PT07 20 Aws Pentesting Preview


EDITORIAL Team

Managing Editor

Bartłomiej Adach
bartek.adach@pentestmag.com

Proofreaders & Betatesters

Lee McKenzie, Bernhard Waldecker, David Molik, Avi Benchimol, Girshel Chokhonelidze, David von Vistauxx, Kevin Goosie, Paul Mellen, Robert Fling, Craig Thornton, Da Co

Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their
assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher

Paweł Marciniak

CEO

Joanna Kretowicz

joanna.kretowicz@pentestmag.com

DTP

Bartłomiej Adach

bartek.adach@pentestmag.com

COVER DESIGN

Hiep Nguyen Duc

PUBLISHER
Hakin9 Media Sp. z o.o.
02-511 Warszawa
ul. Bielawska 6/19
Phone: 1 917 338 3631
www.pentestmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or consequent data loss.

1
Dear PenTest Readers,

While the Summer is still on, it’s worth remembering that soon enough it will be Autumn, and
then things usually get a bit cloudy. That’s why in the current edition we take a closer look at
AWS pentesting. All pentesters are undoubtedly aware of the fact that methodologies for ethical
hacking of the AWS cloud differ from the standard procedures of assessing vulnerabilities,
according to the company policies.

Our contributors present you with practical tutorials on useful (and legitimate!) techniques and
tools, such as PACU exploitation framework, cognitive hacking, test scenarios, and
recommendations to prevent certain types of attacks.

If you would like to learn about something other than AWS pentesting, there is also a fine bunch of articles
and write-ups on other cybersecurity topics! Inside, you will find a great tutorial on stack-based
buffer overflow for Windows 32-bit systems, a fantastic article on Privileged Access
Management, a piece on footprinting and reconnaissance for OSINT enthusiasts, a thorough
guide to post-exploitation techniques in your pentests, an interesting article on risk assessment
strategies in OT environments using the example of CIARA, a tool designed to help with such
complex tasks, and an interview with a highly skilled and experienced pentester, Jeremy Walker,
who is one of our regular contributors.

Special thanks to all authors, reviewers, and proofreaders who helped in the creation of this edition.

Without further ado,

Let’s dive into the reading!

(but don’t forget to also enjoy the rest of the summer while it lasts :) )

Have a great read,

PenTest Magazine’s Editorial Team

Contents

Pentesting the Cloud (Staford Titus) 4

PACU: The AWS Exploitation Framework Equivalent to METASPLOIT (Jhansi Jonnakuti) 24

Advanced Techniques to Pentest Web and Mobile Applications Hosted in Cloud Environment (Baalaaji S) 37

Cognitive Hacking of a resource in AWS Cloud (Jamel Metmati) 44

Windows Exploit Development: Stack-Based Buffer Overflow - Part 1 (Vinicius Vieira) 48

Post Exploitation Techniques for Penetration Test (Rafael Silva) 60

Privileged Access: How Many Keys to Your Kingdom, and Where Are They? (Robbie Harriman, Scott Goodwin, Anthony Lucia, Jill Kamperides, Michael Huffman) 69

Information Gathering: Footprinting (Rakesh) 81

Risk Assessment Strategies for OT Environments (Rani Kehat) 91

“Technology is a rocket ship and training is a bus” - An Interview with Jeremy Walker 104
Advanced Techniques to Pentest Web and Mobile Applications Hosted in Cloud Environment

Baalaaji S

Baalaaji S has 4+ years of experience in the information security domain.
Currently associated with Netaccess-India. My interests revolve around
penetration testing, reverse engineering and fuzzing of web, mobile
and client-based applications. My findings and recommendations
reported to banking and insurance related products were accepted.

I am reachable on https://www.linkedin.com/in/baalaaji-s-42956138

The article presents a couple of test scenarios with attacks on weakly configured
cloud services, including cloud infrastructure, cloud web application, and API Key in
a mobile application.

Introduction to types of Cloud Service

Cloud computing comprises three types of service: software-as-a-service (SaaS), infrastructure-as-a-
service (IaaS), and platform-as-a-service (PaaS).

• Software-as-a-service (SaaS) involves the licensing of a software application to customers. Licenses are
typically provided through a pay-as-you-go model or on demand. This type of system can be found in
Microsoft Office 365.

• Infrastructure-as-a-service (IaaS) involves a method for delivering everything from operating systems to
servers and storage through IP-based connectivity as part of an on-demand service. Clients can avoid the
need to purchase software or servers, and instead procure these resources as an outsourced, on-demand
service. Popular examples of IaaS include IBM Cloud, Microsoft Azure, and Amazon Web
Services (AWS).


• Platform-as-a-service (PaaS) is considered the most complex of the three layers of cloud-based
computing. PaaS shares some similarities with SaaS, the primary difference being that instead of delivering
software online, it is actually a platform for creating software that is delivered via the Internet. This model
includes platforms like Force.com and Heroku.

Test scenario to perform an attack on weakly configured cloud infrastructure

This scenario applies to a misconfigured IAM user in the AWS environment. The cloud asset owner has
deployed a web application in the AWS environment allocated to them.

The Virtual Private Cloud resources required for the scenario are as follows:

• ELB x 1 - Elastic Load Balancer

• EC2 x 1 - Elastic Compute Cloud

• S3 x 3 - Simple Storage Service

• RDS x 1 - Relational Database Service

• IAM x 2 - Identity and Access Management users

Stage 1:

The attacker finds a way to target an IAM user, gains access to that user’s profile, and then enumerates the
contents of the S3 bucket using the command below:

aws s3 ls s3://<bucket> --recursive --profile IAM1

Stage 2:

An attempt is made to copy the contents of the IAM user’s bucket from the cloud to the local system:

aws s3 cp s3://<bucket> ./<local_dir> --recursive --profile IAM1

Stage 3:

The downloaded bucket contents are searched for a pair of SSH keys. The attacker discovers that the SSH key
found in the S3 bucket allows logging in to the EC2 instance:

ssh -i <cloud_instance_key> <os_user>@<ec2_ip>


Stage 4:

User2 has now successfully logged in with IAM user 1’s account. User2 monitors the log, finds user1’s website
admin details such as the host address, and tries to copy the web application database to the local system using
the command below:

aws s3 cp s3://<bucket>/db.access ./db1.access --profile IAM1

Stage 5:

User2 executes an SQL query from the acquired instance to make changes in the web application database:

mysql -h <rds_host> -u <db_user> -p -e 'DROP DATABASE `db.access`;'

Recommendation to prevent attack

A cloud monitoring system should be implemented by the cloud owner to monitor IAM user activity; this helps
a forensic analyst investigate and identify the root cause of a user account compromise.

Two-factor authentication should be enabled for all cloud users.
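As a defender-side illustration of the monitoring recommendation above, here is an added example (not from the article) that scans CloudTrail-style records for the pattern of Stages 1 and 2: an IAM user listing a bucket and then bulk-downloading objects from it, on a session without MFA. The records, the bucket and user names, and the download threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not real logs): IAM user
# IAM1 lists a bucket and then pulls objects from it with no MFA on the session.
def _event(time, name, user, mfa, bucket, key=None):
    params = {"bucketName": bucket}
    if key:
        params["key"] = key
    return {"eventTime": time, "eventSource": "s3.amazonaws.com",
            "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
            "requestParameters": params}

SAMPLE_EVENTS = (
    [_event("2020-07-01T10:00:01Z", "ListObjects", "IAM1", "false", "app-bucket")]
    + [_event(f"2020-07-01T10:00:{s:02d}Z", "GetObject", "IAM1", "false",
              "app-bucket", f"keys/file{s}") for s in range(2, 14)]
    + [_event("2020-07-01T10:05:00Z", "GetObject", "IAM2", "true",
              "app-bucket", "site/index.html")]
)

GET_THRESHOLD = 10  # assumed tuning value: bulk GETs look like `aws s3 cp --recursive`

def mfa_present(event):
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def detect_s3_abuse(events, threshold=GET_THRESHOLD):
    """Return (user, finding) tuples for suspicious IAM-user S3 activity."""
    stats = defaultdict(lambda: {"listed": set(), "gets": defaultdict(int), "no_mfa": 0})
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventSource") != "s3.amazonaws.com" or ident.get("type") != "IAMUser":
            continue  # only IAM-user S3 calls matter for this scenario
        st, bucket = stats[ident["userName"]], ev.get("requestParameters", {}).get("bucketName")
        if not mfa_present(ev):
            st["no_mfa"] += 1
        if ev["eventName"] == "ListObjects":
            st["listed"].add(bucket)
        elif ev["eventName"] == "GetObject":
            st["gets"][bucket] += 1
    findings = []
    for user, st in stats.items():
        if st["no_mfa"]:
            findings.append((user, f"{st['no_mfa']} S3 calls without MFA"))
        for bucket, n in st["gets"].items():
            if n >= threshold and bucket in st["listed"]:
                findings.append((user, f"listed then bulk-downloaded {n} objects from {bucket}"))
    return findings
```

Running `detect_s3_abuse(SAMPLE_EVENTS)` reports IAM1 twice (no-MFA calls, and list-then-bulk-download) and nothing for IAM2, whose single MFA-backed read stays under the threshold.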

Test scenario to perform an attack on weakly configured cloud web application

• A Meeting Room web application is hosted by an organization in a cloud environment. Top management in the
firm attend virtual meetings there to discuss strategic plans and share their ideas to improve the
business.

• The application was developed and made available to public users, since management personnel attend the
meeting from wherever they happen to be.

Social Engineering attack:

A marketing employee has posted about this virtual meeting room on professional networks like LinkedIn.

Stage 1:

• The application URL was harvested from LinkedIn by the security enthusiast. Information on the
web application framework was gathered using fingerprinting tools.

• Fingerprinting tools reveal web application framework details such as the web server version, framework version and
the JavaScript libraries in use.

• Fingerprinting was performed with browser extensions. Browser add-ons like Wappalyzer and WhatRuns
were used to reveal application details as shown in Fig1. From Fig1, we see that the application uses AngularJS
version 1.2.32 and the web server is Apache.


Fig1: Information Gathered about cloud meeting application

Stage 2:

The cloud web application was inspected and the JavaScript used by the application was analysed with tools
such as a JavaScript analyser. We were able to detect the vendor scripts written by the developer. The
JavaScript used by the application reveals internal pages and functionality, as shown in Fig2.

Fig2: Internal pages and application functionalities of application extracted

A list of 69 internal URLs was extracted from the JavaScript used by the web application. The list includes
admin-level URLs, internal file and mail directories, and API service URLs, as shown in Fig3.


Fig3: Internal and API service URL disclosure

Stage 3:

We enumerated the list of internal files used in the application for the admin user, as listed in Fig4.

Fig4: Admin User Pages disclosed

Application logic became predictable from the enumerated list of admin user internal files. If the application is also prone
to clickjacking, an attacker may target top-level users by framing the admin page inside an HTML element controlled by
the intruder in order to steal the credentials of an authenticated user.

Recommendation to prevent attack

• Internal pages and JavaScript disclosed to the public allow an attacker to enumerate the internal
pages present in the application, which may expose a lack of access control. Hence, remove
the internal URLs disclosed on the client side.

• Two-factor authentication should be enabled for all application users to prevent credential theft.

Test scenario to extract sensitive information from a weakly configured API Key in a
mobile application

A finance organization develops an application to track its loan defaulters. Installation of the mobile application was
mandated for its customers, in order to provide instant loan and payment-due information.

Stage 1: Reverse engineering the mobile application

• The financial mobile application is exported from the mobile device to a PC/laptop. Android Studio is the tool
developers use to build a mobile application; the same tool can also be used to reverse engineer an Android
application.

• The mobile application was opened in Android Studio in debug mode to find the internal packages used by
the developer.


Fig5: io.fabric used in the application

We can infer from Fig5 that the application was built with the io.fabric SDK. The Fabric SDK
communicates with a Fabric.io account created by the developer in the cloud. The Fabric account is used for
crash analytics, which helps the application run smoothly and reports to the organization any errors incurred
after deployment.

Stage 2: API Key search in Mobile application

Android Studio also lists the internal files used in the mobile application. The AndroidManifest.xml file
in the application contains the permissions the application requests and the activities it exports.

The Fabric API Key used by the application was collected from the Manifest file as shown in Fig6.

Fig6: Fabric API Key extracted from Manifest file.

The API key is used in the communication layer for authentication. The application communicates
with the account maintained in Fabric.io to report crashes/errors incurred on the user’s device.

Stage 3: Application ownership takeover

Create a blank Android app using Android Studio. Build a secret in a fabric.properties file and place the API key
there, copied out of the Android manifest entry shown below.

<meta-data android:name="com.crashlytics.ApiKey"
android:value="Paste_API_KEY_HERE"/>

Crash reports from this app are sent to the Fabric.io account created by the original application developer, which
gives access to that Fabric.io account; this access can be used to pull application server scripts and may lead to
account takeover.


Recommendation to prevent attack

The Fabric SDK is deprecated and crash analytics reports will be supported only until November 2020. Upgrade to
the generally available Firebase crash analytics SDK.
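The following is an added example (not from the article or the application it describes) of the pre-release check a developer or reviewer would run on a build: it parses a constructed AndroidManifest.xml and reports hard-coded API-key meta-data entries, such as the com.crashlytics.ApiKey entry shown above, together with the activities the app exports. The manifest content, the io.fabric.ApiKey name and the token pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest (sample data, not the manifest of the application in the article).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="LoanApp">
        <meta-data android:name="com.crashlytics.ApiKey"
            android:value="0123456789abcdef0123456789abcdef01234567"/>
        <meta-data android:name="com.example.build_flavor" android:value="prod"/>
        <meta-data android:name="android.app.shortcuts" android:resource="@xml/shortcuts"/>
        <activity android:name=".MainActivity" android:exported="true"/>
        <activity android:name=".DebugActivity" android:exported="true"/>
        <activity android:name=".SettingsActivity" android:exported="false"/>
    </application>
</manifest>
"""

# Known credential-bearing meta-data names for the SDK in the article (assumed set),
# plus a shape check for any other literal that looks like a long opaque token.
KEY_NAMES = {"com.crashlytics.ApiKey", "io.fabric.ApiKey"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")

def audit_manifest(xml_text):
    """Return hard-coded key names and exported activities found in a manifest."""
    root = ET.fromstring(xml_text)
    name_attr, value_attr = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}value"
    exported_attr = f"{{{ANDROID_NS}}}exported"
    hardcoded = []
    for md in root.iter("meta-data"):
        name, value = md.get(name_attr, ""), md.get(value_attr)
        # Resource references (@string/...) are not literals here, though the
        # value they point to still ships in the APK and needs its own review.
        if value is None or value.startswith("@"):
            continue
        if name in KEY_NAMES or TOKEN_RE.match(value):
            hardcoded.append(name)
    exported = [a.get(name_attr) for a in root.iter("activity")
                if a.get(exported_attr) == "true"]
    return {"hardcoded_keys": hardcoded, "exported_activities": exported}
```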

List of tools used in the test scenarios:

• Wappalyzer - fingerprint the web application framework

• JavaScript Analyser - extract/understand the script functionality

• Android Studio - develop and debug an Android application


