AWS Penetration Testing – Secrets Manager

AWS Secrets Manager stores, rotates and serves database credentials, API keys and other secrets across their lifecycle. Values are encrypted at rest under an AWS KMS key, decrypted only when a caller retrieves them, and returned to the caller over TLS.

Due to the valuable information stored within Secrets Manager, it can be a treasure trove for any penetration tester.

Exploring Secrets Manager

If the current principal holds secretsmanager:ListSecrets, every secret in the region can be listed (the call is per region, so repeat it with --region for each region in scope). The listing shows each secret's name, ARN, creation date and last-changed date but never its value; the dates are useful for narrowing down which secrets are still in active use.

terminal$ aws --profile arctil secretsmanager list-secrets
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:2906688955117:secret:SQLDatabaseCreds-DJpe4m",
            "Name": "SQLDatabaseCreds",
            "LastChangedDate": 1702599109.304,
            "Tags": [],
            "SecretVersionsToStages": {
                "90011a7-09a2-3456-klb9-3a86t39dad21": [
                    "AWSCURRENT"
                ]
            },
            "CreatedDate": 1702599109.269
        }
    ]
}

The output above shows a single stored secret, SQLDatabaseCreds. With the name in hand, the individual secret can be fetched to reveal its contents in plain text. get-secret-value requires --secret-id, which accepts either the full ARN or the friendly name. Reading a value is a separate permission from listing (secretsmanager:GetSecretValue, plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key), so a principal that can enumerate names is not necessarily able to read them.

terminal$ aws --profile arctil secretsmanager get-secret-value --secret-id SQLDatabaseCreds
{
    "ARN": "arn:aws:secretsmanager:us-east-1:2906688955117:secret:SQLDatabaseCreds-DJpe4m",
    "Name": "SQLDatabaseCreds",
    "VersionId": "78011a7-08i2-1456-iob9-3a86t39dad21",
    "SecretString": "{\"username\":\"john\",\"password\":\"jonnyboi89\",\"engine\":\"mysql\",\"host\":\"127.0.0.1\",\"port\":\"3099\",\"dbname\":\"testerdb\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1702599109.3
} 

Once the secret has been specified its contents are returned. A text secret arrives in the SecretString field (here a JSON object carrying the database host, port, username and password), while a binary secret would instead arrive base64-encoded in a SecretBinary field. If an older version is still attached to the secret it can be pulled with --version-stage AWSPREVIOUS, and old credentials are sometimes still valid. Every retrieval is recorded as a GetSecretValue event in CloudTrail, so defenders can see it. Using the recovered credentials it may be possible to authenticate to another service and enumerate the cloud environment further.
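As an added example (not code from the original page), the Python helper below post-processes the two CLI outputs shown above: it ranks the list-secrets output by last-changed date, notes which secrets still carry an AWSPREVIOUS version, generates the get-secret-value commands to run next, and normalises each response whether the value came back as a JSON SecretString, a plain string or a base64 SecretBinary. The sample responses, the LegacyApiKey secret, the binary secret and the placeholder account and version IDs are constructed for the example; the profile name arctil is the one used on this page.

```python
"""Triage AWS Secrets Manager CLI output during a pentest.

Added example, not code from the original page. It assumes the JSON from
`aws secretsmanager list-secrets` and `get-secret-value` has been saved or
piped in; the sample responses below are constructed to mirror the page's
output (placeholder account and version IDs) so the script runs offline.
"""
import base64
import datetime as dt
import json

# Constructed list-secrets output: the page's secret plus one that still
# carries an AWSPREVIOUS version, whose older value may also still work.
LIST_SECRETS_JSON = json.dumps({"SecretList": [
    {"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:SQLDatabaseCreds-DJpe4m",
     "Name": "SQLDatabaseCreds", "LastChangedDate": 1702599109.304,
     "CreatedDate": 1702599109.269,
     "SecretVersionsToStages": {"ver-current": ["AWSCURRENT"]}},
    {"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:LegacyApiKey-Ab12Cd",
     "Name": "LegacyApiKey", "LastChangedDate": 1672531200.0,
     "CreatedDate": 1640995200.0,
     "SecretVersionsToStages": {"ver-old": ["AWSPREVIOUS"], "ver-new": ["AWSCURRENT"]}},
]})

# Constructed get-secret-value outputs: a JSON SecretString like the page's,
# and a binary secret, which the CLI emits base64-encoded in SecretBinary.
GET_SQL_JSON = json.dumps({
    "Name": "SQLDatabaseCreds", "VersionStages": ["AWSCURRENT"],
    "SecretString": json.dumps({"username": "john", "password": "jonnyboi89",
                                "engine": "mysql", "host": "127.0.0.1",
                                "port": "3099", "dbname": "testerdb"})})
GET_BIN_JSON = json.dumps({
    "Name": "TlsPrivateKey", "VersionStages": ["AWSCURRENT"],
    "SecretBinary": base64.b64encode(b"\x00\x01binary-key").decode()})


def triage_secret_list(list_output):
    """Return secrets most recently changed first, flagging spare versions.

    A recently changed secret is more likely to be live; one that still has
    an AWSPREVIOUS stage has an older value worth pulling too.
    """
    rows = []
    for s in json.loads(list_output)["SecretList"]:
        stages = sorted({st for sts in s.get("SecretVersionsToStages", {}).values()
                         for st in sts})
        changed = dt.datetime.fromtimestamp(s["LastChangedDate"], dt.timezone.utc)
        rows.append({"name": s["Name"], "changed_epoch": s["LastChangedDate"],
                     "last_changed": changed.date().isoformat(), "stages": stages,
                     "has_previous": "AWSPREVIOUS" in stages})
    rows.sort(key=lambda r: r["changed_epoch"], reverse=True)
    return rows


def retrieval_commands(rows, profile="arctil"):
    """Build the get-secret-value commands to run next, one per stage of interest."""
    cmds = []
    for r in rows:
        base = (f"aws --profile {profile} secretsmanager get-secret-value "
                f"--secret-id {r['name']}")
        cmds.append(base)
        if r["has_previous"]:
            cmds.append(base + " --version-stage AWSPREVIOUS")
    return cmds


def extract_secret(get_output):
    """Normalise one get-secret-value response into {name, stages, kind, value}.

    SecretString is treated as JSON only when it parses to an object (a bare
    numeric password would otherwise be mis-parsed); SecretBinary is
    base64-decoded back to the original bytes.
    """
    resp = json.loads(get_output)
    out = {"name": resp["Name"], "stages": resp.get("VersionStages", [])}
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = None
        out["kind"], out["value"] = ("json", parsed) if isinstance(parsed, dict) else ("string", raw)
    elif "SecretBinary" in resp:
        out["kind"], out["value"] = "binary", base64.b64decode(resp["SecretBinary"])
    else:
        raise ValueError(f"{resp['Name']}: neither SecretString nor SecretBinary present")
    return out


if __name__ == "__main__":
    ranked = triage_secret_list(LIST_SECRETS_JSON)
    for r in ranked:
        print(f"{r['last_changed']}  {r['name']:<18} stages={','.join(r['stages'])}")
    print("\n".join(retrieval_commands(ranked)))
    for raw in (GET_SQL_JSON, GET_BIN_JSON):
        found = extract_secret(raw)
        print(found["name"], found["kind"], found["value"])
```

In practice the two constants are replaced by reading the files produced by the real CLI calls (for example, aws --profile arctil secretsmanager list-secrets > secrets.json), and the generated commands are run one at a time so that each GetSecretValue event in CloudTrail is a deliberate choice rather than a noisy sweep.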




Up Next “CloudTrail”
