Level 3: Leaked Secrets
Task
The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you'll find something that will let you list what other buckets are.
Resolution
Listing the Level 3 Bucket: The first step is to list the Level 3 bucket:
aws s3 --profile default ls s3://<url>.flaws.cloud
As we can see, there is a .git folder.
To avoid running ls on every folder and subfolder, it's better to download the entire bucket locally for easier navigation. To do this, we use the sync command, which needs both a source and a local destination (here a flaws/ directory):
aws s3 --profile default sync s3://<url>.flaws.cloud flaws
Navigating the Bucket: Now, we go into the flaws/ folder:
cd flaws
While exploring, we find the following:
It seems there was a commit that added data that shouldn't be there. Let's check the commit history:
git log
Comparing Commits: The file was added in the earlier commit and is gone from the working tree, so we compare the previous commit against the current one (a bare git diff only compares the working tree with the index and shows nothing here):
git diff HEAD~1 HEAD
Configuring AWS with the Keys: Now that we have the keys, we need to add them to our AWS configuration. Using a named profile keeps the default profile intact:
aws configure --profile <profile>
Listing the Buckets: Finally, we list the buckets with the leaked key:
aws s3 --profile <profile> ls
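The steps above can be automated. The following is an added example, not code from the flaws.cloud walkthrough: a scanner that runs over a synced .git directory and pulls every AWS access key ID out of the full history, including files that a later commit deleted, plus a helper that shows which commits introduced and removed each key. It assumes git is installed; the demo repository it builds is constructed data, and the key value is the AWS documentation placeholder AKIAIOSFODNN7EXAMPLE, not a real credential.

```shell
#!/bin/sh
# Added example (not part of the flaws.cloud page): hunt for AWS access key
# IDs in a git history, where "deleted" files still live.
# Assumes: git is installed; the demo key below is the AWS docs placeholder.

# Print every unique AWS access key ID found anywhere in the repository
# history. Long-term key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 uppercase alphanumerics.
find_aws_keys_in_history() {
    repo="$1"
    git -C "$repo" log -p --all 2>/dev/null \
        | grep -oE '(AKIA|ASIA)[0-9A-Z]{16}' \
        | sort -u
}

# Show which commits changed the number of occurrences of a key, i.e. the
# commit that added it and the commit that "removed" it.
commits_touching_key() {
    repo="$1"; key="$2"
    git -C "$repo" log --all --oneline -S"$key"
}

# Build a throwaway repo that mimics the Level 3 bucket: a credentials file
# is committed, then deleted in a follow-up commit. Constructed demo data.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'access_key AKIAIOSFODNN7EXAMPLE\nsecret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' \
        > "$dir/access_keys.txt"
    git -C "$dir" add access_keys.txt
    git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
        commit -q -m 'first commit'
    git -C "$dir" rm -q access_keys.txt
    git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
        commit -q -m 'remove credentials file'
    printf '%s\n' "$dir"
}

# Usage against a bucket synced as in the walkthrough:
#   find_aws_keys_in_history ./flaws
#   commits_touching_key ./flaws AKIAIOSFODNN7EXAMPLE
```

Deleting a file and committing does not remove it from the repository: git log -p --all still walks the old blob, which is exactly why the leaked key in this level is recoverable. The scan only covers commits reachable from some ref; objects that were unreferenced but never garbage-collected need git fsck --lost-found to surface.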
Lesson Learned
People often leak AWS keys and then try to cover up their mistakes without revoking the keys. You should always revoke any AWS keys (or any secrets) that could have been leaked or were misplaced. Roll your secrets early and often.
Examples of this problem
Instagram's Million Dollar Bug: In this must-read post, a bug bounty researcher uncovered a series of flaws, including finding an S3 bucket that had .tar.gz archives of various revisions of files. One of these archives contained AWS creds that then allowed the researcher to access all S3 buckets of Instagram. For more discussion of how some of the problems discovered could have been avoided, see the post "Instagram's Million Dollar Bug": Case study for defense
Another interesting issue this level has exhibited, although not that worrisome, is that you can't restrict the ability to list only certain buckets in AWS, so if you want to give an employee the ability to list some buckets in an account, they will be able to list them all. The key you used to discover this bucket can see all the buckets in the account. You can't see what is in the buckets, but you'll know they exist. Similarly, be aware that buckets use a global namespace meaning that bucket names must be unique across all customers, so if you create a bucket named merger_with_company_Y or something that is supposed to be secret, it's technically possible for someone to discover that bucket exists.
Avoiding the mistake
Always roll your secrets if you suspect they were compromised or made public or stored or shared incorrectly. Roll early, roll often. Rolling secrets means that you revoke the keys (i.e. delete them from the AWS account) and generate new ones.
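What "rolling" a leaked IAM access key looks like in practice, as an added example that is not part of the flaws.cloud page: identify the owning user from the leaked key itself, create the replacement first, deactivate the old key (reversible, so anything still using it fails loudly and can be re-enabled while you track it down), and only then delete it. The functions use real aws CLI subcommands and flags; the AWS_CLI variable, the profile and user names, and the key values are assumptions for illustration, and AWS_CLI exists so the functions can be exercised against a stub without touching a real account.

```shell
#!/bin/sh
# Added example, not the page's own code. Rotates a leaked IAM user access
# key in the order that avoids an outage. AWS_CLI defaults to the real aws
# binary; a test can point it at a stub (assumption: the stub is ours).
AWS_CLI="${AWS_CLI:-aws}"

# The leaked key tells you who it belongs to: the caller ARN ends in
# user/NAME. $1 is the CLI profile that holds the leaked key.
key_owner_user_name() {
    arn=$("$AWS_CLI" --profile "$1" sts get-caller-identity \
        --query Arn --output text) || return 1
    printf '%s\n' "${arn##*/}"
}

# Create the replacement key. AWS returns the secret exactly once, so print
# "KEY_ID<TAB>SECRET" for the caller to store in its secret store.
create_replacement_key() {
    "$AWS_CLI" iam create-access-key --user-name "$1" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Deactivate before deleting: an inactive key is rejected like a deleted one
# but can be re-enabled if something unexpected still depends on it.
deactivate_key() {
    "$AWS_CLI" iam update-access-key --user-name "$1" \
        --access-key-id "$2" --status Inactive
}

# Once nothing depends on the old key, delete it for good.
delete_key() {
    "$AWS_CLI" iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Full rotation for IAM user $1 whose key $2 leaked. Prints the new key ID.
rotate_access_key() {
    user="$1"; old_key="$2"
    new=$(create_replacement_key "$user") || return 1
    new_id=$(printf '%s\n' "$new" | cut -f1)
    # ...deploy $new (ID and secret) wherever the old key was configured...
    deactivate_key "$user" "$old_key" || return 1
    delete_key "$user" "$old_key" || return 1
    printf '%s\n' "$new_id"
}

# Usage, with the leaked key configured under the profile "leaked"
# (assumed name) and an admin credential as the default profile:
#   user=$(key_owner_user_name leaked)
#   rotate_access_key "$user" AKIAIOSFODNN7EXAMPLE
```

Two caveats a practitioner will hit: an IAM user may hold at most two access keys, so if the user already has two the create step fails and an already-inactive key must be deleted first; and deleting the key does not undo what was done with it, so pair the rotation with a CloudTrail review of the key's activity.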