting started, and this was the first part of the demo. We managed to register this account; as we commented, it's not always going to be possible by default, there are different settings that you can use to prevent this. The next step of this demo is to manage to get an IAM role from knowing the identity pool ID, in this case the identity pool is this one. This is not part of the code we just saw before, but it's something that you can easily find in the wild. Actually, I learned this part in a BlackHat London talk, where this guy basically managed to find thousands of these IDs and just tried to get all the credentials, and with each credential tried to access EC2 instances, S3 buckets, and then prepared this kind of graph showing how many hundreds of accounts he managed to compromise just because of this.

So for this one specifically to work you have to have this ID, yeah, you have to get it in a leak somewhere, or maybe you find an application where in the logs it's leaked out. So this is nothing you can easily find, though, it's something you cannot easily find.

But actually this guy found thousands of those.

Yeah, so it's an arbitrary thing: if you find it, then you can try this attack with it, but it's not like the client ID, which is leaked on purpose. Got it, okay. Yeah, yeah, exactly.

So this is going to be pretty easy, just a couple of commands and you can check if we have enough permissions. Let me identify maybe a region, us-east-1. So we have the identity ID. This is something that we need to use to just get credentials for the identities, like this just generated some identity for us.

In fact, this is a really good thing that people that get on a pen test, it's more feasible to see this than on a bug bounty program, because, you know, with a pen test you can get access to these kinds of things, but with a bug bounty program it's a lot harder. For me, I'm just comparing that, you know, with how bug bounty hunters would look at these things. Okay, wow, and it gives you just credentials. We just have the token here.

So if I set them up in a profile, let's call this cognito one, similar to what we did last week. This is pretty much, you just pull credentials from it, and all you have to do is just authorize yourself, authenticate yourself into it, and see what you have access to, right? Basically a good way to look for this is people leak these in GitHub and GitLab and JS files and mobile applications; this is very common to find in mobile apps, even like Jenkins has a lot of, like, I don't know if that's a common word, not drinking, sorry. I feel like also with, like, debug code, sometimes they leave a lot of information, so you just have to find a way to find this. And as we're just looking I'm like, how would I look for this word anyway, you know, for Uber for example in a bug bounty program, I feel like I would just dumpster dive through all the GitHub repositories and write a regex search for this. Exactly, actually we should do that after this. Okay, cool.

So that's it, we just get access to this, and now we can pretty much either manually look for all the services it has access to, yeah, or you'll run something like Scout2 or whatever third-party tool you want, and then you just have it spit out what you have access to, and hopefully if you're on a pen test you have access to backups or something good, right?

Yeah, we are not going to be doing that, but at this point the red team exercise will start. Cool, that's awesome. Is there more to this? Yeah, just a little bit more. Okay, so wait, there's more? Just a little bit more.

Yeah, so previously we created this user, and as I told you there is a way to assign other IAM roles to generated users, so we are going to follow the same steps but with the generated user, one two three four, yeah. We need to specify the authentication flow, the client ID, this is the same one as previously, a password. So we get here a token to identify our identity; the ID token is what we are going to be using.

This is again the ID, this is the user pool ID. It's not going to be the same one as the one we used previously for getting unauthenticated access; again you will need to take a look for this information. Yeah. But when we have it, also another ID you will need is this one, which is more weird to find.

Why do we want to get this ID token under the request that you showed earlier? I mean, we get this ID token, why is that so important? So pretty much what I'm asking is why did you have to run this authenticating CLI?

So the first step is to authenticate to the user pool. For that you need to know the username and password, you need to have registered your own user, and you need to identify the authentication flow. So this is going to be giving you the ID we just saw previously, so this is what the user will be using to contact the web application to say hey, this is me, this is my user, like this is the JWT token it will be using for that.

So that's your authorization header, that's what you need that for? Okay.

