Luke Vaccarella

Hacking the Cloud

lukevacc

Today I completed the flAWS hacking chllenge. This challenge is focused on exploting common cloud misconfigurations within Amazon Web Services (AWS). The biggest explit within AWS stems from a problem with s3 buckets. Amazon s3 is essentially Amazon’s version of Google Drive or MIcrosoft’s One Drive. The biggest reason companies get hacked is because configuring security for s3 buckets can be quite complex. In the process of trying to allow access while blocking everything else, you might accidentally let some things through, which is what tends to happen more often then companies would like.

In order to combat this problem, Amazon has put new default configuration settings on the creation of new s3 buckets in order to promote more security. The problem with this is that they can’t go in and change all of the old buckets missing these default settings, so individuals and companies with could have older s3 buckets floating around the internet completley prone to hackers with mal intent. This challenge was a really cool project to get my ethical haking career started. In order to exploit the misconfigurations, I used my linux terminal to run a nslookup on the website. With the website’s ip address, I was able to run a reverse nslookup to find out that the website was in fact an s3 bucket. With this information, I then used the command –no-sign-request and ls to list the files, and because of the misconfiguration, I was able to open the secret file, and complete the first challenge

The second task was a bit more challenging, but required many of the same steps. This second challenge revolved around a common misconfiguration that wold allow any AWS account access to files. To comlete this challenge I used all steps from the first challenge, but instead of using the command that requires no user credentials, I typed in my AWS credentials, ran LS, and BOOM, I had the second secret file to complete the second challenge.

While they were small seemingly small challenges, I learned a larage amount. This project showed me that human error in configuring technology can be a root cause of data breaches.

The impact of misconfiguration depends on the bucket’s contents. If the bucket has sensitive data, the attacker can:

  • Dump the data of the Bucket (Data Breaches)
  • Compromise the Integrity of files
  • Remove files from the Bucket
  • Upload Malicious files into the bucket.

All of which, are not ideal for large multi-billion dollar companies

Overall, I found the challenge quite educational and fun. It was a great way to use the skills I have gained from my education, and apply them in real world scenarios.

Leave a Reply

Your email address will not be published. Required fields are marked *