Using cloud_enum to Find S3 Buckets and More
S3, first introduced in 2006, is one of Amazon Web Services’ most popular services. This simple and fast cloud object solution has undoubtely made development, file sharing, content-delivery, and much more seamless for its users across the years. However, this flexibiltiy and arguably confusing design has led to some of the biggest data breaches ever seen. With this in mind, let’s walk through why I like using cloud_enum to find S3 buckets and other goodies.
Windows is cool because the hashes of passwords can actually be directly used to authenticate to services. That’s right, an adversary does not need to crack the hashes of passwords offline with an expensive password cracking rig, they can just directly authenticate using the hash. This technique is often called passing-the-hash, and we will explore a few methods you can use to perform this lateral movement technique.
ScoutSuite is a multi-cloud security auditing tool written by the wonderful folks over at NCC group. I use it heavily, so I wanted to do a quick guide on getting it configured and running it in your own environment.
The data and reports it generates is extremely useful from both an offensive and defensive perspective, and I trust that you’ll feel the same way after using it in your own platform.
Password spraying is the process of brute-force guessing passwords against a list of accounts either externally or internally. Adversaries use this tactic to attempt to establish initial access within an organization and/or laterally move to alternate identities within a network.
The process of getting started password spraying is surprisingly easy. This is in part thanks to the prevalence of remote-work solutions that have created the need to allow users to authenticate from pretty much anywhere. Cloud services such as Office365 actually assist the password spraying process, by providing a reliable, centralized location that can be used to attempt to breach a company’s accounts.
Every year countless data breaches occur.
From 700 Million LinkedIn users’ information getting leaked sometime between 2020 and 2021, to at least 500 million Yahoo accounts information being breached in 2014, to the notable 2017 Equifax data breach which impacted millions of individuals, it’s safe to say that breaches are a part of the everyday news cycle in the present day.
These breaches contain a wide variety of data that has a variety of use cases. Social security numbers and credit card information can lead to fraud, age information and phone numbers can lead to targeted phishing attacks, and usernames and passwords can lead to… what exactly?
“Since it first launched over 10 years ago, the Amazon EC2 Instance Metadata Service (IMDS) has helped customers build secure and scalable applications. The IMDS solved a big security headache for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances manually or programatically. “
However, as you may have noticed, the Metadata service possesses one unique characteristic that is useful to attackers. Along with providing information access to the given instance, it also provides credentials.
Why does this matter?
Active Directory is a platform that has received plenty of attention from adversaries and operators over the years. It has a rich history of exploitaiton methodologies, and new abuse mechanisms and regularly released by security researchs. Combine these factors with the prevalence that it is encountered within organizations, and you can quickly see why it’s a favorite target for attackers.
There are a plethora of toolsets, cheatsheets, and enumeration options for Microsoft’s flagship directory service. Let’s outline a few of our favorite tools (hint: BloodHound) one can use to begin enumerating an Active Directory environment.
Kerberoasting is the attack that keeps on giving for adversaries and penesters alike. First documented in 2014 by Tim Medin, Kerberoasting is a tactic that can be used after an intial compromise to gain access to alternate accounts in an Active Directory domain. It has proven to be extremely potent in environments across the globe, and there’s a reason why it’s still worth talking about eight years after it’s initial (public) discovery. I’ll walk through an attack path that closely resembles ones I’ve used in the wild.
I’ll talk through how one can use LinkedIn to gather listings of usernames and email addresses that can be combined with password spraying tactics. For demonstration of password spraying, we’ll target internal Active Directory services with the Talon toolset written by Tylous. I’ll also document some of the extra functionality I added to the tool that is now included in the main version.
FristiLeaks 1.3 is a VulnHub box that I used to prepare for the OSCP exam. It’s by far one of my favorite VulnHub boxes I’ve done, as it involves some fun and simple reversing/code analysis. It also involves practice hopping around and enumerating a Linux environment from the perspective of multiple users, and requires some creative thinking.The challenge begins by using some simple guesswork to find a login portal. The source code of this login portal cotains an HTML comment that leaks a base64 encoded image. After decoding the image, we are able to gather the password used to login to web application. We exploit the web application’s upload functionality to upload a PHP reverse shell and get a reverse shell. Privilege escalation involves abusing a cronjob, reversing a simple python cryptography algorithm, reusing passwords, and a sudo misconfiguration to finally gather root.
Kioptrix Level 1.3 is the fourth iteration of the Kioptrix VulnHub challenges. It involves taking advantage of a SQL injection vulnerablility to login to a simple web application that leaks user credentials. Using these credentials we can connect to the box via SSH. Unfortunately, our SSH sessions spawn a restricted shell with very limited command availability. We use echo to spawn a full bash shell and escape these confines, from which we enumerate the box and find MySQL credentials. MySQL is running as root and we are able to use sys_exec to set the setuid bit on /bin/bash. From here we can simply execute the binary and receieve a root shell.
Kioptrix Level 1.2 continues the Kioptrix VulnHub series, and provides great experience with reusing credentials, attacking common web applications, and cracking hashed passwords. We start by exploiting LotusCMS to get a shell as www-data. From there, we find MySQL credentials that we use to login to phpMyAdmin and dump hashed user passwords. Finally, after cracking and logging in using these credentials, we exploit a sudo misconfiguration that allows us to privilege escalate using the ht text editor.
Kioptrix Level 1.1 is the next box in the series of Kioptrix VulnHub boxes. This box ups the ante from its predecessor, beginning with a simple SQL injection exploit to gain access to a web console. The web console can be bypassed to execute code, which we use to get a simple reverse shell. Finally, we successfully privilege escalate to root using a kernel exploit. As with the entire Kioptrix series, this challengs is pretty outdated, and the real-world applicability is questionable, but it’s great OSCP prep and learning material.
Kioptrix Level 1 is a simple boot-to-root VulnHub box that is vulnerable to a remote code execution vulnerability impacting its Samba service. This box is a great beginner test to learn basic port enumeration and exploitation.
How I used Python and Google’s Places API to farm phone numbers. Walk through my thought process of taking a problem, attacking it with Python and the (expensive) Google Places API to reach a workable solution.
An overview and review of Zero-Point Security’s (A.K.A. RastaMouse) newly revamped Certified Red Team Operator (CRTO) certification, and why you might want to pursue it.