Exactly, and then using that you could manage to get some IAM role credentials. In this case you are going to be needing the identity pool ID for the user pool, and then you need also the user pool ID, which is this part here, that is something more weird to find in the wild, but I guess something that you could also take a look for.

Yeah, I mean, if they leak this information it's going to be together, right? Yeah, if it gets leaked it's coming in documentation. So if you're a developer watching this, don't leave these things on GitHub. So we're gonna

first get the identity ID with the token that we have, right? Yeah, so we are going to be getting the token. The demo gods weren't with us, so we're making it work. Okay, so we run this command, we've got to add the region, --region us-east-1, and then what this is going to do is, using the Cognito identity, it's going to give us the identity ID that we need for our next command. So we've copied that into our next command right here, we have to put that in, we have to identify that, we need that for this to work, but we're using the same exact authentication or authorization code as in the last step, we're just switching the identity ID, right?

Yeah, so those are practically the same, just getting the ID that you want and then switching it. Yeah, this is because for Cognito you always need to have this identity ID, just like in the unauthenticated demo. So doing that we managed to get, as the last step, you just use these credentials to log in. Should we use them to show it? Yeah, we should.

Real fast, I also want to show that these are different roles, or I think they should be different roles. So let me copy-paste. Some people are watching and they can have different profiles, so we're just doing another one; our last ones that we got are up there. So this is how people could pretty much pivot, right? You can go from one set of keys, use those keys to get another ID, and from that ID you can get the next set of keys, right? Yeah. Wow.

So now we do aws --profile, sts get-caller-identity, and I guess that will depend on whether I have two different roles or one. I mean, those tokens kind of expired. Oh no, it hasn't expired. Next, it shows that you have, yeah, pool auth role, and then this one has unauth role. Yeah, so we managed in this case to get two different IAM roles to get into the account, so you will have two different entry points to exploit AWS, and the fun part is that both credentials were actually public. Yeah.

How common is this? Have you seen this in any of your pen tests that you have done?

In most of the ones that are using Cognito, so yeah, it's common.

nice okay is there anything is there any


nice okay is there anything is there any

more demo no I don't know of course if


more demo no I don't know of course if

you're watching this these are the first


you're watching this these are the first

one that we talked about the S3 bucket


one that we talked about the S3 bucket

is very common I've seen it a lot


is very common I've seen it a lot

happening with like just readable S3 so


happening with like just readable S3 so

I've never thought about their profiles


I've never thought about their profiles

and cognitos are really big new thing


and cognitos are really big new thing

for me so I'm going to try and look at


for me so I'm going to try and look at

these and I'll definitely you know if


these and I'll definitely you know if

they work in any other bug pattern stuff


they work in any other bug pattern stuff

that I do
that I do

cool uh if you're watching this you want


cool uh if you're watching this you want

to learn more come back next week we're


to learn more come back next week we're

going to look at gcp I feel like gcp and


going to look at gcp I feel like gcp and

AWS are kind of similar but also very


AWS are kind of similar but also very

different yeah in a lot of ways hacking


different yeah in a lot of ways hacking

is very similar I kind of feel like the


is very similar I kind of feel like the

some of this stuff is very similar but


some of this stuff is very similar but

um the infrastructure itself is


um the infrastructure itself is

different right so we'll take a look at


different right so we'll take a look at

that next week cool that was all of it


that next week cool that was all of it

and that's it there's one more episode


and that's it there's one more episode

for now that's coming out next week


for now that's coming out next week

that's going to be focused on gcp or


that's going to be focused on gcp or

Google Cloud platform and we're going to


Google Cloud platform and we're going to
take a look at different ways you can
take a look at different ways you can

hack into a gcp account some common


hack into a gcp account some common

vulnerabilities and just completely


vulnerabilities and just completely

dedicated to gcp and learn from Carlos


dedicated to gcp and learn from Carlos

on how to do these things so for now I


on how to do these things so for now I

will see you all next week


will see you all next week
